A survey conducted by Lieberman Software at the 2014 RSA Conference in San Francisco has revealed that just over 13% of IT security professionals admit that they are still able to access previous employers’ systems by using their old credentials.
The survey queried 280 IT security professionals, of which 55% worked in organisations employing over 1,000 people, and looked at their attitudes toward password management and cloud security.
It revealed that many organisations continue to fail to implement effective password security practices: 23% of those surveyed said that they were still able to access not only their previous employer’s systems, but also those of the employer before that. Even more alarming is the fact that 16% of those questioned said that they can still use old credentials to access the systems of all their previous employers.
The survey also discovered that nearly 20% of those surveyed do not have, or do not know if they have, a policy to ensure that former employees and contractors can no longer access systems after leaving the organisation. Also of note is the fact that nearly a quarter of the respondents indicated that they work in organisations that do not change their service and process account passwords within the 90-day time frame commonly cited as best practice by most regulatory compliance mandates.
Lieberman Software’s CEO and President, Philip Lieberman, said:
“The results of this research show that a fundamental lack of IT security awareness in enterprises, particularly in the arena of controlling privileged logins, is potentially paving the way for a further wave of data breaches. Organizations must implement a policy where privileged account passwords are automatically updated on a frequent basis, with unique and complex values. That way, when an employee does leave the company, he is not taking the password secrets that can gain access to highly sensitive systems.”
On a more positive note, the survey discovered that almost 84% of the represented organisations have a policy in place to ensure that contractors cannot access corporate systems after they leave the company. On the flip side, that of course means that around 16% of respondents had to admit that their organisation either does not have such a policy or, if it does, they are not aware of it.
With the survey results suggesting that many organisations could benefit from improved password security, Lieberman added:
“Companies and government agencies should not take such a lax approach to password management, especially given the attention that the Edward Snowden / NSA scandal has received. Basic security best practices include minimizing the insider threat and sophisticated criminal hackers by managing the powerful privileged passwords that grant access to systems containing sensitive data.”
Considering the findings of this report, along with the knowledge that the passwords within your business may be weak or even shared, what are you doing to ensure a strong level of security is maintained in this area?