According to the 2020 Thales Access Management Index – Europe and Middle East Edition1 – nearly a third (29%) of organisations in Europe and the Middle East still see usernames and passwords as one of the most effective means to protect access to their IT infrastructure, two years after the inventor of the complex static password admitted they don’t work. In fact, 67% of respondents indicate that their organisations plan to expand its use of usernames and passwords in the future. This continued reliance on outdated security comes despite IT leaders revealing it is increasingly easier (48%) to sell the need for security to their boards compared to last year (29%).
Surveying 400 IT decision-makers across Europe and the Middle East, Thales’s new research found that the majority (57%) of IT professionals revealed that unprotected infrastructure is one of the biggest targets for cyber-attacks. Therefore any organization utilising it, as a result of business pressure driving them to adopt digital transformation technologies, are likely to be putting themselves at a higher level of risk.
Solving the Security vs. Convenience Conundrum
With the Covid-19 global pandemic causing many companies to work from home, IT departments are battling to provide employees with both security and convenience. In fact, over two-thirds (67%) of European IT leaders say their security teams feel under pressure to provide convenient access to applications and cloud services for users, but still maintain security – an indication they’re struggling to balance their digital transformation and security priorities. To this end, 96% believe that strong authentication and access management solutions can facilitate secure cloud adoption. Over three-quarters (76%) also revealed employee authentication needs to be able to support secure access to a broad range of services including virtual private networks and cloud applications.
Making small improvements
While some organisations still rely on legacy authentication methods like usernames and passwords, growing awareness of the threats is prompting action with almost all (94%) organizations having changed their security policies around access management in the last 12 months. Staff training on security and access management (47%), increasing spend on access management (43%), and access management becoming a board priority (37%), have all seen an increased focus. This is set to pay off in compliance terms too, with nearly all (98%) European respondents admitting controlling who has access to their company’s data. This will help them meet data regulation requirements like GDPR.
“As more and more businesses move to adopt cloud-based services for CRM, email, employee collaboration and IT infrastructure as part of their digital transformation strategies, the struggle to extend old solutions, designed to protect internal resources, to the outside world becomes very problematic. Often, in an effort to adapt to the new working habits of users connecting from anywhere, which is increasingly pertinent right now and will become standard moving forward, businesses tend to revert back to old password-based logins for cloud services in despair. This is knowingly increasing their security exposure to credential stuffing and phishing attacks,” said Francois Lasnier, Vice President for Access Management solutions at Thales.
Two steps forward, one step back
Looking ahead, some IT leaders are set to potentially use their influence at board level more wisely, with investment in the use of more secure methods such as biometric authentication (75%) and smart SSO (81%) set to increase in the next year. However, a third (67%) still plan to expand their use of usernames and passwords, which is a similar size to those intending to further utilise passwordless authentication methods (70%).
“For a long time, the biggest battle IT leaders have faced is increasing board awareness around taking the threat of security seriously,” Lasnier continued.
“Now that they have that buy in, the focus should be on highlighting the importance access management plays in implementing a zero trust security policy to their executive management. With this in place, risk management professionals will be able to put in place a ‘Protect Everywhere - Trust Nobody’ approach as they expand in the cloud.”