Almost half of IT users reveal their passwords

31 Oct 2007

An amazing 43pc of IT users reveal their password and more than half do not receive IT security awareness training, a new survey from Deloitte has revealed.

The latest Information Security Awareness survey by Deloitte which sought to gain an understanding of the level of security awareness in professional environments concludes that organisations need to place increased emphasis on IT security awareness training.

It found that 81pc of those surveyed were aware their organisation had a computer usage policy in place, but over half did not receive any IT security awareness training.

Of those that did receive training, 43pc still revealed their passwords.

“This is a worrying trend for organisations as it certainly highlights the need for not only increased IT security awareness training, but also more effective training. Passwords are the key to a wealth of information stored on a company’s network,” explained Colm McDonnell, partner in charge of enterprise risk services at Deloitte.

“Many respondents not only divulged their computer password but also their own name and the name of the organisation they work for.

With this information it is possible to hack into areas assigned to the individual and also into more sensitive areas of a company’s network,” McDonnell added.

The Deloitte survey also revealed how people chose their password. Some 41pc chose a familiar name like their own name, a pet animal or a close relative.

However, 84pc use a mix of words, numbers and characters and 85pc change their passwords on a regular basis — or at least when prompted.

On a monthly basis 61pc change their passwords using the same password but with a slight variation, but Deloitte warns that this increases the risk of forced hacking attacks and other breaches.

“Every member of an organisation needs to understand their role in safeguarding the company’s data,” McDonnell explained. “The lack of security awareness that this survey shows, coupled with the increasing sophistication of threats posed means that companies must continually invest in improving their posture through the use of security technologies available and additional security training.

“Usernames and passwords are no longer sufficient — two-factor authentication is the very minimum required now,” McDonnell added.

As a guideline, a strong password should be more than 6-8 characters long, combining letters, words and symbols and users should avoid using familiar names and easy to guess passwords. Users should also avoid dictionary words and avoid using chronological sequences of numbers (for example, 12345).

By John Kennedy