War Biking in Dublin

On Friday I was interviewed by RTE News on the dangers of using free wifi hotspots and what you can do to protect yourself. This is something Lee covered before on this blog.

The interview came about thanks to the wonderful James Lynne from Sophos. James has done warbiking in various cities, and this video is from his experiments in London.

Talking about the results of his trip around Dublin, James says that Dublin City is WiFi saturated. Interestingly, only 4% of networks in Dublin were using WEP, compared to 9% in other cities. James also set up a fake hotspot to see how many people would connect to it. Despite being warned that the network was not secure, over 1,000 people connected to the fake hotspot. Interestingly, James noted that 9% of those connecting used a VPN or other secure means to connect, much better than the average in other cities, which was 2%.

So while the figures are better than in other cities, there is still a long way for us to go to make our wireless networking more secure.

James and I were interviewed by RTE News and you can get more information and see the video of the interview here.


Thank You Lee

As many of you know Lee Munson has done sterling work as our Social Media Manager over the past 18 months or so. He has provided excellent material to our blog and has been instrumental in it being recognised as one of the top security blogs around. Our following on our Twitter account (@bhconsulting) has grown as a direct result of Lee’s hard work.

Lee has proven to be the ultimate professional in running our social media platforms. The quality of his work speaks for itself. So it was with mixed emotions that I received an email from Lee announcing his resignation from BH Consulting as he wants to explore new opportunities.

I am delighted that Lee is moving his infosec career onward and upward and I wish him all the very best. Lee will be a great asset for any organisation that he works for in the future. I will miss his contributions to our success as a company.

Best of luck Lee in all you do for the future. As always there is a welcome for you anytime at BH Consulting.

Thank you for all you have done


£££ Or Privacy? Either Way, UK Smart Meters Need To Get A Whole Lot Smarter

Are you looking forward to receiving your shiny new smart meter? If you live in the UK it doesn’t matter whether you answered yes or no to that question because, soon enough, you will be getting one whether you want it or not.

It doesn’t matter that the Public Accounts Committee thinks that the new tech will only save the average household a mere £26 a year because the government, via the Department of Energy and Climate Change (DECC), wants to press ahead anyway at a cost of £10.6 billion, or £215 per household.

Whether the economics of installing smart meters vs the potential benefit to the climate are worthwhile is a matter of opinion, but what is certain is that experts in the field have concerns over the implementation of the devices and their susceptibility to hacking.

During a meeting of the Westminster Energy, Environment & Transport Forum earlier this week, KPMG’s Alejandro Rivas-Vásquez highlighted how recent issues in Spain could have a bearing upon the Smart Meter Implementation Programme in the UK.

Commenting on how flaws discovered in the Spanish programme could affect the UK scheme, Rivas-Vásquez said:

“Spanish researchers recently found fundamental security flaws in the design of smart metering devices deployed across the Channel. Arguably, these flaws should have been identified by the Spanish deployment team, long before the meters were fitted in households. In the UK, whilst CESG has issued security specifications for smart metering vendors to prevent this type of issue, a need for overseeing compliance should not be underestimated by Ofgem and DECC.

Not long ago, we saw similar technologies being hacked for fraudulent activities here in the UK, when prepaid metering top-up keys with false credit information were cloned and sold to customers. The lessons learned from that incident demonstrate security controls are needed in and around the individual devices, and also all the way up to the suppliers.”

Even though the UK published guidelines for protecting and securing smart meters in August of this year, Rivas-Vásquez reiterated the need for independent security and privacy assurance, saying:

“A smart meter implementation programme is a complex matter at the heart of our critical infrastructure, involving many interconnected parties but the programme is only as secure as its weakest link. That’s why in the UK, the Smart Energy Code makes specific arrangements for independent security and privacy assurance activities to take place, within each of the parties of the programme.”

Even though the thought of having household items hacked tends to worry consumers on the privacy level, such as in the case of the far too smart TV that can eavesdrop on conversations, the government and other bodies behind smart meters, perhaps unsurprisingly, seem to have their collective eyes on the bottom line and the damage that fraud could do to corporate profits:

“The Spanish research shows smart meters could be hacked to under-report consumption and this should act as warning to the GB programme.”

That said, there is at least a recognition that the bad guys could be smart enough to cook up other nefarious plans involving the soon-to-be-thrust-upon-us meters that give us our own bit of IoT, whether we desire it or not:

“If the technology could be hacked for fraud, hackers with more nefarious intent may use these flaws for other purposes.

The pace at which research data is analysed and then corrective action is taken also needs to improve. Industry and regulators need to be swift in the consultation process, so that we move away from point-in-time security solutions. Cyber criminals and cyber terrorists are improving their capabilities very quickly.”

Close Encounters Of The Security Kind: 94% Of Businesses Suffered From A Security Incident In The Last Year

Do you think that data breaches and other security incidents are a peril that only befall the largest of organisations?

If so, think again.

New research from Kaspersky Lab, in collaboration with B2B International, reveals that 94% of the businesses within the survey have suffered at least one security incident in the last year, a rise of 3% over the previous period.

With a total of 3,900 responses from companies of all sizes across 27 countries, the report concluded that spam represented the largest external threat to companies, having been identified by 64% of those questioned. By way of comparison, last year the biggest threat was named as viruses, worms, Trojans and other types of malware.

Of the companies that experienced a security incident some 12% said that the attacks were targeted, a significant rise from the 2012 and 2013 reports which discovered that such attacks only affected nine percent of companies.

Given the proliferation of data breaches recently it is good to see that thirty-eight percent of the companies surveyed said that protecting confidential data was their top priority, though I would still like to see that figure increase in the future.

When things go wrong and data is compromised, companies most often lose their own data: 43% of respondents said that internal operations data was compromised and 22% reported that financial data was lost. Client data was lost in 31% of security incidents.

Encouragingly, the survey respondents indicated that of all the types of data that could be lost, customer data was the type that concerned them the most (22%). Not so encouragingly, only 7% of companies thought that the loss of payment information was a worst case scenario.

Whatever the end result of a security incident, the costs were significant. A single incident was found to cause up to $2.54 million (£1.58 million) of damage, and the average cost of a security snafu was $720,000 (£447,000) according to the report. Looking specifically at smaller businesses, the report put the average cost of an incident at $42,000 (£26,000). Interestingly, the figures reported by UK businesses show that British firms have it tougher than those in other countries, with average incident costs running between 67% and 130% higher. Only Brazilian firms recorded a higher average cost per incident within the enterprise segment.

While the report shows some encouraging signs in the way that businesses of all sizes are recognising the threats posed by security incidents in general, and targeted attacks specifically, there is still a long way to go in terms of raising awareness as Chris Doggett, managing director of Kaspersky Lab, North America, explained:

“The survey results clearly indicate that many businesses now recognise that the threat of a targeted attack is very real and could be very harmful for their organisation. However, we are seeing that the number of companies that are actually taking that knowledge and turning it into an action to protect their organisation from such attacks is still alarmingly low.

If people want to break into your organisation, they will. Rewards are so much higher and the risk is so much lower than physical attacks that organised crime has gotten into it. But the attacks are difficult to protect against because they defy traditional security measures such as firewalls. Criminals can be so covert that they can stay on your system for years without being detected.”

As I wrote on Monday, far too many businesses are putting all their eggs in the firewall and anti-malware basket and nowhere near enough are investing in awareness training, which is vital in educating staff to look out for and avoid some of the more obvious and damaging attacks that a business can face. And, if any more proof were needed that staff need help in understanding security risks, another Kaspersky Lab report released today shows that 1 in 8 users don’t believe that security threats are even real (it’s a conspiracy?) and 32% are not even aware that their online accounts are at risk (think what that may mean within the context of your organisation).

Philip Lieberman: Companies Need Better Awareness and Better Trained IT Staff To Deal With APTs And Other Threats

A new survey from Lieberman Software Corporation has revealed that 78% of IT security professionals retain their faith in firewalls and anti-malware tools, saying they are robust enough to combat modern advanced persistent threats.

Such findings, Lieberman says, highlight the fact that while cybercrime continues to rise, many organisations are still dangerously relying on outdated perimeter security solutions to defend against the latest threats.

Conversely, the survey, which was undertaken during Black Hat USA in August 2014, also revealed that 22% of those surveyed thought tools such as firewalls and antivirus were unable to offer a sufficient defence against APTs.

Lieberman believes that figure should have been much higher considering how many organisations now suffer from advanced targeted cyber attacks. The company’s CEO, Philip Lieberman, said:

“Our survey reveals that while the majority of organizations are prepared for amateur hackers and low-level criminals, they are completely ill-equipped to deal with today’s advanced attacks. Traditional perimeter security products are effective at spotting and stopping known threats, but they can’t keep up with today’s rapidly increasing volume of advanced targeted attacks. The most effective methods for securing yourself from these types of attacks are the use of air-gap networks (machines not connected to the internet) that disconnect systems with sensitive data. Assume that others have already penetrated your network and institute multi-factor authentication and adaptive privilege management to assure that a compromised system is not a jumping off point for an organisation wide attack.”

Cybercrime is arguably running at an all-time high, with the media covering many stories recently, from data breaches at Staples and Home Depot to bogus chip and PIN credit card charges.

There have also been stories about Russian cybercrime gangs infecting hundreds of thousands of PCs around the world with malicious software used for stealing banking credentials and extorting computer owners, the perilous nature of outdated ATM infrastructure and, of course, the continued posting of compromised passwords online, again and again.

These stories should, says Lieberman, act as a warning to encourage organisations to implement proper defences which can cope with today’s advanced targeted attacks.

Lieberman added that organisations need to look beyond perimeter products and consider security awareness as well as better training for their IT staff:

“The latest targeted cyber-attacks on government organisations and high-profile companies show the need for better awareness and responsiveness in cyber security. Organisations should no longer be solely dependent on perimeter security products, like firewalls and intrusion detection, to protect their systems. Today they need IT staff who are better trained to identify potential attacks, and defense-in-depth security solutions that can restrict lateral movement in the network when attacks do manage to penetrate the perimeter.”

Security Awareness – It’s Not Just For Staff And Kids

You don’t need to be an information security professional to be considered a computer expert by the majority of people. Just knowing your way around an operating system – preferably Windows – is sufficient to attract cries of help your way.

It’s unfortunate, but that is the way it is. There are far too many people who are impressed by the fact that you can crop an image or print a document.

But who are those people?

If, like me, you spend an inordinate amount of time on social networks (well, ok, just Twitter in my case) in the company of security personnel, then you may be forgiven for thinking that it is just employees who require an urgent injection of security awareness so that they can be better prepared to defend the company’s digital assets.

But is it really the case that only employees need help where computers are concerned?

Maybe it is the older people (a growing demographic) in society who also need assistance and training in order to safeguard their personal information and dwindling pensions?

I can understand why that group of people may be the first to come to mind. After all, people of pensionable age and over were not brought up with computing devices and modern technology in general can be a barrier for them.

But, hey, her Maj seems to be fine with tech, so perhaps it’s training rather than age that counts?

I know in my own life that my grandfather, who is closing in on a hundred years of age now, is a dab hand at surfing the internet and troubleshooting the more common issues associated with computing. And that is because he went to a computer class at his library back when he was 92. He picked things up quickly but others didn’t and so the instructor never thought to mention a thing about the threats online lest it should confuse people.

Shame on him.

But, moving on from the more elderly people in society, my experience is that it is the younger people who actually struggle the most.

More fool me perhaps, but some people where I work (that’s retail not security by the way) learned that I have an interest in computers (but not security specifically – some things stay private). As a result, I seem to have an almost endless stream of computers, laptops and netbooks appearing in front of me during tea break. And I only get 15 minutes out of a whole shift!

So what sort of people need my help?

All sorts. Where I work the staff represent just about every level of diversity you could think of, but on my shift we are missing one demographic, which is the older person (I’m the oldest actually. Yikes!)

Everyone is mid-30s or younger and none of them have a clue. But they are not typical inner-London school dropouts (that’s a fallacy anyway), but rather ex-college students, current university students, and we even have a couple of first class degrees on my shift – thank you Mr Recession.

None of them know jack about computers or security though. They are fairly competent with technology and their devices while those devices are working as they should, but as soon as something goes wrong they’re lost.

Just this week I’ve discovered how one team member’s son had been viewing videos that are, let’s say, incompatible with their faith, despite his dad installing parental controls (his son is far more tech savvy than he is).

Another had what I imagine is every parent’s worst nightmare on his laptop – an always-on webcam, its indicator light not shining, that was recording who knows what whenever anyone was in front of the screen.

A third member of my team this week borrowed a colleague’s mobile phone, got her to say her passcode in front of everyone and then used it as a hotspot to get online on his netbook so he could do some online banking. One cup of tea too many and he rushed to the gents, leaving his PIN reader and bank card on the table, not to mention that he forgot to sign out of his account.


But oh so common.

Thankfully, moves are afoot to address the general lack of knowledge and security awareness within the UK but I can’t help but feel it isn’t enough.

It’s great that kids will be encouraged to code at school and employees are being trained to look after company data, but we’re still missing out large swathes of society.

Nothing good can come from that in my opinion and it’s hard to see how the situation can be rectified.

Sure, we have Get Safe Online week and all that, but no-one I know outside of security circles has heard of it, let alone learned from it.

Remember people: security awareness is for everyone, not just Elizabeth R, young kids and employees.

Microsoft Warns Users Over PowerPoint Zero Day, Releases Fixit

Microsoft has warned Windows users that cyber criminals are exploiting a zero-day vulnerability using malicious PowerPoint documents.

The vulnerability affects all versions of Windows except Windows Server 2003.

Microsoft has already released a Fixit tool that neuters the known PowerPoint attacks, but there is a risk that new attacks may yet spring up. The fix, found here, is not available for 64-bit versions of PowerPoint running on 64-bit versions of Windows 8, Windows 8.1, Windows Server 2012, or Windows Server 2012 R2.

The vulnerability allows remote code execution, which means a successful attack lets an attacker hijack a PC after a user opens a crafted Office document, potentially opening the door to further attacks in the form of other malware being planted, or to the theft of personal or sensitive data stored on the target machine.

In the case of a successful attack, the infiltrator would have access to the same privileges as the user which could be a significant problem for those who log on as an administrator, or those who get waylaid by a User Account Control (UAC) prompt that appears when the document is opened – Microsoft reports that a UAC prompt appears in every attack it is aware of.

A UAC prompt appearing when a document is opened is not normal, but many users may not be aware of that, again highlighting why security awareness is so important both within the business realm and among home users.

Of course it isn’t only Microsoft Office documents that pose a threat here – other file types could too, if the application that opens them supports OLE (object linking and embedding) objects.
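One check a defender can run on incoming Office files is to look for OLE objects that are linked to a location outside the document package rather than embedded in it. This is an added example written for this post; it is not code from the original article, from Microsoft or from any vendor quoted here. It relies only on the Office Open XML packaging rules (an embedded OLE object lives inside the zip and is referenced from a part's .rels file with the default TargetMode="Internal"); the function names `scan_ooxml`, `_is_remote_target` and `build_sample`, and the sample package with its documentation-range address, are constructed for the demonstration.

```python
"""Heuristic scan of an Office Open XML package (.pptx/.docx/.xlsx) for OLE
objects that are linked to a location outside the package.

Added example, not code from the original post or from Microsoft. It relies
only on the OOXML packaging rules: an embedded OLE object normally lives inside
the zip (e.g. ppt/embeddings/oleObject1.bin) and is referenced from a part's
.rels file with the default TargetMode="Internal". An oleObject relationship
that is marked External, or whose Target is a UNC path or URL, is flagged as
suspicious because it makes the document fetch content from elsewhere.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
LAYOUT_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideLayout"


def _is_remote_target(target: str) -> bool:
    """True for UNC paths (\\\\host\\share) or anything with a URL scheme."""
    t = target.strip().lower()
    return (t.startswith("\\\\") or t.startswith("//")
            or re.match(r"^[a-z][a-z0-9+.\-]*://", t) is not None)


def scan_ooxml(package: bytes) -> list:
    """Return [(rels_part, relationship_id, target), ...] for suspicious OLE links.

    Only .rels parts are parsed; the zip is read from memory so the caller can
    pass file contents straight from disk, a mail gateway or a sandbox.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(z.read(name))
            except ET.ParseError:
                # A relationships part that will not parse is itself worth a look.
                findings.append((name, None, "<unparseable .rels>"))
                continue
            for rel in root.iter("{%s}Relationship" % PKG_NS):
                if rel.get("Type") != OLE_REL_TYPE:
                    continue
                target = rel.get("Target", "")
                mode = rel.get("TargetMode", "Internal")
                if mode.lower() == "external" or _is_remote_target(target):
                    findings.append((name, rel.get("Id"), target))
    return findings


def build_sample(external: bool) -> bytes:
    """Constructed minimal .pptx skeleton for the demo (not a real malicious sample).

    external=False embeds the OLE object in the package; external=True links it
    to a UNC share on a documentation-range address (RFC 5737).
    """
    if external:
        ole_rel = ('<Relationship Id="rId2" Type="%s" '
                   'Target="\\\\203.0.113.5\\share\\slide1.gif" TargetMode="External"/>'
                   % OLE_REL_TYPE)
    else:
        ole_rel = ('<Relationship Id="rId2" Type="%s" '
                   'Target="../embeddings/oleObject1.bin"/>' % OLE_REL_TYPE)
    rels = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            '<Relationships xmlns="%s">'
            '<Relationship Id="rId1" Type="%s" Target="../slideLayouts/slideLayout1.xml"/>'
            '%s</Relationships>' % (PKG_NS, LAYOUT_REL_TYPE, ole_rel))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("ppt/slides/slide1.xml", "<placeholder/>")  # slide body not needed for the scan
        z.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
        if not external:
            z.writestr("ppt/embeddings/oleObject1.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for label, pkg in (("embedded", build_sample(False)), ("external", build_sample(True))):
        print(label, scan_ooxml(pkg))
```

This is a triage heuristic, not a signature for one exploit: a legitimate deck can link to an object on a file share, so a hit means "quarantine and look", not "malicious". It also only covers the zipped OOXML formats; the older binary .ppt/.doc formats store OLE links differently and need a separate parser.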

Commenting on the news, Sagie Dulce, security research engineer at Imperva said:

“This was recently discovered by iSight. They exposed a Russian hacker group they call SandWorm.

This vulnerability was used for the initial compromise. Using social engineering, this group gained initial foothold on machines, by convincing the victim to open a PowerPoint document.
The victim also had to click “allow” when opening the file, to allow a malicious code to be executed.

“According to iSight: “there have been several confirmed incidents in Ukraine, Poland, Western Europe and the United States since at least 2009. NATO, the public sector and private firms in energy and telecommunications have been targeted.”

“The malware identified related to this attack is BlackEnergy, early versions of which were used for DDoS, spam and CC theft.

Because this campaign seems to be government sponsored, the malware was probably used to download additional components after the initial exploit (and not to perform DDoS).

“Apart from the newest zero day, these attackers exploited a range of Office related exploits, dating back to 2010.”

While Mark Sparshott, EMEA director at Proofpoint highlighted how the bad guys could employ phishing techniques to get infected emails onto a target system:

“Object Linking & Embedding (OLE) is legitimately used to display parts of a file within another file, e.g. to display a chart from an Excel Spreadsheet within a PowerPoint presentation. This is not the first time that a vulnerability in OLE has been exploited by cybercriminals, however most previous OLE vulnerabilities have been limited to specific older versions of the Windows operating system. What makes this vulnerability dangerous is that it affects the latest fully patched versions of Windows.

The race is on. Cybercriminals will use phishing and longlining emails containing URL links to websites hosting malicious files that exploit this vulnerability or attach the malicious file to the email itself. While Microsoft and security vendors rush to close the security hole the best form of defence remains using the latest next generation detection technologies such as sandboxing at the email gateway to prevent the emails reaching users in the first place. Organisations not yet using advanced detection tools will need to fall back to notifying users and relying on them not to click the links and open files, unfortunately Proofpoint’s Human Factor Report highlighted that staff click on 1 in 10 malicious links on average so cybercriminals will see a lot of success before the security gap on this vulnerability is closed.”

Mark James, security expert at ESET made the point that the end user would need to initiate the attack in some way, thus highlighting yet again how technology can only take security so far:

“These particular attack vectors are created from a number of opportunities: either the user must be directed to an offending website or an email containing the compromised file would need to be opened. If directed to a website, then an email containing a link with a promise of a reward or benefit would arrive in your inbox, which, if clicked, would present you with, in this case, a PowerPoint show or presentation (all Microsoft Office file types as well as many other third-party file types could contain a malicious OLE object), again containing some kind of enticing properties (celebrities are often used in these cases). If you are tempted to click and open the file you could open up the possibility of being infected by further malware.

Obviously in this case, and many other similar scenarios, the end user must initiate the means to be infected. User Account Control (UAC) will help protect you in these cases and is on by default in operating systems from Vista onwards. Users should also always be mindful of emails containing links or files even from sources they trust. It’s better to delete and ask the sender to send again than to chance being infected and opening up your whole business network to malware attack. Also, wherever possible, do not use an administrator account when working with emails. These vulnerabilities take on the same access rights as the account that executed the file, if that is full admin rights then you’re in a whole world of trouble.”

Lamar Bailey, director of security research and development at Tripwire played down the threat posed by the zero day, saying:

“This is not a major issue. The vulnerability is just an escalation of privilege issue and requires a watering hole attack and/or persuading the victim to open a file to exploit.  If a user can be convinced via email, instant message, social media, or in some manner to open a PowerPoint attachment then the attacker will gain the same user rights as the current user.

If the current user has the ability to install programs or access critical systems in the environment this could be used by attackers to gain a foothold in a network and the exploited system would be used as a base of attack.

Users should know better than to open attachments from unknown sources in email or to download documents from random internet sites. A successful attack will likely spoof an email from an internal user or put a malicious file on a compromised site.”

While I agree that the issue shouldn’t be a major one for the reasons Lamar mentions, it is unfortunate that in 2014 not every user understands the need to be careful when opening emails or downloading documents, whatever their source.

Until at least a moderate appreciation of security issues is held by the population at large, such attacks will still, alas, continue to be successful for those that launch them.

Get Safe Online Week: Help Yourself And Others With These 20+1 Tips

Today the UK sees the start of the ninth annual Get Safe Online Week. The initiative is designed to raise awareness of all things ‘cyber’ in an effort to protect home users from the ever present online threats of fraud, identity theft, harassment and other equally serious issues.

During the week Get Safe Online will be issuing tips and advice on how to stay safe when using your computer, smartphone or other devices, as well as publishing new research on attitudes towards online crime and looking at the experiences of those who have fallen victim to the same.

In anticipation of what may be presented this week, we here at Security Watch hereby present our own quick tips which can help you beef your own security up in next to no time:

  1. Install security programs on all of your devices and keep them up to date at all times
  2. Never open email attachments if you are not 100% sure of who sent them and be careful even if you do.
  3. The same goes for clicking on links in emails, especially when the sender appears to be a trustworthy organisation such as your bank
  4. Maintain regular backups of all your data – you never know when disaster will strike
  5. Always update your operating system as soon as patches are released
  6. Think before you post anything on social networks – the information you give out can be used against you by thieves and online attackers. It could also get you into hot water if you say the wrong thing.
  7. Always create strong passwords and never share them with anyone under any circumstances
  8. Struggling to remember all of those passwords? Use a password manager and never be tempted to use the same login credentials across a number of sites
  9. Only connect to networks you can trust – public, insecure hotspots may allow an attacker to eavesdrop
  10. Always type web addresses into your browser instead of relying on links, especially for sites where you then have to enter data. Check your spelling and, for sites that ask for personal information, look for a padlock icon in the browser and a URL that begins with HTTPS rather than HTTP
  11. Only download new apps from the official stores such as Google Play and Apple’s App Store – the apps found on third party sites may not be what they seem, or may contain nasty surprises
  12. Take advantage of two factor authentication where available to add an extra layer of security to all of your online accounts
  13. Secure your own network – make sure it is encrypted with WPA2 (not WEP, which can be broken in minutes) and protected by a strong passphrase. Hiding the Service Set Identifier (SSID) is often suggested too, but it adds little on its own, as anyone with a wireless sniffer can still see the network, so treat encryption as the essential part. Remember that many routers come with a widely known default username and password, so change both if possible
  14. Protect your kids – set up parental controls but remember there is never any substitute for taking a keen interest in what your children are doing online
  15. When shopping online always use a credit card where possible as it will offer a higher level of protection should anything go wrong
  16. Never leave mobile devices unattended and always protect them with a PIN or passcode
  17. If you share a computer be extra careful about what you use it for and consider erasing your tracks when you have finished with it
  18. If you haven’t heard of Edward Snowden, search now to find out what he has to say about government surveillance. Next, consider using a Virtual Private Network or a service such as Tor for your future web surfing needs
  19. Get used to reading banking and credit card statements whenever they arrive – they can provide a heads up should someone have compromised your plastic or your identity
  20. Keep abreast of the latest security developments by staying on top of the news and adding some of the key industry websites to your reading list – many websites offer up lists of recommended security blogs and here are a couple to get you started: http://www.rasmussen.edu/degrees/technology/blog/top-cyber-security-blogs and http://www.securityinnovationeurope.com/blog/40-information-security-blogs-you-should-be-reading

And for those readers who are already doing all of the above (you’re an infosec professional, right?) here is a bonus tip:

  21. Sign up to Give01Day and help share your undoubted expertise with UK charities which could seriously benefit from your generous support.

Brain And The Next 28 Years Of Malware (Infographic)

Part of getting older is looking at the next generation and marveling at how easy they have things, or their lack of knowledge of key things we grew up with.

Take the record player for example, or even the cassette tape – my kids don’t know what either of those are, and my youngest hasn’t ever used a CD, having grown up entirely with those MP3 things, whatever they are.

It’s the same with computing. My older children remember installing games and programs from DVD but my little one doesn’t even have an optical drive on her desktop – it’s USB sticks and downloads for her.

The same thing cannot be said for malware though.

Us oldies did have it easier in many respects, even if those who came after us are blissfully unaware of the fact that viruses were in circulation long before Erwise, Mosaic and Netscape ushered us into a pre-NSA era of information overload on the new worldwide web.

In January of 1986 the first PC virus, Brain, was written in Pakistan, as Mikko Hypponen documented when he tracked down its authors:

Following that, more viruses soon appeared and, like Brain, were spread via floppy disk, another antiquity that many internet users today will never have seen nor heard of.

Those early viruses were nothing like the ones we see nowadays though.

Early malware was, at worst, disruptive (wiping drives) and, at times, humorous (remember the ambulance that also featured sound?) in nature. It was largely produced by what is now a poor stereotype of a hacker – kids in their bedrooms, who were learning to code and having a bit of ‘fun’ along the way.

Unfortunately, subsequent years have seen a huge shift in the way malware is developed, and in its intention, as seen in the infographic below:

Infographic - a history of malware

Modern malware, as you can see, is now the preserve of not one individual coder but large organised gangs. The intention of such malware has changed dramatically too. Mere mischief is a thing of the past – today’s viruses are all about generating huge profits for online criminals and for arguably far more nefarious purposes too when those behind them have affiliations to nation states.

In 2014 malware is still going strong, 28 years after it first appeared. Floppy disk attacks are long gone, but email and internet attacks are here to stay and seemingly lurking around every corner.

Sure, defences are much improved too, but the fact that malware keeps evolving just keeps on ramming home the point that security is a reactive rather than proactive industry.

As such, you can never be one step ahead of an attacker, only as best prepared as possible.

So what have you done to secure your personal devices, your employees’ machines and your business networks from not only malware but all the other threats that technological ‘advancement’ has brought?

Poor Password Habits Cost Businesses £261 Per Employee Per Year

Poor password habits are, on average, costing businesses £261 per employee each year as staff struggle to manage a growing number of login credentials.

According to new research from Centrify, an average sized business with 500 employees is losing £130,500 per year through lost productivity.

Respondents to the survey of 1,000 UK workers were asked to estimate how much time they spent each week managing their passwords. The average loss of £261 per employee was then calculated by totting up how much time they said they spent entering login details, trying to remember forgotten passwords and contacting administrators to reset passwords.

The survey did not assess the associated costs connected to poor password management but we can take a look at recent data breaches to gain an idea of how people and their security habits, or lack thereof, can be an important aspect for organisations of all sizes.

Barry Scott, EMEA chief technology officer at Centrify, said:

“In our new digital lifestyles, which see a blurring of the lines between personal and professional lives, we are constantly having to juggle multiple passwords for everything from email and mobile apps to online shopping and social media.

According to our survey, over a quarter of us now enter a password online more than 10 times a day, which could mean 3,500 to 4,000 times a year. This is becoming a real challenge for employers who need to manage security and privacy concerns and for employees who are costing their companies time and money.”

The survey discovered that 47% of respondents use their own devices for business purposes but just over one third of those questioned said they did not secure their own mobile tech with passwords at all, despite storing confidential and business critical information on them.

Worse yet, employees who did use passwords still engage in the same risky practices that security professionals have been warning about ever since time began:

  • Reusing the same password whenever possible
  • Continually cycling through a small list of passwords
  • Keeping a written record of all passwords
  • Concocting passwords based on personal data
  • Not using upper and lower case characters and ignoring symbols when making a new password

Such admissions are a concern, especially when you consider that over a quarter of the respondents said they had to enter 11 or more passwords a day, which may explain why 41% described forgetting a password for an online account as "very annoying" and a bigger aggravation than losing their keys (39%), finding their mobile phone battery was flat (37%) or receiving a spam email (31%).

Further insight into how non-security personnel view password management comes in the form of comments from respondents who complained about the hassle of managing their login credentials – 13% said they would rather spend an hour on hold on a customer service line, 12% would prefer to be stuck next to a crying baby on a flight, 17% would set their mobile ringtone to The Macarena for a year and 7% would choose root canal treatment over having to remember their passwords.

It is perhaps unsurprising to then learn that a third of all respondents admitted they had permanently lost access to an online account through forgetting a password.

If this sounds like you then you need a password manager and/or some good password tips. If you recognise such an attitude toward passwords among your employees then you may be in need of some security awareness training to help your staff understand how their actions can affect the business, as well as their own privacy and security.