Here’s an interesting concept. We are always talking about how we need to be diligent about educating our employees about cybersecurity best practices and technology, but we need to take that a step further and also be innovative when it comes to our processes, policies, and mandates. One new report digs in and discovers that cybersecurity isn’t just about the people and the technology; it is also about the process and the policy. We can’t have one without the others. In fact, we need all of them to build a strong cybersecurity foundation.
Yubico’s second annual State of Password and Authentication Security Behaviors Report, conducted by the Ponemon Institute, surveyed 2,507 IT and IT security practitioners in Australia, France, Germany, Sweden, United Kingdom, and United States, as well as 563 individual users.
The findings are interesting, although not surprising. The report shows IT security practitioners and individuals are both engaging in risky password and authentication practices, but expectation and reality are often misaligned. Basically, the tools and processes that organizations put in place are not widely adopted by employees or customers.
My interview with Jerrod Chong, chief solutions officer at Yubico, echoes this comment. Chong says, “Data shows that there’s still work to be done essentially.” … “I think there’s sort of a good side, and not a good side, right? If you look at the good side, (it) is that the awareness is higher, which means that you start to see that awareness between IT professionals and their users … they’re getting it. It’s not skewed to one versus the other.”
Still, he says there is a big gap that we haven’t really solved yet. Let’s look at some of the numbers. Roughly 51% of IT security respondents say their organizations experienced a phishing attack, with another 12% saying their organization experienced credential theft and 8% saying it was a man-in-the-middle attack. But here’s the real kicker: only 53% say their organizations have changed how passwords or protected corporate accounts are managed as a result.
Here are some interesting points from the report and my key takeaways and tips.
- Don’t reuse passwords! Individuals reuse passwords across an average of 16 workplace accounts and IT security respondents say they reuse passwords across an average of 12 workplace accounts.
- Protect information on mobile devices! With mobile use on the rise, 62% of IT security professionals say their organizations don’t take the necessary steps to protect information on mobile phones. What’s more, 51% use their personal mobile device to access work-related items, and of these, 56% don’t use two-factor authentication.
- Don’t share passwords! Roughly 49% of IT security and 51% of individuals share passwords with colleagues to access business accounts.
- Understand how to protect your customer information! Roughly 59% of IT security respondents say customer accounts have been subject to takeover. Still, 25% say they have no plans to adopt two-factor authentication for customers.
Chong admits we still haven’t solved the threat problem and that the takeaway right now is that people are aware. “The big challenge that we have as an industry right now is a people problem, right?”
Another part of the challenge here is there still aren’t great ways to manage passwords. The report shows 59% of IT security respondents rely on human memory to manage passwords, while 42% say sticky notes are used. Only 31% of IT security respondents use a password manager.
This has to change. Let’s look at what needs to happen next. Some 49% of individuals would like to improve security, but 56% will only adopt new technologies that are easy to use and improve account security. Think: biometrics, security keys, and password-free login. Basically, IT security respondents would like a way to log in that doesn’t involve passwords.
Chong also points out that we need innovation—not just in the technology, but in the way people are thinking about it and in the actual policies, which have to be updated and innovated as well. For example, how can we meet the same compliance requirements with a new set of technologies?
This is the first step to improving security in our businesses. We need to have an easy and safe way to manage our passwords. We also need to consider how to evolve our people, processes, and policies.
Chong explains: “What are the processes and policies and mandates that have to change, and then what are the human behaviors that we need to adjust? … So I think this just calls to action that this problem is so big that no one thing can just solve everything and we need to work as an industry …”
As I have reported before, it requires more than just innovation; it requires determination as an industry.
The post The People, Process, Policy, and Technology of Security appeared first on Constructech.