UK firms’ password security score ‘average’

While businesses are making strides in strengthening password security, there is more work to be done, with the UK password score lagging behind the frontrunners, a survey shows

The average password security score of UK organisations is 52 out of 100, according to LastPass’s 2018 Global password security report.

The data is based on analysis of anonymised data from 43,000 firms using LastPass as their business password manager. LastPass, which was acquired by LogMeIn in 2015, draws a precise picture of password management for the business IT community.

Although a score of 52 is fair, the report said it shows a need for more effective policies and training, so that organisations can exceed the benchmark.

An average global security score of 52 also means that most businesses still have work to do in overcoming weak, reused, old and potentially compromised credentials, the report said.

The UK’s average security score matched that of France and Belgium, but was below the leading country, Germany, which had an average score of 56, followed by the Netherlands with 55 and Switzerland and Sweden, each with 54.

Trailing the UK are Italy and Canada, which both scored 51, and the US, Spain, Denmark, Australia and New Zealand, each of which had an average score of 49.

“Security professionals often fail to consider the value of the first factor of enterprise authentication – the password,” said Frank Dickson, research vice-president, security products at IDC.

“Despite the sophisticated security measures enterprises are putting in place, something as fundamentally simple as a password is tripping them up.”

According to Dickson, a security benchmark such as the one provided by the LastPass report will help enterprises quantify their password risk, see how they compare with enterprises of similar size, and gauge the effectiveness of their enterprise password management deployment.

The report showed that the technology industry is leading the pack in password security, with the highest average security score of 53. That finding is not surprising, the researchers said, in view of the privacy and data laws with which most must comply.

However, the report said it is surprising that heavily regulated industries such as banking, health, insurance and government are not achieving comparable or better average security scores, with banking, health and government scoring an average of 49, followed by retail (48) and insurance (47).

Multifactor authentication (MFA) is gaining popularity, the report showed, with 45% of businesses analysed using MFA. Once again, the tech sector leads the pack with 31% adopting MFA, followed by banking (16%) and retail (13%). By contrast, only 3% of organisations in the health and insurance sectors are using MFA, and this figure drops to 2% in the public sector.

The report showed that the bigger the company, the lower the average security score. Organisations with fewer than 25 employees had the highest average security score of 50, and the average drops as company size increases.

More employees bring more passwords and unsanctioned apps, as well as extra opportunities for dangerous password behaviours, the report said, highlighting the fact that in larger organisations it is more challenging for IT to hold all employees to password security standards.

However, investing in an enterprise password management tool is helping to improve the situation, the report said, with businesses typically gaining nearly 15 security points within the first year of investing in such a tool.

Password sharing is prevalent in the workplace, the report revealed, and, on average, any given employee now shares six passwords with co-workers. As teams become more distributed and technology-dependent, the ability to protect, track and audit shared passwords is more important than ever, the report said.

“Passwords continue to be a challenge to cyber security in the workplace, and attacks continue to grow in number and complexity every year,” said Gerald Beuchelt, chief information security officer at LogMeIn. “Despite these threats, businesses have struggled to quantify their own level of password risk.

“This report offers fellow information security managers a tool to compare their own company’s password scores with a large sample of peers and competitors. In turn, security departments are now better equipped to identify the gaps in their security programme and measure progress when investing in password security.”