Highest-Ranking Executives’ Passwords Increase Chances of Large-Scale Data Breach

Reading time: 1 minute 30 seconds

In a recent study, NordPass (one of the largest VPN providers) listed the 50 most common passwords used by C-level executives. “123456” and “password” were numbers 1 and 2, respectively.  While on the surface, this is amusing and garners a chuckle, in reality, it highlights two concerns that IT and, in particular, cybersecurity professionals wrestle with daily. First, C-level officers are often treated differently, especially when it comes to security. They are perceived as being above the rule (and, more often than not, get away with it). Second, it reveals there is still a gap between “mandatory” cybersecurity training and actual practice. What, then, are ways an organization’s security team can address the overarching “simple password” problem, and equally important, how does an organization close the gap between training and practice? 

Most corporate networks now enforce strict password policies, i.e., password length and complexity enforcement, and require multifactor authentication. To this end, the so-called “above the law” perception is not a direct issue because the policy is enforced at the system-level and uniformly enforced. Nonetheless, it remains an issue because the majority of attacks are indirect or pivot of the weakest link. For example, employees (regardless of corporate status) access personal websites or services where strong credentials may not be strictly enforced. Cybercriminals can exploit and pivot off these external services and gain access to the internal network. Cybersecurity practitioners should not be complacent with the “we’ve got a strong password policy” and should constantly remind their people to use strong passwords through an effective cybersecurity training program. 

The 2022 NordPass password study also points to a gap between security training and security practice. In fact, according to HornetSecurity, one-third of organizations do not have a security training program for remote workers. Even if training is available, the data suggests that security awareness training is not enough, according to a 2022 TechTarget article. To bridge the gap between cybersecurity awareness and cybersecurity practice, organizations must implement an active training program, including tools such as intentional and frequent phishing campaigns, regular password auditing, and enforcing password expiration policies. Together, these small and simple processes can help strengthen cyber muscle and bring awareness to everyone in the organization. Finally, while it might be amusing that the NordPass password study highlights C-level officers’ selection of passwords, we must remember that everyone is susceptible to poor password choices. No exceptions!

We’re here to help

If you have any questions or concerns about implementing stronger password training and policy at your company or for additional help with your cybersecurity needs, call 818-334-8626 or click here to contact us. We look forward to speaking with you soon.