Password Apathy

Morgan O'Rourke


December 1, 2011

Despite almost constant reports of data breaches and hacking incidents, many organizations are still not taking even the most basic measures to protect their data. In fact, the password practices in some companies may actually be putting them at greater risk. According to a password security report by Lieberman Software, 48% of the more than 300 IT professionals surveyed have worked for organizations that have experienced a data breach.

But even with such first-hand experience, 42% said that two or more IT staff actually share passwords to access systems or applications in their organizations, 48% allow passwords to privileged accounts (those that contain high-level permission to access files, install programs, and change configuration settings) to remain unchanged for 90 days or more, and 25% admitted that their privileged account passwords were less complex than normal user logins.

Such practices make it easier for hackers -- and employees -- to gain access to sensitive data. For instance, 26% said that at least one IT staff member in their organization has abused privileged logins to access unauthorized information. This absence of fundamental data protection measures may point to a developing sense of apathy regarding data security, even among those who are tasked with maintaining it.

Morgan O’Rourke is editor in chief of Risk Management and director of publications for the Risk & Insurance Management Society, Inc. (RIMS).