Accounts often use reused or weak passwords.
Analysis of a sample dataset of 300,000 accounts and the associated login methods by Push Security determined that the average employee has 15 identities.
The research found that 37 percent were not using any form of multi-factor authentication, and nine percent were using a reused, or breached password.
“This might not seem that high at face value – but it’s enough that attackers can feasibly take over accounts linked to every business app used in the organization just by abusing password vulnerabilities through attacks like credential stuffing,” said Dan Green, researcher at Push Security.
He pointed out that for a 1,000 user organization, this leaves them with 1,367 user accounts that are highly vulnerable to account takeover.
Green said that attackers are increasingly using to identity attacks - such as credential stuffing, password spraying, phishing and social engineering - the sheer volume of identity vulnerabilities (and the rate that they are introduced) means organizations need to ensure they can detect and respond to indicators of identity attacks to be able to manage the risk effectively.
Written by
Dan Raywood
Senior Editor
SC Media UK
Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.
Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.