Almost three quarters of UK employees are not changing their work log-in and email passwords enough putting businesses at risk of cyber-attacks, new research by CSS Assure has revealed.
Of those, almost one third admitted to never changing their work passwords or only doing so when prompted, while 1 in 8 employees (12%) said they use the same passwords personally and professionally.
This World Password Day (5 May), CSS Assure has warned employers to protect their businesses against cyber-attacks due to the major financial, reputational and legal damage they can cause.
Those doing manual work (78%), as well as graduates (70%), directors and business owners (77%) are least likely to change their work passwords enough – highlighting the importance of education at all levels.
One in five directors and business owners (21%) admitted to reusing passwords across multiple accounts, while a quarter of senior managers (25%) said they write their passwords down in a notebook or on a mobile application.
Worryingly, despite infrequent password updates and reusing passwords across multiple sites, 74% of respondents claim to be cyber security aware.
Mike Wills, director of strategy and policy at cyber and data security firm CSS Assure, said: “Cyber criminality is here to stay and is an increasing plague on society – causing untold damage, while fuelling and funding international crime and global terrorism.
“No business is immune from cyber-attacks, and it is vital companies make themselves as hard to hack as possible. At a minimum, businesses should encourage and remind their employees to change their passwords at least once every three months as this will stop or prevent access to accounts if data has been breached.
“While this may seem like a faff, doing so is the single greatest defence a business can take towards protecting itself against a cyber attack. Currently, there are millions of emails and passwords for sale on the dark web for miniscule amounts, waiting for cyber criminals to purchase.
“Using the same password across multiple accounts or both personally and professionally is a major weak link in a company’s security system. If one site is breached and an employee’s credentials are exposed, their risk is amplified exponentially if they use that same password elsewhere.”
“Poor password management is a root cause for many data breaches. However, it’s important to remember that the habit can often be attributed to poor personal discipline, as opposed to malicious intent by your employees.
“Typically, people are unaware they are putting their company at risk, which can be shown by almost three quarters of those surveyed believing they are cyber security aware – even though they are making mistakes that can have dangerous consequences.
“Employers must create a hard to hack company culture that is trained on recognising threats and attacks. Begin by educating all levels of the workforce on why and how poor practices can lead to data breaches, as well as encourage them into good habits, including changing their passwords regularly – starting with today.”
