Network Users Don’t Change Passwords After Breach, Study Shows

A troubling lack of change even after data-breaches


After a data breach, companies typically make changes to their security infrastructure: calls for increased cybersecurity, expanded budgets for defense strategies, and awareness campaigns are all part of that. But here is the scary part: even after a data breach, many users still don't change their logins or adjust their strategies for dealing with future cybersecurity attacks.

It seems unlikely, but it happens. Researchers at Carnegie Mellon University's Security and Privacy Institute published a study finding that after a data breach, only one third of staff changed their logins. This, they said, was based on observed browser traffic, not on survey data.

The information was gathered by examining real-world traffic behavior provided by the Security Behavior Observatory (SBO). According to the researchers, traffic from over 200 sources was examined, starting in 2017 and ending in December 2018. According to the report, both web traffic and the logins used were recorded.

Breaking the statistic down further: of the 249 systems studied, 63 were tied to domains that had announced a security intrusion. As far as modifying passwords post-breach, the numbers don't look good.

21 of the 64 domains (or 33 percent, as the study reports) planned to change passwords after the breach, but only 15 of them had actually changed logins three months after the fact. Yahoo was one of the most affected domains.

Lethargic changes

Of course, changing the login was only half the battle. The SBO also examined password complexity for those that did change. Of the 21 that did indeed change their login, only 9 adjusted it to something genuinely different or more complex.

The rest used passwords similar to their previous ones, or altered only some parts of their old logins. It's easy to see why this is a long-term problem.

Malicious third parties sniff out passwords similar to leaked ones, especially those that differ by only a few characters, so a minor variation on a breached password offers little protection. Yet, as the numbers show, few meaningful password changes occurred. The glaring problem here is, overall, a lethargic approach to cybersecurity at its most basic juncture.
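The "minor variation" failure mode described above is something a password-change handler can catch on the defender's side, because the user supplies the old password at change time. The following is an added example, not code from the study or from Bytagig; the `normalize` rules, the `LEET_MAP` substitutions and the 0.3 edit-ratio threshold are assumptions chosen for illustration.

```python
import re
import unicodedata

# Cosmetic substitutions people commonly apply when forced to rotate a
# password (assumed list for this example, not taken from the study).
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(password: str) -> str:
    """Collapse the tweaks that turn 'Summer2017!' into 'Summer2018!':
    case, leading/trailing digit-or-symbol padding, and leetspeak."""
    p = unicodedata.normalize("NFKC", password).lower()
    p = re.sub(r"[^a-z]+$", "", p)   # drop trailing year/counter/symbol
    p = re.sub(r"^[^a-z]+", "", p)   # drop leading symbol padding
    return p.translate(LEET_MAP)     # p@ssw0rd -> password


def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def check_rotation(old: str, new: str, min_edit_ratio: float = 0.3):
    """Return (accepted, reason). Rejects a new password that is only a
    minor variation of the old one. The 0.3 threshold is an assumption."""
    if new == old:
        return False, "unchanged"
    a = normalize(old) or old.lower()   # all-digit passwords normalize to ""
    b = normalize(new) or new.lower()
    if a == b:
        return False, "only case, leetspeak or a digit/symbol suffix changed"
    if a in b or b in a:
        return False, "old password is contained in the new one (or vice versa)"
    ratio = levenshtein(a, b) / max(len(a), len(b))
    if ratio < min_edit_ratio:
        return False, f"too close to the old password (edit ratio {ratio:.2f})"
    return True, "ok"
```

A real deployment would run this alongside a breached-password list check, since a brand-new password that already appears in a public dump is no better than a tweaked one.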

Why is it happening

It's harrowing to deal with a cybersecurity breach. Stolen information leads to brand damage and thousands in costs. Naturally, doing everything you can to prevent another catastrophe like a breach from happening is the next step, right? Yet, based on the study above, we can see how little change occurs on some of the core points of security.

So, why is it happening? Why are businesses and workforces taking this lethargic approach to cybersecurity?

It comes down, ultimately, to education and understanding (or the lack thereof). Keeping staff informed of cybersecurity threats and how they work is a key foundation for rebuilding weak cybersecurity philosophies. For instance, logins are often the first line of defense between attackers and a network, and should therefore be taken very seriously.

Likely, it's because companies are not emphasizing the dangers of weak passwords and the need to change them as soon as possible in the face of an attack or after a breach.

What can be done

Building a secure, layered network takes time, but educating everyone is one of the best things you can do. Even if a company spends thousands on cybersecurity, that spending can't help if human error creates the problem.

Educate yourself and keep staff informed on cybersecurity strategies and login policies, such as:

  • Setting up two-factor authentication on all related business devices
  • Educating on adjusting risk-behaviors such as using unsafe password patterns
  • Keeping aware of modern phishing emails and scams along with the latest ransomware threats
  • Teaching staff how to identify and be aware of malicious threats and messages

Still having trouble? Need assistance with cybersecurity training and education? You can contact Bytagig today for potential solutions.
