Passwords have been around for a long time, but the recent acceleration of digital transformation has caused an explosion of new identities. Every new digital initiative that is rolled out leads to more complexity for cyber security professionals, and makes it all the more difficult to keep attackers out.
The increase in remote work due to the pandemic has also blurred the perimeter of the corporate network. More connections are being made with corporate networks from untrusted networks, which opens doors for potential attackers to infiltrate an organisation’s infrastructure.
The human element of password management has always been a weak point and is becoming even more important as the number of systems and applications to access increases. And there are more passwords than ever before. With more potential attack points, it becomes critical for organisations to mitigate the risk of being breached due to weak password management.
As cyber breaches continue to escalate across Asia Pacific, we’re now seeing a welcome shift in Government advice on password management to help organisations better manage their cyber defences to counter this upsurge in opportunities for hackers. Over the past three years, this advice has evolved from recommending the use of two-factor authentication (2FA) and multi-factor authentication (MFA) with strong, complex and unique passwords for every application to now recommending the use of a password manager to automatically generate passwords.
The Australian Cyber Security Centre (ACSC) has this year published advice on using password managers, as they can improve security and effectively help mitigate the human element of having to manage multiple complex passwords across different accounts. Similar advice has also been published by SingCERT, CertIndia and CERT NZ.
The vast majority of cyber breaches still occur due to weak, reused or stolen credentials. According to Verizon DBIR, “82% of breaches involved the human element. Whether it is the use of stolen credentials, phishing, misuse, or simply an error, people continue to play a very large role in incidents and breaches alike.” This fact, along with the following four key trends, is driving the shift in government advice to recommend using password managers:
Data Privacy and Data Protection Legislation
GDPR, coupled with increasing globalisation and the impact of the COVID-19 pandemic, has spurred the Asia Pacific region into action with strengthening data privacy laws. As large monetary penalties can be incurred for breaching these laws, this is driving the need for organisations to do more to stop hackers from stealing a user’s credentials.
Mandatory Data Breach Notification Legislation
The requirement to notify authorities of breaches has been introduced in many Asia Pacific countries in recent years. These laws empower individuals whose personal information has been compromised in a data breach to take appropriate action to protect themselves from identity theft and fraud. These laws also serve to enhance the accountability of organisations for keeping personal data safe and help to build trust in the handling of personal information.
Consumer & Organisational Awareness
Every data breach that’s made public increases consumers’ awareness of the impact of personal data loss. Similarly, organisations see the impact when they are affected by a loss of their customers’ personal data. This is driving organisations to elevate their cyber defences, as these losses can be incredibly damaging to their credibility and reputation.
Firming Government Advice on Cyber Fundamentals
Governments are increasingly implementing data privacy and mandatory breach legislation to ensure that organisations are accountable for loss of personal data. Many breaches that are occurring are unsophisticated, which is driving a renewed focus on cyber security fundamentals to reduce the number of these avoidable breaches.
It is well known that the requirement for complex passwords leads to password reuse and to the use of common terms that are easily guessed. According to the LastPass 2022 Psychology of Passwords findings, an alarming 62% of people surveyed always, or mostly, still use the same password or variation across multiple accounts, even though 89% know that doing this is risky. With the number of passwords increasing, this is unlikely to change significantly in the future.
An increasing focus on data privacy and protection legislation will also continue to compel organisations to look at ways of reducing the risk of breaches. The best way to reduce the risk of credential theft is to make sure criminals don’t get your password in the first place. Implementing a password manager solution that can safeguard passwords and minimise risky human behaviour goes a long way to protecting yourself and your organisation from cyber-attacks.