With the average enterprise organisation using 288 different cloud applications, individual users simply have too many credentials to remember, and they resort to poor security practices as a result. Weak, easily remembered passwords that are reused or written down create cyber security risk, and compromised credentials were the most common cause of successful cyberattacks in 2021. A password manager is one way to mitigate these risks and the threat of a data breach. However, not all password managers are equal.
Some organisations may encourage, perhaps even roll out, personal password managers (PPMs) for their employees, considering them a quick, cost-effective security upgrade that requires little overhead beyond a licence fee and basic user training. Password managers are a force for good, so why would this be a problem?
Indeed, personal password managers seek to solve many of the issues inherent to password-based authentication in a modern environment that uses a large number of cloud applications. Since users no longer need to memorise credentials, employees can use long, random passwords that resist brute force and credential-stuffing attacks. Personal password managers can also remove the problem of password reuse and negate the need to write credentials down, solving many of the problems associated with password-based authentication. As a result, some organisations wrongly consider them a valid option for protecting their data.
Notwithstanding some perceived benefits of personal password managers, they are wholly unfit for business. There is a clear distinction between password managers intended for personal use, and those designed for businesses, with the former not only lacking many of the features required to ensure corporate data is adequately protected, but also exposing the business to increased risk. Here are some of the main limitations of PPMs, and why they pose significant cyber security risks when used in workplaces.
Since personal password managers are designed for individual users to create and manage passwords, the business is not in control, and ultimately does not have ownership of the passwords used to access its own applications and corporate data. While the organisation may request that a corporate email account be used for registration, the individual remains in control and can still easily switch to a personal email address. Ultimately, personal password managers put employees in control of what should be corporate owned applications and data.
Since PPMs are, by definition, designed for individual users, they typically give a business no way to enforce their use from the top down. Reliance on voluntary adoption often means employees do not use them, whether because of user friction or simply because a change in behaviour is required. More concerning are users who do adopt the PPM but use it insecurely, for example by choosing a weak or reused master password, which exposes the organisation to increased risk. PPMs do not allow the business to control user access or enforce security policies, and ultimately they fail to address the risk from insecure end-user behaviour.
Password managers designed for personal use lack the ability to centralise and automate the provisioning and deprovisioning of users. When onboarding users, the process can become arduous and time-consuming, but the potential ramifications are far more impactful when users leave the organisation and have a vault of corporate applications within their ownership that only they know how to access.
The retention of privileged access by former employees can be a significant cause of data breaches, but ex-employees themselves can also pose a threat. As well as the potential for malicious activity if the relationship between employer and employee becomes strained, there can also be financial and career motivations for accessing data from a former workplace.
According to a Ponemon Institute study, over half of employees surveyed accessed information from their former employer, with 40% stating they intended to use it in their next role. This problem is exacerbated when users are able to view passwords in clear text, since they retain access even without the password manager itself. Even if the former employee has no intention of using the data, the organisation can lose access to those accounts and the data behind them when the employee leaves, if their usage has not been tracked and reported.
Phishing is the most common form of cyberattack, according to the Verizon 2021 Data Breach Investigations Report. A personal password manager will not autofill credentials into a login form on a phishing site, because the site's address does not match the one the credential was saved for. In practice, however, users often interpret the missing autofill as an error, and if the passwords are visible to employees, they can simply copy and paste them from their vault into the form, resulting in the account being compromised.
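The two points above (passwords visible to users, and autofill that is bound to the site address) can be made concrete. The following is an added example, not code from the original article or from any password manager product: it models a vault entry, an autofill decision that only fires for the stored origin or one of its subdomains over HTTPS, and a "reveal password" control whose policy decides whether the copy-and-paste route to a phishing form is even available. The entry, the sample URLs, the `shouldAutofill` and `revealPassword` names and the `allowReveal` policy field are all assumptions made for illustration.

```javascript
// Added example (not from the original article): an origin-bound autofill
// check beside a policy-gated "reveal password" control. Names, the policy
// shape and the sample data are assumptions for illustration.

// A stored vault entry; `site` is the origin the credential was saved for.
const vaultEntry = {
  site: "https://example.com",            // constructed sample entry
  username: "alice",
  password: "correct-horse-battery-staple",
};

// Returns true only when `pageUrl` is the stored site, or a subdomain of
// it, served over HTTPS. Lookalike domains, userinfo tricks, homographs,
// HTTP downgrades and unparseable URLs all fail closed (no autofill).
function shouldAutofill(entry, pageUrl) {
  let page, stored;
  try {
    page = new URL(pageUrl);
    stored = new URL(entry.site);
  } catch {
    return false;                          // malformed URL: fail closed
  }
  if (page.protocol !== "https:") return false;
  // URL parsing lower-cases the host and converts Unicode hosts to
  // punycode, so a homograph never compares equal to the ASCII original.
  const host = page.hostname;
  const storedHost = stored.hostname;
  return host === storedHost || host.endsWith("." + storedHost);
}

// Decides whether the user may see the secret in clear text. A personal
// manager typically always allows this; an enterprise policy can forbid it,
// which removes the manual copy-and-paste path that bypasses the origin check.
function revealPassword(entry, policy) {
  return policy.allowReveal ? entry.password : null;
}

// Constructed sample pages a user might reach from a phishing e-mail,
// paired with the expected autofill decision.
const samples = [
  ["https://example.com/login", true],
  ["https://sso.example.com/login", true],
  ["https://example.com.login-verify.net/", false], // stored host used as a prefix
  ["https://examp1e.com/login", false],             // digit 1 in place of letter l
  ["https://example.com@evil.net/login", false],    // userinfo trick; hostname is evil.net
  ["https://exаmple.com/login", false],             // Cyrillic 'а' (U+0430) homograph
  ["http://example.com/login", false],              // HTTPS downgrade
  ["not a url", false],
];

// Evaluates every sample and reports expected versus actual decisions.
function runSamples() {
  return samples.map(([url, expected]) => ({
    url,
    expected,
    got: shouldAutofill(vaultEntry, url),
  }));
}

// Stand-alone run: print each decision and the effect of the reveal policy.
for (const r of runSamples()) {
  console.log(`${r.got === r.expected ? "ok  " : "FAIL"} autofill=${r.got} ${r.url}`);
}
console.log("personal policy reveals password:",
  revealPassword(vaultEntry, { allowReveal: true }) !== null);
console.log("enterprise policy reveals password:",
  revealPassword(vaultEntry, { allowReveal: false }) !== null);
```

The origin check is the part a personal manager already gets right; the point of the example is that it only protects the autofill path. Once the secret can be revealed, nothing stops a user pasting it into `example.com.login-verify.net`, which is why the reveal policy belongs to the organisation rather than the individual.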
Some departments will require multiple employees to share an individual account, which requires a means to facilitate the secure sharing of account credentials. Since personal password managers are designed for individual users rather than enterprises, they can lack this functionality. As a result, employees are forced to resort to highly insecure methods of sharing passwords, such as sending them in plain text across email or other communication platforms, or by writing them down. Even if the feature is present, it will still fundamentally be controlled by the user, with the business unable to monitor or restrict who the passwords are shared with.
Without full visibility over all applications in use by employees, businesses incur significant extra cyber security risks from corporate data which is processed without the knowledge or oversight of IT departments, also known as Shadow IT. With McAfee estimating that the number of Shadow IT apps is ten times greater than known cloud usage, this can vastly increase the potential attack surface of the network. IT departments cannot enforce additional security technologies and policies across apps they are unaware of, making them far more susceptible to data breaches than known IT usage.
The decentralised, siloed nature of personal password managers means they lack the centralised control, auditing and reporting functionality that organisations need, and that compliance regimes often require. Ultimately, the organisation has no way of discovering Shadow IT applications, or of monitoring and reporting on that access and on the corporate data those applications handle.
While personal password managers have benefits, these are aimed at end-users, specifically within a personal usage context. In a business setting, none of the security benefits they offer can be enforced, which significantly hampers their effectiveness, and their functional limitations actually create, rather than mitigate, cyber risk. Without centralised control, individual users own application access and corporate data, and the organisation increases its exposure to cyber risk as a consequence.
A business, or Enterprise, Password Manager is specifically designed with organisational objectives at its core, providing the benefits of a password manager within a business context. Enterprise Password Managers are designed to put the business in control of securing application access and corporate data, mitigating the risk of ex-employees retaining application access and enabling security policies to be enforced across the organisation.
An Enterprise Password Manager which enables centralised access management, does not require employees to be responsible for managing their own passwords, requires no change in user behaviour and puts the business firmly in control will ensure a high level of security and user adoption.
Find out the 10 essential features of an Enterprise Password Manager here.