Content, Content

Survey: Employees’ Cybersecurity, Password Management Practices Getting Worse


Employees’ cybersecurity practices aren’t improving. In fact, they’re getting worse, a new global survey of 1,600 workers found.

Juliette Rizkallah

Considering the skyrocketing numbers of data breaches and the hits companies take from digital heists, the lax security habits of workers are particularly disconcerting, said SailPoint, an identity management provider, in its 10th annual Market Pulse Survey.

It’s a persistent problem, wrote Juliette Rizkallah, SailPoint’s chief marketing officer, in a blog post. “When you combine this with the new challenges ushered in by the digital transformation, the IT landscape becomes even more complex and difficult to secure,” she said.

Key Focus Areas and Findings

SailPoint's report covers three key issues facing organizations:

  • Users’ bad security habits.
  • Increasing friction between IT and business.
  • Newly emerging threat dynamics.

Employees are not honoring cybersecurity best practices:

  • 75% of employees reuse passwords across different accounts, including nearly 90% of 18–25 year-olds. (Note: In 2014, 56% of employees admitted to reusing passwords across accounts).
  • 23% change their work passwords two or fewer times a year.
  • 15% of users would consider selling their workplace passwords to a third-party.

“In just four years, the number of employees who reuse passwords has increased almost 20 percent, which is even more concerning when you consider the domino effect that can occur from this risky action,” wrote Rizkallah.

Employees and Corporate IT: The Disconnect

Employees are frustrated with IT and looking for ways around them:

  • 55% say IT is a source of inconvenience.
  • 31% of employees admitted to using shadow IT. (Note: In 2014, 20% of employees admitted to using shadow IT).
  • 13% would not tell IT immediately if they had been hacked.
  • 49% would blame IT for a cyber attack that occurred as a result of being hacked.

“Employees may not mean any harm when they go around IT’s security protocols, but at the end of the day, they are still creating more risk for IT teams to manage. Even worse, while employees are not interested in following IT’s mandates, they can be quick to blame IT when things go awry,” Rizkallah said.

New technologies are creating new areas of risk for organizations:

  • 48% are using AI chatbots/personal assistants.
  • 44% would rather the personal information of their company’s customers was hacked than their own personal information.
  • 66% do not know what the GDPR is.
  • 63% believe every employee plays a role in GDPR compliance.

“We hoped to see an improvement in employees’ actions based on the influx of data breaches and the growing concern over privacy," said Rizkallah. "However, this year's findings proved that not much has changed. In fact, the same workforce that IT is trying so hard to protect is making their job much harder by not adhering to cybersecurity best practices or good password hygiene.”

MSSPs and MSPs: Identity, Access & Password Management

Amid those realities, multiple companies are moving into the MSSP- and MSP-centric password management or identity and access management market.

For instance, SailPoint has a range of enterprise-class MSSP partners -- including such Top 100 MSSPs as Herjavec Group and Optiv. Also, companies such as IT Glue, Myki and Passportal offer MSP-centric password management solutions.

Additional insights from Joe Panettieri.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.