Taking control: Why organisations must protect passwords with a comprehensive password management strategy

CYBERARK SOFTWARE (AUSTRALIA) PTY
By Andrew Slavkovic, Solutions Engineering Manager, CyberArk
Saturday, 01 April, 2023


Imagine the only thing standing between the attackers and your sensitive data and assets are passwords — and poorly protected ones.

Despite the danger and risk they pose to an organisation, password management is often neglected. The majority of organisations still rely on traditional and outdated password management tools — leading to ‘password fatigue’ — and even more crucially, fail to utilise enterprise-grade protection to safeguard the fort.

Scarier still, many of the apps used in the workplace don’t leverage modern identity protocols. Even though most modern apps integrate with single sign-on solutions to sidestep password management woes, some apps still require a stand-alone username and password. The result? Employees need a way to access these business apps seamlessly, from any device, at any time.

Making matters worse is that any user can become privileged in the right circumstances based on the resources they’ve gained access to, leaving companies vulnerable and in constant danger of security breaches.

Certainly, the problem is complex. And while many organisations may have security-first controls in place to protect the credentials of privileged users, what about the credentials used by the rest of the organisation?

When 921 password attacks occur per second, it is time to treat everyday employees’ credentials like the true operational risk they are.

Workers now have a shocking amount of access to sensitive resources, with 52% of employees having access to sensitive corporate data according to CyberArk’s 2022 Identity Security Threat Landscape report. Cybercriminals certainly don’t discriminate and will inevitably exploit lax practices to breach an organisation’s network and seek ways to heighten their access. And it’s a goldmine of opportunity considering the average employee has around 100 passwords.

Four of the common pitfalls when it comes to passwords are:

  • Easy to guess and not in keeping with password strength requirements;
  • Reused across corporate apps, personal apps and social media;
  • Stored unsafely in spreadsheets, sticky notes and web browsers; and
  • Passed from one user to another through email, messaging apps and more.

In fact, it’s these lax password behaviours — 82% of breaches are linked to the ‘human element’ according to Verizon’s 2022 Data Breach Investigations Report — that come amid an ever-evolving threat landscape and a cybercrime atmosphere that’s ‘next-level’ frightening.

Just consider the latest security breach numbers. According to the recent OAIC report, compromised or stolen credentials and phishing are the second and third most prominent methods used by cybercriminals to gain initial access to an organisation’s networks or systems, and were the source of 27% and 23% respectively of cyber incidents in the second half of 2022.

Equally worrisome — even the password management experts aren’t immune to the latest cybersecurity breaches. LastPass was recently exposed to two consecutive attacks: attackers exploited the stolen login credentials of a senior DevOps engineer — pilfered in the first attack — to then access, in the second attack, a shared cloud storage environment containing backups of customer data.

Five Steps to Success

So, what can be done to help mitigate these password management woes? The first thing to consider is managing workforce passwords: protecting them and maintaining their complexity over time.

Moreover, recognise that all workforce users’ passwords should be protected with the same security-first approach that organisations apply to privileged users’ credentials. If attackers are treating employees’ credentials like they’re privileged, then so should we.

Overall, when frequently used business applications are accessed outside of an enterprise’s security controls, organisations cannot track access activity, control password complexity and revoke access to applications when no longer needed.

So how do you get ahead of it? There are five steps that any security team looking to improve how they safeguard workforce credentials should explore.

  1. Intelligent Authentication

This first step is essential to blend intelligent authentication with an enhanced user experience. This calls for an adaptive form of MFA that can adjust the difficulty of authentication challenges based on real-time insights on user behaviour.

  2. Security-first Storage

This step involves looking for ways to introduce vault-based storage for workforce credentials, with the flexibility to devise how accounts and credentials are stored, managed and retrieved. For example, an enterprise-grade tool could provide a security admin with options to automatically store new credentials in self-hosted vaults and allow users to retrieve them without connecting to a VPN.

  3. Safe credentials management and sharing

This step enables users to securely share credentials without revealing passwords, but also grants the ability to: protect privacy by controlling who can share, view and edit credentials; impose time limits on user access to specific apps; and manage the transfer of credential ownership to new users.

  4. End-to-end visibility

This step requires security controls to continue past the point of authentication. Here, enterprises should look for ways to require an extra layer of protection that allows them to monitor and record all actions once a user is logged in — backed up by a full audit trail.

  5. Frictionless and secure user experience

This step requires enterprises to manage and secure workforce passwords with a solution that can: integrate easily with corporate directories and third-party identity providers; recognise when users are entering credentials and offer to save them in a secure, vault-based location; securely auto-fill credential fields for a smooth and quick log-in experience; and generate unique and strong passwords for users whenever needed.

Certainly, these five essential steps that comprise a holistic, risk-based approach to Identity Security help companies apply privilege controls across the board — underscoring the fact that increased complexity calls for stronger controls for sharing and transferring passwords.

Better still, it’s a comprehensive strategy that’s timely given the bulging amount of sensitive data that employees can access every day, and that also prevents workers from taking the kinds of shortcuts that can unwittingly create openings for bad actors to infiltrate your network.

Sound like a good place to start? To access even more insights and to dig deeper into the complex password management arena, visit the whitepaper here.

Image credit: iStock.com/RayaHristova
