Even internet professionals aren't following the best practices for password and authentication security.
As hacking grows more sophisticated, with better phishing methods, for example, most rely on security experts to lead the way. But a new report from Yubico finds that even IT professionals aren't taking every step they can to locking down security — and in some cases are taking fewer steps than individual users.
"IT professionals, they answer to a few stakeholders, some C-level executives and to the end user, and they are pulled in two different directions," Jerrod Chong, Yubico's chief solution officer, told GearBrain. "The executive says, 'Don't make it difficult for my users.' And users say, 'I know others have been affected but not me.' So they are stuck in the middle."
The report, "2020 State of Password and Authentication Security Behaviors," was run by the Ponemon Institute and surveyed 2,507 IT and IT security professionals, along with another 563 individual users.
In the report, researchers took a heavy look at the responses from both companies and individuals, including what people and firms did after they'd been victimized by an attack. Of the 35 percent of users who'd had their account taken over, 76 percent changed their passwords or took other steps to protect their accounts. Of the 20 percent of IT people who had the same experience, just 65 percent took steps to further secure their accounts.
Companies want to add security, but in a way that doesn't inconvenience customers. (Getty Images/iStockphoto)
Yubico makes security keys, which let a user sign in to an account only when the physical key is present. They are a way to secure accounts beyond traditional passwords or even two-factor authentication, or 2FA. 2FA typically means a second code, sent via email or text, that must also be entered before someone can gain access to their own account.
Security keys, however, are still not a standard option for most users, particularly as there is an additional cost associated with them. An individual security key may clock in at only around $50, but entering a password, or even a 2FA code, into an online field is free.
However, passwords are a cumbersome way of securing devices as they need, ideally, to be unique and also either remembered or stored somewhere they can be easily accessed. It's not surprising that many people reuse passwords, even though most security people point to this as one of the worst practices.
But here, too, IT professionals stumbled more than regular users, with 50 percent reusing passwords on workplace accounts, compared to just 39 percent of regular users.
A full quarter of IT professionals said they would not use 2FA for their customers either, with 60 percent believing that a single username and password was enough. Concern that users would find 2FA inconvenient was one reason 47 percent cited.
But that may not match consumers' actual experience. Researchers found that just 23 percent of individuals found 2FA options like SMS and mobile authentication "very inconvenient."
"People think they have to sacrifice usability for security and I think that's a common mistake to make," said Chong. "I think technology has come to a point where you can be both."
Ultimately, in the survey, most IT professionals, 55 percent, would prefer a way to lock down accounts that doesn't require passwords. Other methods they preferred were biometric options like an iris scan or a fingerprint reader, or a hardware option like a token or a security key, which Yubico, of course, sells.
Whatever choice they make, Yubico's Chong notes that trust between companies and users is crucial. As more businesses do look to add additional security measures, whether that's a security key or not, those who have lagged are going to be in a precarious position with their customers. Users, according to the report, are growing in their understanding of the need to secure their personal information and data — and companies that don't mirror customers' own concerns may find themselves at a competitive disadvantage.
"Cyber attacks are definitely on the rise, and the probability of not getting breached is very low," he said. "Customer satisfaction is huge, and if everyone says you really need to turn this on, I don't think any company wants to be last."