If you’ve wondered why companies keep getting breached through the same old attacks – and why employees can’t seem to train themselves to use strong passwords – a new survey has offered up a simple explanation: many simply don’t care about company security.
Australians were among the most concerned about the security of their personal information and least concerned about their company information, the new Talker Research-Yubico Global State of Authentication survey of 20,000 people in 9 countries found, with 55 per cent worried about personal information but just 8 per cent expressing concern about the security of financial, marketing, R&D, and other company information.
While 31 per cent said they give equal weight to the security of company and personal information, an additional 5 per cent said they don’t care about either.
Suggestions that around 1 in 8 employees is uninterested in protecting company data will be sobering for fatigued security executives who are burning out trying to convince employees, many of whom are working remotely and may perceive workplaces as vague concepts, to help protect the data and systems that keep their businesses running.
Despite widespread availability of stronger security tools like multi-factor authentication (MFA) – and, more recently, increasingly common passwordless ‘passkeys’ – 39 per cent of Australians still believe that username-and-password combinations, which are regularly implicated in Australia’s worst data breaches, are the most secure form of authentication.
“With most cyber attacks being a result of stolen login credentials, it’s concerning that so many people still rely on this outdated authentication method,” Yubico vice president of standards and alliance Derek Hanson said as the new figures were released.
“It’s clear change is not just needed,” he said, but “it’s paramount to the future of a world that centres around the internet and living online.”
Source: Talker Research-Yubico
Wide gulf between theory and practice
Many Australians are already feeling the crunch, with 39 per cent admitting having had a social media password compromised; 1 in 5 saying the same about a payment app password; and 12 per cent saying their messaging app password had been compromised.
Such passwords inevitably turn up in data leaks like July’s RockYou2024 – a cornucopia of 10 billion passwords cyber criminals employ for their attacks – yet 9 per cent of Australians admitted that they hadn’t bothered to change compromised passwords after a breach.
Such passwords can give attackers direct access to company systems or cloud applications used by employees, as the US Capitol is currently dealing with after security firm Proton found over 1,800 passwords of US Congressional staff available on the dark web.
Those passwords, which were linked to an estimated 1 in 5 staffers working in the seat of the US government, became a risk because staffers used their work email addresses to sign up for dating, social media, and adult websites that were later breached.
The figures, which were released on the eve of October’s annual Cybersecurity Awareness Month campaign, come after years of education about the importance of strong passwords and recent half-yearly figures that not only flagged a surge in Australian data breaches but implicated human error in 30 per cent of them, with an additional 12 per cent caused by phishing attacks.
Despite the risk, just 42 per cent of respondents said their company had previously given them cyber security training, with 26 per cent introducing mandatory training even after employees were exposed to a cyber attack.
Security threats may also be creating workplace wellbeing issues: 40 per cent of Australians in the Yubico survey – the highest proportion of all countries – report feeling “exposed and vulnerable” after a breach, with 19 per cent reporting symptoms of “psychological distress” such as anxiety, poor sleep, poor appetite, and shortness of breath.
Indeed, one-third of respondents felt “worried and disillusioned about their personal information ever being safe again”, highlighting the importance of improving privacy protections and echoing the findings of a recent Reset.Tech Australia survey that found 73 per cent of Australians felt their personal data is “insecure and exposed.”
You can check whether your passwords have been compromised at HaveIBeenPwned.