False sense of cybersecurity: Latest research reveals it’s rife in Australia

How would you rate your level of online security and password protection? Research has found you’ll most likely give yourself a good rating. You’ll say it’s relatively secure, but then you’ll also admit it could be stronger, claiming you’ve been meaning to fix that; you just haven’t done it yet. And then you leave it, again. Is it apathy? Indifference? Overconfidence? Laziness? Mistaken belief? Or maybe self-deception? Either way, it’s clearly not a priority.

This is what the LastPass Psychology of Passwords Report has uncovered – an alarming disparity between people’s perceived sense of online cybersecurity and their actual behaviours, despite ongoing cybersecurity education and cyber awareness all over the news and on social media. And the problem is, with more people doing more online, cybercrime is becoming more attractive to an increasing number of malicious networks.

What is the cybersecurity landscape in Australia?

Passwords remain one of the weakest links in the cybersecurity chain, because we typically rely on faulty human logic to create and remember passwords. Those passwords are overwhelmingly weak, easily guessed, quickly cracked, and readily stolen.

A cyber-attack happens every 36 seconds. Some receive more exposure and scrutiny than others, depending on the severity of the attack, the impact on the public and the significance of the brand. Yet what is most alarming is not necessarily the cyber-attack itself; it’s the indifference, the apathy and the unresponsiveness of individuals to becoming more cyber secure.

Why do most of us continue to reuse similar passwords across multiple apps, platforms and systems when there are simple, cost-effective and secure solutions? The Federal Government, in an effort to educate industry on cybersecurity, has invested over one billion dollars in cybersecurity through the Australian Cyber Security Centre, cybersecurity education and awareness programs, and Australia’s Cyber Security Strategy (2020).

Over $1.67 billion has been invested over 10 years to achieve a more secure online world for Australians. This will be delivered through actions by governments to strengthen the protection of Australians and critical infrastructure from the most sophisticated threats; actions by businesses to secure their products and protect their customers from known cyber vulnerabilities; and actions by the community to practise secure online behaviours and make informed purchasing decisions.

Equally important, the government is driving efforts to educate the public on password behaviour and how individuals can improve security measures and mitigate risks through published advice. While this Strategy is an Australian Government initiative, state, territory, and local governments, as well as businesses, academia, international partners, and the broader community all play an essential role in strengthening Australia’s cyber security.

Schools dedicate time and resources to cybersecurity education, and corporations Australia-wide invest in extensive and regular training to support their staff and protect their firms from cyber-attack. Yet every day we continue to hear of individuals and firms being hacked, threatened, scammed and breached. And these cyber-attacks are accelerating, growing in volume, sophistication and cost, with devastating, long-term consequences.

According to IBM’s Cost of a Data Breach Report, the cost of data breaches reached an all-time high as of 2022, with a company spending an average of $4.35 million in the aftermath. Of course, many factors can contribute to the cost of a data breach, such as legal fees, cyber forensics consultations, ransom demands and new technology purchases.

But there are many intangible costs, too, like lost sales, customer churn, disruption to employee productivity, and loss of third-party partnerships. According to one study, companies that experienced a breach underperformed the market by 15% three years later. Unfortunately, data breaches are costly both in the short- and long-term.

The potential damage to reputation and operations on top of the monetary loss of data breach remediation can be crippling. Depending on the industry, customers may not be willing to give a company a second chance after a data breach, especially if the company tries to pass off the financial impact to customers through higher service fees or product prices.

After all, if cybercriminals hacked the company once, how can customers trust that hackers won’t succeed again? And for a good reason; according to one study, two-thirds of companies that experience a breach are hacked again. Data breaches erode trust and credibility, which can exacerbate the impact of an economic downturn.

The Power of Password Management

The LastPass Psychology of Passwords Report 2022 found that even with an increase in time spent online and ongoing education, there is continued poor password behaviour and cognitive dissonance. Sixty-five percent of all survey respondents were found to have some form of cybersecurity education – through school, work, social media, books or courses – yet the reality is that 62% almost always or mostly use the same password or a variation of it.

The majority (79%) found their cyber security education to be effective, whether formal or informal. But of those who received education, only 31% stopped reusing passwords, and only 25% started using a password manager. There is a clear disconnect between high confidence when it comes to password management and users’ unsafe actions.

While most professionals surveyed claimed to be confident in their current password management, this doesn’t translate to safer online behaviour and can create a detrimental false sense of safety. And age seems to make no difference to these findings.

Not surprisingly, Gen Z is confident when it comes to their password management, while also being the biggest offenders of poor password hygiene. As the generation who has lived most of their lives online, Gen Z (1997 – 2012) believes their password methods are “very safe.”

While Gen Z are the most likely of any generation to create stronger passwords for social media and entertainment accounts, and are also more likely to recognise that using similar passwords for multiple logins is a risk, they still use a variation of a single password 69% of the time. Millennials (1981 – 1996) do so 66% of the time.

On the other hand, Gen Z is the generation most likely (51%) to use memorisation to keep track of their passwords, with Boomers (1946 – 1964) the least likely to memorise their passwords at 38%. Regardless of how passwords are recalled, anyone, whatever their age or job function, can become a victim of a cybersecurity attack. This susceptibility increases with age, as hackers target those above 65, who fall for phishing and money scams more easily.

While 89% of respondents acknowledged that using the same password or variation is a risk, only 12% use different passwords for different accounts, and 62% always or mostly use the same password or a variation. To add to that, compared to last year, people are now increasingly using variations of the same password, with 41% in 2022 vs. 36% in 2021.

The question asked by most people is, how are you supposed to remember strong, unique passwords for every account? The answer is you can’t, but a password manager can.

It does all the heavy lifting (and the remembering) for you. It’s a tool that creates, remembers and fills in your passwords for you, securely. A password manager is critical to protecting yourself from credential-phishing attacks because it helps users create and maintain long, complex passwords. Most password managers also auto-fill your credentials only for the specific URL they were saved against, so they are not submitted to a phishing URL.

A password manager application can also help you identify websites with malicious intent by displaying an icon in the browser bar to indicate that it’s a known site. The app will not display the icon if the site’s address differs from the saved one, as it does on a misspelled lookalike domain used in a phishing attack. It’s vital to remember that cybercriminals exploit any weakness in a firm’s digital armour to get valuable information, and one of the most common ways they gain access is poor password management.
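The origin-bound autofill check described above, as an added example that is not LastPass code: the vault entries and site names are constructed, and the policy shown (fill only on an exact HTTPS origin match) is one common way a manager decides whether a page is the "known site" a login was saved on.

```javascript
// Added example (not LastPass code): decide whether a saved login may be
// auto-filled on the current page. Each vault entry remembers the exact
// origin (scheme + host + port) it was created on, so a phishing page that
// merely looks like the real site never receives the credentials.

// Constructed vault entries for this example; secrets are placeholders.
const VAULT = [
  { origin: "https://www.example-bank.com", user: "alice", pass: "<secret>" },
  { origin: "https://mail.example.org", user: "alice@example.org", pass: "<secret>" },
];

// Reduce a page URL to its origin, or null if it is unparseable or not HTTPS.
// URL.origin lower-cases the host, drops default ports and converts
// internationalised lookalike hosts to their punycode form.
function originOf(rawUrl) {
  let u;
  try {
    u = new URL(rawUrl);
  } catch {
    return null; // not a valid absolute URL: nothing to match against
  }
  if (u.protocol !== "https:") return null; // never fill over plain HTTP
  return u.origin;
}

// Exact-origin policy: only entries whose saved origin equals the page origin.
// "www.example-bank.com.evil.test" and "www.example-bank.com@evil.test"
// both resolve to a different origin and therefore get nothing.
function credentialsFor(pageUrl, vault = VAULT) {
  const origin = originOf(pageUrl);
  if (origin === null) return [];
  return vault.filter((entry) => entry.origin === origin);
}

// Drives both the "known site" indicator and the autofill decision.
function shouldAutofill(pageUrl, vault = VAULT) {
  return credentialsFor(pageUrl, vault).length > 0;
}
```

A real manager may relax the exact match to the registrable domain so that login.example-bank.com can use the www.example-bank.com entry; the lookalike and userinfo cases above still fail under that relaxation because their registrable domain is evil.test.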

According to Verizon’s 2022 Data Breach Investigations Report, the majority of data breaches (82%) involve a human element, such as phishing, stolen credentials or human error. So, for businesses, password managers are essential to an effective cybersecurity program and should form the backbone of your IT strategy for preventing data breaches.

What can you do to combat this?

Businesses need to implement a layered cybersecurity strategy to reduce the risk. That means doing the basics well, cultivating a culture of cyber resilience at all levels of the organisation, and removing human error from the cybersecurity equation wherever possible.

Given the high incidence of password misuse in causing data breaches, companies need to invest in smart password solutions that automate tasks and provide control at the organisational level. Building a strong cybersecurity foundation with a password manager becomes even more critical in tough economic times when the stakes are higher.

A business password manager removes the pain of passwords and gives employees convenient access to their digital tools. As a result, it saves employees time by eliminating forgotten passwords and account lockouts, generating and capturing hacker-proof passwords, and building strong password security into everyday workflows.

Password managers lower IT costs by standardising security policies across the firm and reducing password-related help desk tickets. Lastly, they streamline organisational processes by automating onboarding and offboarding tasks and facilitating shared access to team resources without putting the firm at risk. For individuals, here are some things to consider:

  • Be suspicious of spontaneous and unexpected messages. If you receive a message that you were not expecting, even if it looks legitimate at first glance, be wary: any user or message you are not familiar with could be a scammer.
  • Don’t assume your most commonly used apps are safe. Hackers know you’re more likely to be vigilant about phishing emails, which is why they’re increasingly trying to reach you via other apps and sites that you know and trust.
  • Never assume your business communications are safe. If you receive an email from a co-worker that doesn’t seem right, listen to your instincts. Reach out to that co-worker using another method of communication to confirm whether they sent you that message.
  • Be secretive and restrictive about what personal information you choose to share online. Not only will scammers exploit comments you have made on memes and social media to use your personal information to steal your identity or break into one of your accounts later on, but they will also scrape your public social media posts for morsels of information that they can use to gain your trust in a future phishing, smishing or vishing attack.
  • Using multi-factor authentication (MFA) can also give you an added layer of protection that comes in especially handy if you’ve experienced a social engineering attack. Even if a hacker already has your password, they won’t be able to get into your account unless they are also able to provide another form of authentication that you’ve already picked out in advance, like a passcode from an authenticator app.

Economic downturns can be scary, but so are data breaches. For businesses to survive bad economic times, leaders must focus on essentials and ruthlessly prioritise. When it comes to cybersecurity, prioritising solutions for the most likely avenue of attack – via password mistakes – will help strengthen your security protocols and reduce overall risk.

With a password manager, you can ensure that every employee follows password security best practices and that every access point is protected. As a result, employees can stay focused on value-add tasks as the company navigates these challenging times.

Matthew McWhirter is the Senior Director for Asia Pacific and Japan at LastPass.