Person logging into something

Organizations recognize the cybersecurity risks posed by their end-users, so they invest in security and awareness training programs to help improve security and mitigate risks. However, cybersecurity training has its limitations, especially when it comes to changing end-users' behavior around passwords.

Despite being educated on best practices, end-users prioritize convenience and efficiency over security. They’re not setting out to cause risk – they simply want to get their work done quickly without the hassle of remembering multiple complex passwords. There's a prevailing attitude of "it won't be me" when it comes to cybersecurity breaches.

While security training can help create a culture of cybersecurity awareness, it can't be relied upon to consistently change behavior.

We’ll walk through the limitations of training and suggest five ways you can bolster it with technology to enforce stronger password security.

Where training falls short

According to LastPass research, 79% of people who received cybersecurity training found it helpful. However, only 31% of those individuals reported that they had stopped reusing passwords.

This indicates that while training may provide valuable knowledge, it does not always translate into immediate behavioral changes. It’s either not sticking, or end users are disregarding what they’ve learned in favor of speed and convenience.

This behavior is often driven by wanting to minimize the hassle of remembering multiple complex passwords.

It’s understandable. After the explosion in SaaS adoption, an average organization uses over, 130 SaaS applications and the average employee must manage around 100 passwords.

Even with the best intentions, employees may still forget or neglect to follow password security guidelines. Time constraints, forgetfulness, and the lack of personalized guidance can all hinder the effectiveness of training programs.

This adds up to mean that while cybersecurity training is valuable in building awareness and knowledge about password security, it has limitations in changing risky user behavior like password reuse.

Why is password reuse so problematic?

Bitwarden research found that 84% of internet users admit to reusing passwords, which should set alarm bells ringing for IT teams. When individuals reuse work passwords on personal websites and applications, a breach outside of your organization could provide an easy pathway for attackers to infiltrate your workplace.

This undermines your organization's efforts to protect sensitive data and systems, as you can be compromised by a weak outside link.

Consider a scenario where attackers get their hands on a database of passwords from an external website or SaaS application with weak security. The passwords might be hashed, but attackers have time to try and crack them, then figure out who people are and where they work.

If victims have been reusing their work passwords, this could give attackers an easy route into their organization. 

Password reuse is a particularly difficult problem for organizations to solve through training, as they’re trying to influence outside-of-work behaviors. It’s an issue that requires help from technology.

Six ways to support training with the right technology

By combining training efforts with technology, organizations can create a more robust defense against risky password behavior. Here are six ways we’d recommend you augment your cybersecurity training efforts.

  1. Run a password audit: Auditing your Active Directory can give you a snapshot view of any password-related vulnerabilities that need addressing. This allows IT teams to proactively address any vulnerabilities and prompt users to change their passwords if necessary. Interested in auditing? Download a free, read-only tool and scan your Active Directory today.
  1. Block weak passwords: Setting up an effective password policy can block common passwords, keyboard walks, and even custom dictionaries specific to your organization's industry. By preventing the use of weak passwords, organizations can significantly reduce the risk of brute-force attacks and unauthorized access.
  1. Scan for compromised passwords: Even strong passwords can become compromised, so it’s important to scan for breached passwords as well as blocking weak ones from being created in the first place. By quickly notifying users and prompting them to change their passwords, organizations can mitigate the risk of attackers using compromised passwords to gain unauthorized access.
  1. Password managers: Password managers are tools that securely store and generate unique passwords for different accounts. By encouraging employees to use password managers, organizations can eliminate the need for individuals to remember multiple complex passwords. However, keep in mind end users will need to remember a master password that could still be at risk from password reuse.
  1. Enforce multi-factor authentication (MFA): MFA adds an extra layer of security by requiring users to provide additional verification, such as a fingerprint scan or a one-time password, in addition to their password. By implementing MFA, organizations can reduce the impact of compromised passwords, as attackers would need more than just the password to gain unauthorized access. However, MFA is not infallible and password security is still vital.

Reinforce training with powerful password security

Specops Password Policy with Breached Password Protection blocks weak passwords from being created and continuously scans your Active Directory passwords against a database of over four billion known compromised passwords. This offers a valuable safety net for mitigating risky password behavior and your end-user’s Active Directory passwords being breached.

Your end-users’ experience is also considered through customizable notifications and dynamic feedback during the password change process that guides them towards creating strong, memorable passwords.

By improving the user experience, organizations reinforce their security awareness efforts and encourage users to adopt better password practices, reducing the likelihood of password reuse.

Find out how Specops Password Policy could fit in with your organization.

Sponsored and written by Specops Software.

Related Articles:

Passwords are Costing Your Organization Money - How to Minimize Those Costs

How to Apply Zero Trust to your Active Directory

How SMBs can lower their risk of cyberattacks and data breaches

How to secure AD passwords without sacrificing end-user experience

Credentials are Still King: Leaked Credentials, Data Breaches and Dark Web Markets