451 Research: A New Password Management Report for Security Champions
As the rise of remote and hybrid work increases our reliance on technology, enterprises are facing more security challenges in 2022 than ever before. Even prior to the global transition to a remote workforce, employees working in enterprises typically accessed many different accounts used for matters such as CRM, supply chain, finance, collaboration, email and messaging. The existence of multiple enterprise accounts has opened the door for cyber criminals and inadvertent breaches due to loose password habits.
The research and advisory firm 451 Research, part of S&P Global Market Intelligence, recently commissioned a global study to understand enterprise password management preferences and adoption trends. The study, which polled senior enterprise security decision makers in the United States, United Kingdom, Japan, and Australia, examined the use cases, spending patterns and sentiment of password managers, standards, and adoption. The report serves as an important resource for enterprise security champions who understand that lost or easily compromised passwords across multiple enterprise accounts can be tremendously damaging. As professionals actively seek to further mitigate the risks in today’s interconnected world, the survey results offer insight into and guidance on current trends.
According to the latest 451 Research Voice of the Enterprise (VoTE) Budgets & Outlook 2021 Report, 86% of enterprises expected to increase their annual security budgets. Almost all (93%) of enterprise respondents said they were maintaining or increasing their password management budgets and a majority (76%) of respondents said password management was deployed or planned to be deployed because of work-from-home concerns.
When asked by 451 Research which personnel were considered the riskiest users, respondents - who themselves come from roles within IT and security - cited third parties and remote personnel. When asked about password policies, 80% said that password policies are sufficient protection for their organization. According to 57% of all respondents, improving end user behavior remains an ongoing effort toward better password management practices.
Less than half (41%) of respondents said they do not audit for password strength or re-use. Over half (56%) of respondents said that password resets / password management make up between 20-60% of all helpdesk requests.
Enterprise applications are increasingly offering multi-factor authentication (MFA), such as one-time passwords (OTP), email verification codes, SMS, or biometric factors. Almost all (96%) of respondents are familiar with these authenticators, yet over half (55%) still said passwords are ubiquitous. Single sign-on (SSO) has also made headway with enterprises: 49% of respondents said that 34-66% of their apps and logins were covered by their SSO solution.
Figure 1: Main Reasons for Password Manager Adoption
Overall, 57% of respondents used password management and another 15% said they would be adopting password management. When asked about the main reasons for adopting password managers, efficacy won out over convenience. In the U.S., around half (51%) of respondents cited ‘preventing credential theft/account takeover attacks’ as the top reason for adopting password managers. Globally, the number one priority was ‘anti-fraud’, cited by 51% of respondents (and a rationale that was second-most-popular in the U.S.). Time-saving and reducing help desk calls were of lower priority, both in the U.S. and globally.
According to 58% of respondents, internal non-IT staff were the group to which password management had been deployed or would be deployed next - the highest priority, even though third parties and remote personnel are considered a higher risk.
Figure 2: Risky Groups - Deployed Groups for Password Management
Password management usage is relatively strong, but it could be stronger and more widespread. There are a few strategies for making this possible.
To start, password manager usage should combine personal and business use cases in order to drive adoption. According to the survey, 47% of respondents said that the company should provide tools for employees both at home and at work and 59% would prefer a password management tool for both personal and business passwords.
User experience also matters. While hard security rationales (anti-fraud, preventing credential theft) drive password manager adoption, respondents selected user experience (29%) and management complexity (36%) as the largest endeavors toward successful password manager deployment. Preventing security incidents should always be a primary driver for password manager deployment, but that doesn’t mean enterprise security decision makers shouldn’t consider improving user experience. A poor end user experience will likely lead to sloppy practices and password re-use.
Enterprises should also ensure risk is commensurate with deployment. The highest risk personnel should have to abide by password management policies. The best way to do this is to come up with a password management plan that is easy to adopt. Ultimately, successful password manager acceptance among riskier personnel remains critical to filling perceived exposure gaps.
The survey was conducted in conjunction with 451 Research (a division of S&P Global). The firm surveyed 400 professionals in the United States, United Kingdom, Australia, and Japan.