Jan-Feb 2020 - ChannelVision Magazine

CYBER PATROL I T decision-makers at smaller and mid-market firms are fully aware that password security is one of the most important is- sues facing information security today. According to a survey from WatchGuard, 84 percent of firms with less than 1,000 employees believe that weak passwords are responsible for up to 60 percent of all cyber-attacks. In a separate study from Ponemon Institute, 47 percent of SMBs said their companies had an attack involving the compromise of employees’ passwords in the past year, and the average cost of each attack was $384,598. Those estimates might even be too low, considering a Verizon report from a few years back that found 81 percent of data breaches involved weak or sto- len passwords. One of the most prevalent ways to protect a company’s passwords is multi-factor authentication (MFA), which refers to a method of confirming identity by requiring a user to success- fully present two or more identification factors. In the simplest form, this can be two typed-in factors that only the user knows, such as a password or a PIN. At a higher level, a pass- word can be coupled with alterna- tives to a keyboard entry, such as a fingerprint, barcode swipe or voice recognition. Yet, despite the fact that 64 percent of SMBs surveyed by Ponemon said the use of strong passwords is “an essential part of their organizations security strate- gy,” and a full 84 percent of SMB busi- ness owners and IT decision-makers say their employees know that pass- words best practices are important, more than a third to half of SMBs still have not adopted an MFA solution. “In fact, 58 percent of respon- dents said they do not have, or are unsure if they have, visibility into employees’ password practices,” said Ponemon researchers. It’s not for lack of concern. Most of the businesses surveyed offer some form of password training or have policies in place to encourage best practices, said WatchGuard. This includes requiring employees to use long, complex passwords and change them periodically. But SMB executives still believe their employees regularly engage in poor password practices. Nearly half (47 percent) believe their employees use simple or weak pass- words, about a third believe employ- ees reuse business passwords for personal applications (31 percent) or that employees share passwords (20 percent). Only 18 percent believe their employees have no questionable password security behaviors. So, what’s keeping small and mid- market businesses from deploying MFA? Generally, “traditional MFA solutions are often difficult for businesses to imple- ment and manage, especially those with limited IT resources,” said the Watch- Guard study. Indeed, 61 percent of SMBs feel MFA solutions are designed for large companies. About a quarter of respondents said MFA is either too dif- ficult to maintain and support, too com- plex to implement or too expensive. The good is, SMB IT decision- makers are looking at MFA, despite the barriers. Of companies surveyed by WatchGuard that don’t have MFA, 83 percent are interested in using it, and 65 percent have plans to purchase in the future. What’s more, “nearly all respondents agree that a technology solution is needed to augment pass- words,” said WatchGuard. If nothing else, SMBs clearly are beginning to understand that modern MFA is no longer an optional precau- tion, said WatchGuard analysts, “it is a business requirement.” o MFA for SMBs By Martin Vilaboy Types of MFA Currently in Use Among SMB Adopters Use cloud-based authentication servers 61% Use desktop authenticators 56% Use SMS 47% Use mobile tokens 44% Don’t know the type 40% Source: WatchGuard Source: CPAnalytics; Capital IQ; McKinsey analysis 4 Percentage point. What is your biggest pain point about employees and their passwords? Source: WatchGuard Percentage of IT Budget vs. Personnel that Support Security Operations Source: Ponemon Institute 40% 35% 30% 25% 20% 15% 10% 5% 0% 36.0% 36.3% 37.1% 11.6% 12.1% 13.0% Percentage of IT personnel that support IT ecurity operations Percentage of IT budget dedicated to IT security activities FY2017 FY2018 FY2019 Employee passwords being stolen or compromised Employees using weak paswords Time spent resetting paswords Changing passwords when an employee leaves his job Employee adoption of best practices 68% 68% 67% 68% 58% 60% 46% 46% 38% 36% 0% 10% 20% 30% 40% 50% 60% 70% 80% FY2018 FY2019 16 CHANNEL VISION | January - February, 2020