Only 48 percent of organizations paying any attention at all

In a related note, this story about a Quest-sponsored Aberdeen study indicates that 52 percent of organizations do not require strong authentication to access sensitive data:

Quest Software, Inc. underwrote an Aberdeen Group benchmark study, “Strong User Authentication,” which shows that 52 percent of organizations require only passwords for employees to access critical data, rather than augmenting passwords with stronger forms of authentication such as hardware tokens, digital certificates or risk-based scoring. Nearly 150 organizations from a diverse set of global industries were polled for the study.

Other key findings of the Aberdeen benchmark study include:

  • 88 percent of enterprise users have multiple work-related passwords, averaging between five and six
  • 64 percent of organizations do not even require users to change their passwords
  • 45 percent of organizations allow standard dictionary terms (like “password”)
  • 29 percent of organizations have no requirements for password length

None of these stats surprise me.

Jackson Shaw of Quest is quoted in the article as well:

“With the recent, well-publicized incidents of network and identity theft, companies need to put security first and require more than just passwords for user authentication,” said Jackson Shaw, senior director, product management, Quest Software. “Helping our customers increase security and mitigate the risk associated with compromised confidential information has become a top priority at Quest. As a result, Quest offers solutions for two-factor authentication as well as single sign-on, provisioning, password management, role management, auditing and compliance reporting.”

I’m not sure what Quest product Jackson is referring to as far as provisioning. Perhaps he is referring to strong authentication credential provisioning. Aside from that, it’s a very interesting article.


6 responses to “Only 48 percent of organizations paying any attention at all”

  1. So?

    Perhaps a good conclusion is that about 52% have done a risk assessment and found that what they have at risk doesn’t warrant “strong authentication” (whatever that means). You don’t do “strong authentication” just because you found some (probably false) gospel says you should.

  2. The high-description is about access to “critical data”. I don’t know the survey methodology, so it’s hard to know how “critical” was defined to the correspondents.

    That said it is possible that some percentage of the 52 percent are following a well thought out security strategy. One could say:

    52 – x = y

    Where x is the percent of organizations that did a well thought out analysis and determined that access to their “critical” data did not warrant strong authentication. Thus y is the percent of organizations pursuing a very risky security strategy.

    So is x closer to 52 or 0?

    From my experience, x is a lot closer to 0 than 52.

  3. I think that Jackson is referring to Active Roles Server for provisioning.

  4. Correct, ActiveRoles Server!

    I also agree that 52 is a LOT closer to 0. Shame, isn’t it?

  5. Hi Jeff,
    Just wanted to let you know that Quest launched Quest One Identity Solution this morning.

    I work with Jackson at Quest and saw your post last week about the Aberdeen study. Just thought I would pass this along.


  6. Pingback: New identity management offering from Quest « Identity Blogger
