
Volume of business passwords overwhelming

RSA Security Research shows volume of business passwords overwhelming end-users and hindering IT security efforts.
Johannesburg, 18 Sep 2006

SecureData, a member of the JSE-listed ERP.com Group and the distributor for RSA Security products in Sub-Saharan Africa, today announced the results of the latter's second annual password management survey, which polled businesses on issues pertaining to password management. More than 1 300 business professionals participated in this global study, which confirmed that the burden of multiple passwords continues to pose significant security risks, and encourages end-user behaviour that endangers compliance initiatives.

"While companies pour huge amounts of time and money into protecting sensitive information, business passwords remain one of the weakest links in the security chain, in large part due to the sheer number of passwords that end users are required to manage," commented John Worrall, senior VP of marketing at RSA Security. "Little has changed since 2005 - end-users are still managing an overwhelming number of passwords, and this is resulting in behaviours which open the door to security breaches and potential compliance issues."

Passwords impacting compliance initiatives and enabling security breaches

RSA Security's survey polled respondents with jobs related to corporate password management on a number of issues related to compliance and overall IT security. Of note, 57% say their company's desire to avoid end-user frustration prevents the organisation from requiring frequent password changes and/or strong password policies. In addition:

* Passwords in the era of compliance: Most companies surveyed view password management as fundamental to compliance. 59% said password management is 'extremely important' to compliance. Regionally, 66% of U.S. participants responded with 'extremely important', whilst 48% of Europeans answered the same.
* Passwords and IT security: RSA Security's survey revealed that organisations are very concerned about the impact of passwords on IT security. Forty-one percent called passwords 'extremely concerning'; 44% said 'moderately concerning'.
* Passwords and IT security breaches: Twenty-six percent of respondents know of a corporate security breach that has occurred due to a compromised password. Those in the Asia-Pacific region were most aware (35%), whilst those in the US were the least aware (14%). Examples of breaches resulting from compromised passwords included:
  * Former employees accessing business accounts using their own passwords
  * A terminated employee guessing a former manager's password to gain remote access
  * An employee altering a co-worker's private human resources information.

Password overload creating frustration and security vulnerabilities

RSA Security's survey shows end users are overwhelmed by the number of passwords necessary to access business applications, Web sites and portals. This, in turn, is leading to risky behaviours:

* Passwords required versus passwords remembered: Eighteen percent manage more than 15 passwords, but only 5% can easily remember that many. Thirty-six percent manage between six and 15 passwords. Responses were similar to 2005, when 35% said they manage between six and 15 passwords and 23% said more than 15.
* Continued frustration with managing passwords: The majority (82%) of end-users are frustrated with managing passwords at work. Globally, 12% find it 'extremely frustrating' - in the US, 15% answered in this manner, whilst only 9% did so in Europe. Last year, 88% reported some degree of frustration.

Password policies and end-user behaviours

RSA Security's survey shows that password policies and end-user behaviours vary dramatically:

* Password Change Requirements: Thirty-nine percent of respondents in the Asia-Pacific region and 34% in Europe are required to change passwords monthly; only 23% of US respondents are required to change passwords with the same frequency.
* Strong password policies: Most organisations enforce strong password policies, according to survey respondents. Specifically, 70% say their company requires passwords between eight and 14 characters, using a combination of letters, numbers and symbols. However, 17% said their company has no password requirements. In addition, 48% say their company does not allow the re-use of old passwords.
* Unsafe Password Tracking Practices: Most respondents with jobs related to corporate password management know of employees tracking passwords in an unsafe manner:
  * 66% have seen employees keep paper password records at work, but only 13% of end users admit doing so (down from 15% last year)
  * 58% are aware of employees keeping electronic password records (eg, in a spreadsheet), though only 24% of end users say they keep electronic records themselves
  * 55% know of employees tracking passwords in a PDA or handheld device
  * 40% have seen employees track passwords with Post-It notes or other scraps of paper affixed to their computer.

Passwords' impact on the IT help desk

RSA Security's survey shows that password-related support requests add significant workload to the IT help desk. One-fifth of respondents say that password-related calls constitute 26% to 50% of help desk requests; one-third say that between 11% and 25% of help desk calls are password-related. Generally, larger companies are more burdened by password-related help desk calls than smaller organisations.

Easing the password management burden

RSA Security's survey also asked respondents whether it would be helpful to have a 'master password', replacing all other passwords at work. Fifty-six percent of those surveyed said a master password would be 'extremely helpful'. However, the vast majority - 81% - also believes that it would be 'extremely important' to provide an added layer of protection for a master password. This is a significant increase from 2005, when 55% of respondents said an added layer of protection would be 'very important'.

Survey description and methodology

The RSA Security password management survey was conducted online between 21 August and 25 August 2006. The study polled 1 343 participants from North America, Europe, Latin America and the Asia-Pacific region.

For further information, please contact Andrew Ochse at tel. +27 11 257 8600; fax +27 11 257 8699; e-mail andrewo@securedata.co.za


RSA Security

RSA Security helps organisations confidently protect identities and information access. The company secures more than 15 million user identities, safeguards trillions of business transactions annually, and manages the confidentiality of data in tens of thousands of applications worldwide. RSA Security's portfolio of award-winning solutions, including identity and access management, secure mobile and remote access, secure enterprise access, secure transactions and consumer identity protection, sets the standard in the industry. Their strong reputation is built on a 20-year history of ingenuity, leadership and proven technologies, and their 17 000+ customers around the globe. Together with more than 1 000 technology and integration partners, RSA Security inspires confidence in everyone to experience the power and promise of the Internet.

SecureData

SecureData, an ERP.com company, is Africa's Premier Distributor & Solution Provider of Perimeter, Network & Endpoint Information Security Solutions. SecureData's information security solutions include best-of-breed Secure Content and Threat Management solutions, devices and appliances for the perimeter, data centres, network, endpoints, messaging and Web. SecureData's comprehensive "Managed Security Services" include design, audit, implementation, vulnerability assessment, outsourcing and hosting. SecureData distributes, sells and supports category leading information security products to the public, corporate and SME sectors throughout Africa as well as products and services to the SOHO and consumer markets through partnerships with ISPs. As well as being the sole distributor in Sub-Saharan Africa for and Trend Micro, SecureData is the African distributor for USA-based TippingPoint Technologies and the Southern African distributor for USA-based Application Security, eEye, Rocket software, RSA Security, St Bernard and Websense. For more information, visit SecureData at www.securedata.co.za

ERP.com

ERP.com is a JSE-listed company focused on the implementation, integration and management of enterprise applications in an e-business environment. For more information, visit ERP.com at www.erpcom.co.za

Editorial contacts

Paul Booth
Global Research Partners
(082) 568 1179
pabooth@mweb.co.za