Survey of Cybersecurity Professionals Shows That Many Don’t Practice What They Preach

This past June at the 2018 InfoSecurity Conference in London, cybersecurity firm Lastline conducted a survey of 306 information security professionals about their feelings on a range of security concerns. The most surprising analytical tidbit has to be that 45% of the security professionals in the survey reuse passwords across multiple accounts.

As the threat landscape has changed over the last decade, the mantra of “do not reuse passwords” has become a central tenet of basic cyberhygiene practice. It’s not difficult to understand why, given the evolution of data breaches and the ease with which cybercriminals can sell or purchase stolen credentials on the Dark Web. In fact, hackers bank on at least some part of the population not bothering to use different passwords.

This point is driven home by Andy Norton, the director of threat intelligence at Lastline: “Breaches are a fact of life for both businesses and individuals now, and reusing passwords across multiple accounts makes it much easier for malicious actors to compromise additional accounts, including access to corporate data, to steal confidential or personal information. The attendees at Infosecurity Europe should be significantly more aware of these issues than the average consumer.”

Matthew Hughes, writing for The Next Web, does provide a caveat for this, stating that the survey results don’t provide “a clear breakdown of response by job title. That’s important because Infosecurity Conference has a really corporate-y feel. Walking around, you see more managerial types and C-Suite gremlins than actual frontline security folks.”

Hughes reached out to Tom Gaffney, the principal consultant with F-Secure, for some context. Gaffney said he finds all sorts of basic cyberhygiene problems when out consulting, such as IT administrators using default passwords for their infrastructure.

If any of this sounds a little close to home for you or your company’s employees, it might be time to revisit the basics of your cybersecurity policy and dust off those training materials.