Password Trip-up

by Msecadm4921

Passwords are the most basic element of any IT security system, yet a study suggests that many organisations are still tripping up at this first security hurdle.

According to research into "password management" by Cyber-Ark Software, a digital vaulting firm, about half of IT managers employed in the largest organisations are not very confident that administrative passwords are stored securely. The research also claimed that not much has changed when it comes to securely storing user passwords, with IT managers estimating that 19pc of their colleagues still keep their passwords on Post-it notes.

The research was carried out at Infosecurity Europe 2005 – the annual IT security event – to find out how securely companies are storing and managing their administrative and user passwords. It was conducted amongst 175 IT professionals with a quarter coming from organisations employing over 5000 people.

A bare third (32 per cent) were storing passwords digitally. The remainder continued to use manual processes, including paper copies stored everywhere from locked cabinets to physical safes, which can hinder efforts for regular and on-demand resetting of passwords.

Administrative passwords are the "keys to the kingdom": they give access to the most confidential information on the network, access that is often seen as one of the major risk factors that can lead to internal fraud. Even so, nearly 10pc of companies never change their mission-critical passwords, and 5pc don’t even change the manufacturer’s default password on their systems.

Other findings revealed:

14pc still keep administrative passwords in an Excel file – which is known to be insecure.

25pc of IT staff can access administrative passwords without permission.

15pc of large organisations never have their security practices audited.

62pc of companies have now seen an increase in auditing of their security practices due to recent legislation.

14pc have no password change management policy, which means they have no way of controlling who has access to systems.

One IT security director who was interviewed for the survey admitted to keeping all the administrative passwords in his mobile phone, explaining that he thought this was "a very safe place". His IT security colleague, standing within earshot, replied: "Wait till I tell the guys back in the office, you’ll never live this one down."

What they say

"It would appear from this research that password management is still a major bugbear for many organisations, with two thirds who are still relying on the old-fashioned method of physically managing and storing passwords. Because this process can be so time-consuming and laborious, IT staff often circumvent the security processes, which can then open them up to potential security breaches," said Tom Crawford, president and CEO of Cyber-Ark. "However, companies can now simplify the management of administrative passwords by using a digital vault which can securely automate administrative passwords in a cost-effective and efficient way."

Cyber-Ark adds that its Network Vault for Passwords has helped hundreds of organisations including Mohegan Sun and European direct debit processor Voca, which recently transitioned its password management, replacing the physical safes used to store over 800 administrative passwords and redeploying staff dedicated to administering passwords.

"Cyber-Ark has cracked the code for automating a potentially insecure and immensely time-consuming process of storing and managing administrative passwords," said Keith Reeve, Manager Certification Authority and Access Control, Voca. "We’ve replaced physical safes with virtual ones, using Network Vault for Passwords to securely automate administrative passwords critical to the systems that support our business."

Organisations interested in viewing how much they can save by migrating to automated, electronic Vaulting of administrative passwords should visit Cyber-Ark’s Password Vault ROI calculator at: