Identity access management firm Osirium conducted a survey of 452 respondents to its IT Security Administrators Survey 2010 and found that, on the whole, companies have less-than-rigorous access policies for security devices. In addition, it appears that IT security administrators from larger organizations are more protective of their login credentials.
Analysis of the global respondents to the survey shows that nearly half of all system administrators use either static passwords, user ID, or a combination of the two for access to security devices. Furthermore, nearly two-thirds (63%) of these administrators wrote down their passwords.
It appears that IT security personnel at larger organizations (5000+ employees) fare better in this area, as 74% of the survey respondents said they do not write down their passwords. On the flip side, 60% of those polled at organizations with 1–100 employees said they jot down their access information.
Osirium also asked these same IT security admins if they share their passwords with colleagues, to which 54% said never, and 46% indicated that they either occasionally or frequently share passwords with co-workers.
Once again, administrators at larger firms held their passwords closer to the vest, as 69% said they never shared this information with co-workers, whereas 49% of admins at smaller organizations said they communicate this information with colleagues either occasionally or all the time.
“Although we knew that many system administrators were not implementing appropriate authentication measures to control access to security devices, we were still surprised by the severity of the problem commented David Guyatt, CEO of Osirium. “It is clear that security practices are often not rigorous enough, mainly due to the fact that overburdened but technically savvy sysadmin teams can very easily circumvent existing security procedures in order to get the job done as quickly and efficiently as they can."