As digital innovation accelerates, many organizations are adopting new technologies simultaneously. As a result, each new application or tool becomes a new identity silo with unique password management requirements, such as complexity and frequency of rotation.
Requiring users to authenticate repeatedly to these new systems and to maintain (not to mention remember!) numerous complex passwords creates many frustrations for help desk professionals.
They are in charge of user provisioning, manage hundreds (if not thousands) of corporate accounts, and handle the resulting, ongoing stream of password reset and account lockout requests. Let’s use some industry estimates and simple calculations to quantify the massive password problem:
- The all-in cost of a help desk call to reset a password is between $40 and $50 – we’ll use the $45 average.
- Before the pandemic made remote working commonplace, it was estimated that each user contacted the help desk to report six to ten password problems a year; we’ll use eight. A working year is usually 261 eight-hour days, or 2,088 hours, so each user reports a password problem to the help desk roughly every 261 working hours.
- Consider now that the traditional workday for many has lengthened from eight to as many as eleven hours since the spread of remote working. That means 261 11-hour working days, for a total of 2,871 hours, which is 783 hours more than the “usual”. At the same rate of one problem every 261 working hours, this works out to about 11 password-related help desk issues per person per year.
Based on this data, CyberArk estimates that a company with 1,000 employees spends $495,000 each year fixing password issues (11 help desk password requests per user x $45 per request x 1,000 users). It is well known that choosing strong passwords is difficult for users, and the passwords they pick are often too simple, common, reused or shared. Employees reuse passwords across an average of 16 corporate accounts. While relying on password managers to solve this challenge is tempting, it is not a risk-free approach. Furthermore, password managers cannot control who accesses which sensitive resources, or for how long.
Attackers know that many organizations still rely on a single verification method, such as a single set of credentials, to secure access to various systems and tools. This is particularly dangerous when combined with single sign-on, which grants broad access to many systems and applications from that one set of credentials. Cybercriminals know that stealing or compromising a corporate identity’s credentials is enough to gain a foothold and escalate privileges to high-value assets. Today, 67% of all breaches are caused by credential theft (using stolen or weak passwords) and social attacks.
However, when IT teams implement stronger authentication methods in the name of security, workers often devise clever ways to circumvent them, or avoid the company-approved systems and applications altogether, in order to stay productive. According to SysAid research, 84% of IT service management professionals believe that IT service management will continue to get more difficult over the next three years. The reason is clear: they are caught between the anvil (keeping all systems and data as secure as possible) and the hammer (keeping teams productive). A more robust approach is needed as identity-based threats continue to grow and passwords fail to serve their purpose adequately.
It’s no longer only about blocking attackers’ access, but about making it difficult for them to move around the network without setting off alarms, so that they are easier to spot and stop. Behind the scenes, controls such as session isolation and tracking, privilege elevation and delegation are built into identity and access management capabilities to increase accountability and compliance. This way, access can be monitored on an ongoing basis across data center, hybrid, multi-cloud and SaaS environments, and risk-based controls can be applied to each identity to streamline user activities.