via Help Net Security
Password resets could unnecessarily cost FTSE 100 businesses over $156 million every month, according to MyCena Security Solutions.
This raises the question of whether password resets are necessary at all, at a time when organizations must identify cost savings to survive the economic downturn. Password resets add zero value to businesses, reduce employee productivity and carry an astronomical price tag, so could this pest be scrapped entirely?
There is an opportunity for businesses to learn how to eradicate password resets from their processes to improve both their security and bottom line.
It starts with recognizing that password resets only occur because employees make their own passwords to access systems and data. This is akin to employees making their own keys to enter buildings or factories. Indeed, in the digital world, employees are the gatekeepers. They generate and hold the keys to the kingdom, not the employers, who have lost control of their access keys.
Password resets are merely a symptom of employees holding those keys. With hundreds of keys to the house, employees forget what those passwords are, and password resets skyrocket as a result.
Employees resetting passwords
There are currently almost four million employees within the FTSE 100 companies, and research reveals that 56% of employees reset their passwords at least once every month in 2022. Set that figure alongside data showing that the average cost of a password reset to a business is $70, and the true cost of password resets to businesses becomes clear. For the FTSE 100 alone, these figures exceed $156 million every month, or $1.7 billion annually.
“Password resets bring significant costs to businesses which can be totally avoided. They are a mere symptom of having employees control the keys to the house. If businesses revert to controlling their own access and passwords, there would be no password to remember or forget, and therefore, no need for password resets at all. Just as there is no need to constantly change the door locks in their offices, factories or plants,” said Julia O’Toole, CEO of MyCena Security Solutions.
“When employees know the passwords, businesses are vulnerable to employees getting their passwords phished, which is the leading cause of breaches. Removing passwords from users’ knowledge eradicates the cost of password resets while significantly strengthening security. This minimises any further cost associated with any data breach, such as GDPR fines which can cost up to 4% of annual turnover for failing to control access keys,” O’Toole continued.
Security companies promote single access solutions such as passwordless authentication, single sign-on, privileged account management, zero trust and biometrics. But it is an old misconception that these can improve security. On the contrary, single access impedes security by reducing cyber-resilience.
Employees are still the gatekeepers who make and control access keys. Except that instead of making fifty keys to open fifty doors, the employee makes just one key that opens fifty doors. Now the attacker only needs to find that key, escalate privilege and access the entire corporate network.
Biometrics present an even greater risk: on top of being a single point of failure, people's voices and faces are not secret. Emerging AI tools can use videos, photos and recordings to replicate them, and once stolen, biometrics can never be changed.
Tackling password reset cost
To tackle password reset issues and costs, businesses can simply revert to controlling their access keys and remove passwords from employees’ knowledge.
To that effect, organizations can use access segmentation and encryption management solutions to generate strong random passwords for all systems and distribute them encrypted to employees, so that no one ever knows them. This means employees are no longer a security threat.
When employees don’t know their employer’s passwords, they can’t lose them, forget them, or hand them over in phishing scams. This provides a genuine remedy to the security issues associated with passwords and at the same time, removes costly password resets entirely from the business. Using such solutions would represent cost savings of over $300 million per year for the FTSE 100 companies alone.
“People should stop using World Password Day to promote regular password changes and single access tools. These are remnants of an old belief that people need to know their passwords, which is untrue and undermines security. Passwords are just keys. They don’t need to be created or known by humans. Just as no one needs to know or cut out the grooves of their keys to go home. They just need to be able to safely use them. Instead, World Password Day should be used by organizations to raise awareness of the need to control their own access keys, review their password reset records, and regain access control where it has been lost,” added O’Toole.
“The only way for organizations to eliminate those hefty password reset costs is by taking back control of their access and passwords. If organizations in the FTSE 100 started doing this, their security would improve, their password reset costs would be completely eradicated and millions would be added to their bottom line. It’s time to take action,” O’Toole concluded.