Passwords on the rise despite evidence that they are increasingly unable to protect, finds Thales
29 per cent of organisations across the Middle East and Europe see usernames and passwords as one of the most effective access management tools, despite inherent weaknesses
According to the 2020 Thales Access Management Index – Europe and Middle East Edition, nearly a third (29 per cent) of organisations still see usernames and passwords as one of the most effective means to protect access to their IT infrastructure, two years after the inventor of the complex static password admitted they don’t work. In fact, 67 per cent of respondents indicate that their organisations plan to expand their use of usernames and passwords in the future.
Surveying 400 IT decision-makers across Europe and the Middle East, Thales’s new research found that the majority (57 per cent) of IT professionals revealed that unprotected infrastructure is one of the biggest targets for cyber-attacks. Therefore, any organisation utilising it, as a result of business pressure driving it to adopt digital transformation technologies, is likely to be putting itself at a higher level of risk.
Solving the Security vs. Convenience Conundrum
With the Covid-19 global pandemic causing many companies to work from home, IT departments are battling to provide employees with both security and convenience. In fact, over two-thirds (67 per cent) of IT leaders say their security teams feel under pressure to provide convenient access to applications and cloud services for users, but still maintain security – an indication they’re struggling to balance their digital transformation and security priorities. To this end, 96 per cent believe that strong authentication and access management solutions can facilitate secure cloud adoption. This view is particularly widely held in Saudi Arabia and the UAE, with just over three-quarters (76 per cent) of respondents from these markets believing that cloud access management for cloud and web applications is definitely conducive to facilitating cloud adoption. Over three-quarters (76 per cent) also revealed employee authentication needs to be able to support secure access to a broad range of services including virtual private networks and cloud applications.
Making small improvements
While some organisations still rely on legacy authentication methods like usernames and passwords, growing awareness of the threats is prompting action, with almost all (94 per cent) organisations having changed their security policies around access management in the last 12 months. Staff training on security and access management (47 per cent), increasing spend on access management (43 per cent), and access management becoming a board priority (37 per cent) have all seen an increased focus. This is set to pay off in compliance terms too, with two thirds (66 per cent) of UAE and KSA respondents thinking that controlling who has access to specific types of data will help them to meet data regulation requirements like GDPR and pass security audits.
“As more and more businesses move to adopt cloud-based services for CRM, email, employee collaboration and IT infrastructure as part of their digital transformation strategies, the struggle to extend old solutions, designed to protect internal resources, to the outside world becomes very problematic. Often, in an effort to adapt to the new working habits of users connecting from anywhere, which is increasingly pertinent right now and will become standard moving forward, businesses tend to revert back to old password-based logins for cloud services in despair. This is knowingly increasing their security exposure to credential stuffing and phishing attacks,” said Francois Lasnier, vice president for Access Management solutions at Thales.
Two steps forward, one step back
Looking ahead, some IT leaders are set to potentially use their influence at board level more wisely, with investment in the use of more secure methods such as biometric authentication (75 per cent) and smart SSO (81 per cent) set to increase in the next year.
When it comes to providing more data for a smart SSO, respondents in the Middle East are far more likely to allow any data to be collected and held if it resulted in a secure smart SSO, with 42 per cent of UAE and KSA respondents stating they would be happy for their organisation to collect and hold more data about them if it resulted in a secure smart SSO solution, and only 4 per cent saying that they wouldn’t allow any more data to be used. This was followed by France, with 40 per cent of respondents stating they would be happy to share more personal data and 10 per cent saying that they would not allow any more data to be used. These numbers are almost twice as high as those seen in the UK (21 per cent), Germany (21 per cent), Belgium and the Netherlands (20 per cent).
However, a third (67 per cent) still plan to expand their use of usernames and passwords, which is a similar size to those intending to further utilise passwordless authentication methods (70 per cent), and almost half (48 per cent) of organizations in UAE and KSA would allow employees in their organisation to log on to corporate resources using their social media credentials.
“For a long time, the biggest battle IT leaders have faced is increasing board awareness around taking the threat of security seriously,” Lasnier continued.
“Now that they have that buy-in, the focus should be on highlighting the importance access management plays in implementing a zero trust security policy to their executive management. With this in place, risk management professionals will be able to put in place a ‘Protect Everywhere - Trust Nobody’ approach as they expand in the cloud.”