According to its Password 2011 study into password usage, the privileged identity management specialist says that 48% of IT security professionals surveyed have worked for organizations whose network has been breached by a hacker.
The survey – which took in responses from 300 ITsec professionals at a recent event – found that 51% of respondents had ten or more passwords to remember for use in their work, with 42% reporting that their organizations IT staff are sharing passwords or access to systems or applications.
Against this backdrop, researchers also found that 26% of the ITsec professionals said they were aware of an IT staff member abusing a privileged login to illicitly access sensitive information.
Interestingly, 48% of respondents said they work at firms that are still not changing their privileged passwords within 90 days – some that Lieberman Software claimed are in violation of most major regulatory compliance mandates and one of the major reasons why hackers are still able to compromise the security of large organisations
The firm added that, if almost 50% of all passwords remain unchanged, as this survey discovered, then fundamental and basic IT security practices are being ignored by staff and their senior management. Misuse of passwords, said the firm, is major reason for data leakage.
Philip Lieberman, the firm's president, said that the results of the survey shows that despite the huge number of frequent data breaches, over the past twelve months senior management in many organisations have not yet grasped the fundamentals of IT security.
“In fact they are actively paving the way for more and bigger disasters. Password anarchy among the IT staff at major organisations is mirrored by password apathy at the top of the management hierarchy, where senior management seem almost criminally lax in the enforcement of IT security policies – to the detriment of their organizations”, he said.
“These fundamentally careless practices and procedures revealed by the IT departments of the organizations we surveyed could cost them dearly in the coming months. We have consistently said that basic security includes locking down access to systems containing sensitive data to minimize the insider threat. However, only months after the Sony, RSA Security and Comodo hacks the situation within major organizations remains at risk”, he added.
Lieberman advised that senior management will have to pay far more attention to their basic security practices or be forced to apologize to their shareholders and customers for major data losses and subsequent damage to brand loyalty.
“The simple, unpalatable truth is that senior management generally is not policing their IT security departments enough to avoid further massive data breaches”, he said.