IT Not Protecting Passwords

DEDHAM, Mass. -- Cyber-Ark Software, the information security software company that develops and markets digital vaults for securing and managing highly-sensitive information within and across global enterprise networks, has announced the results of their annual survey which illuminates the industry-wide struggle to safely and easily share and manage administrative passwords.

The survey shows that the majority of IT professionals mismanage the storage of passwords by keeping them in inaccessible or unsecured locations. This can create serious security bottlenecks and stifle business continuity. In the event that the keeper of critical administrative passwords is unavailable or loses the location of the passwords – it can cause massive disruption and hours of lost productivity.

A quarter admit that their IT staff can access the administrative passwords without permission, which is a serious oversight considering it is these very passwords that are the most powerful and critical of all passwords, over-riding all the others and enabling the “administrator” to access the network, systems and the very applications which provide the backbone of enterprises worldwide.

The survey of nearly 200 information technology (IT) security professionals, revealed:

* 28% of survey participants keep their administrative passwords in their heads and 38% still resort to writing down their passwords and storing them on paper!

* Less than a third (32 percent) are storing administrative passwords digitally. The remainder continue to use labor-intensive, manual processes, including paper copies stored everywhere from locked cabinets to physical safes.

* 22% of respondents estimate that their colleagues are still keeping passwords on Post-It Notes while 14 percent use unsecured Excel spreadsheet files – making it relatively easy for an infiltrator to access the administrative passwords.

* Only 40% of all security professionals change administrative passwords monthly or more frequently; 30% change them quarterly and a staggering 15% NEVER change IT administrative passwords.

* One in five companies have seen an increase in auditing of their security practices due to recent legislation.

* 33% admitted they don’t change their critical passwords as often as their policy suggests.

One interesting statistic that came out of the survey was the positive impact that recent legislation and standards to tighten up on security such as Sarbanes Oxley and PCi has had on the IT department. A surprisingly high number (81%) felt that these rules and regulations had been “very positive”, giving them the impetus to update and upgrade systems in order for their IT departments to “fall into line”.

Calum Macleod European Director of Cyber-Ark said “One of the major issues is that sharing IDs is directly prohibited by IT security guidelines and different regulations. In addition the security situation couldn’t be much worse—the most powerful IDs have shared passwords that are infrequently changed. Operationally, the problems are also severe. Change control and system stability are predicated on a process to control when changes can occur and when this is not controlled every organization is seriously exposed. "

Already, Cyber-Ark says, Network Vault for Passwords has helped scores of organizations secure and dramatically simplify the management of administrative passwords, including some of the world's largest financial services firms, insurance companies, government agencies, telecommunications providers, gaming enterprises and energy companies. This includes one of Europe’s largest Telecom’s Network and System Integration Company, Belgacom NSI, which recently took on Cyber-Ark’s Network Vault and Central Password Manager to store and manage their administrative passwords, with encryption, error tolerance and passwords that are generated in a completely random manner.

Cyber-Ark Software Ltd.