A fundamental lack of IT security awareness – particularly in the area of password control and privileged logins – is potentially paving the way for more waves of data breaches, new research reveals.
Conducted by the Lieberman Software Corporation, the Password 2011 survey paints a vivid picture of password chaos among IT professionals and a general apathy about password security among their senior management.
More than a quarter of the 300 surveyed IT professionals said they were aware of an IT staff member abusing privileged login information to illicitly access sensitive information.
At the same time, nearly half of the IT professionals surveyed said they work at companies that do not change their privileged passwords within 90 days. That violates most major regulatory compliance mandates, and long-lived privileged credentials are one of the key reasons attackers who obtain a password once are still able to compromise large organizations.
"This survey shows that, despite the huge number of frequent data breaches over the past 12 months, senior management in many organizations have not yet grasped the fundamentals of IT security," Philip Lieberman, President and CEO of Lieberman Software, said in a prepared release. "Password anarchy among the IT staff at major organizations is mirrored by password apathy at the top of the management hierarchy, where senior management seem almost criminally lax in the enforcement of IT security policies, to the detriment of their organizations."
The survey also found that the sheer volume of passwords needed by IT professionals could be a source of the problem.
Nearly half of the IT professionals surveyed said they had 10 or more passwords to remember for work, while 42 percent said IT staff in their organizations are sharing passwords or access to systems and applications.
"Management will have to pay far more attention to their basic security practices or be forced to apologize to their shareholders and customers for major data losses and subsequent damage to brand loyalty," Lieberman said. "The simple, unpalatable truth is that senior management generally is not policing their IT security departments enough to avoid further massive data breaches."
Morgan Slain, CEO of SplashData, a developer of password management solutions for smartphones and personal computers, said there are a number of password safety measures businesses can establish to ensure the safety of critical data.
One step, according to Slain, is to use secure passwords of eight characters or more. One way to create secure passwords that are also memorable, he said, is to use phrases of short words separated by spaces, such as "eat cake at 8!" or "car park city?"
"They are easier for people to remember and quite secure," Slain told ITTechNewsDaily.
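As an added example (not code from the article, nor from SplashData or Lieberman Software), the script below builds passphrases of short, space-separated words in the style Slain describes, but chooses the words with a cryptographic random generator rather than leaving the choice to a person, and compares the resulting entropy with the eight-character floor. The 32-word list is constructed for the example and is far too small for real use; the 7,776-word figure used for comparison is the size of a standard diceware list and is an assumption of the example, not something the article mentions. Phrases printed in an article, including "eat cake at 8!", should never be used verbatim, because anything published ends up in cracking word lists.

```python
import math
import secrets

# Constructed toy word list (assumption: a real generator would use a large,
# published list such as a diceware list; 32 entries is far too small for
# production and is used here only to keep the example self-contained).
SHORT_WORDS = [
    "eat", "cake", "car", "park", "city", "blue", "tree", "sun",
    "moon", "fish", "bird", "rock", "wind", "rain", "snow", "fire",
    "lamp", "door", "book", "road", "hill", "lake", "milk", "salt",
    "gold", "iron", "leaf", "rope", "sand", "star", "wave", "wolf",
]

PRINTABLE_ASCII = 95  # printable ASCII symbols: letters, digits, punctuation
MIN_LENGTH = 8        # the eight-character floor the article recommends


def meets_minimum_length(password: str, min_len: int = MIN_LENGTH) -> bool:
    """The length check from the text: at least `min_len` characters."""
    return len(password) >= min_len


def passphrase_entropy_bits(num_words: int, list_size: int) -> float:
    """Entropy of a passphrase whose words are drawn uniformly at random
    (with replacement) from a list of `list_size` words."""
    return num_words * math.log2(list_size)


def character_entropy_bits(length: int, alphabet_size: int = PRINTABLE_ASCII) -> float:
    """Entropy of a password of `length` characters drawn uniformly from an
    alphabet of `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def generate_passphrase(num_words: int = 4, wordlist=SHORT_WORDS,
                        separator: str = " ", choose=secrets.choice) -> str:
    """Build a passphrase of short words separated by spaces, picking each
    word with a CSPRNG (the secrets module) rather than letting a person
    choose them, which is what makes the entropy figures below apply."""
    if num_words < 1 or not wordlist:
        raise ValueError("need at least one word and a non-empty word list")
    return separator.join(choose(wordlist) for _ in range(num_words))


def strength_report(num_words: int, list_size: int,
                    reference_len: int = MIN_LENGTH) -> dict:
    """Compare a random passphrase against a random password of
    `reference_len` printable-ASCII characters and say which is stronger."""
    phrase_bits = passphrase_entropy_bits(num_words, list_size)
    ref_bits = character_entropy_bits(reference_len)
    return {
        "passphrase_bits": round(phrase_bits, 2),
        "reference_password_bits": round(ref_bits, 2),
        "passphrase_stronger": phrase_bits >= ref_bits,
    }


if __name__ == "__main__":
    phrase = generate_passphrase()
    print("generated:", phrase, "| >= 8 chars:", meets_minimum_length(phrase))
    # Toy 32-word list: 4 words give only 20 bits, well below 8 random characters,
    # even though the phrase easily passes the length check.
    print(strength_report(4, len(SHORT_WORDS)))
    # Assumed 7776-word diceware list: 4 words give about 51.7 bits, close to
    # 8 random printable characters (about 52.6 bits); 5 words exceed it.
    print(strength_report(4, 7776))
    print(strength_report(5, 7776))
```

The point the numbers make is that a passphrase's strength comes from how many words it has and how large the pool they were drawn from is, not from its character count: a 15-character phrase from a 32-word list passes the eight-character rule and is still weaker than eight random characters, while four or five words from a diceware-sized list are at least as strong and much easier to remember.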
In addition, Slain suggests never using the same username/password combination on multiple sites or applications. Because many websites do not adequately protect stored credentials, Slain said, attackers who obtain them from one server try the same username and password combinations on more valuable sites and services such as email, online banks or PayPal.
"There is a cascading risk that you incur," Slain said.
For those with numerous passwords, Slain advises storing them in a secure password management application, a digital safe of sorts, rather than writing them all on a slip of paper.