Credential security often emphasizes preventing breaches, a logical focus given IBM’s report indicating that the average data breach costs $4.4 million. While avoiding a significant breach is crucial, the persistent issues caused by repeated credential incidents often go unnoticed. These incidents manifest as frequent helpdesk tickets, disrupted workflows, and a diversion of resources from more strategic tasks. Although each incident might seem minor, collectively, they impose a continuous strain on IT departments and the organization as a whole.
Understanding the Costs of Repeated Credential Incidents
When organizations face recurring credential-related issues, tightening password policies appears to be a straightforward solution. However, many businesses struggle to balance security with usability, and helpdesks receive a high volume of calls as a result. Forrester Research estimates that password resets constitute up to 30% of helpdesk tickets, each costing approximately $70, factoring in staff time and productivity loss. This represents a substantial operational expense for mid-sized organizations, directly linked to credential incidents.
Such disruptions accumulate, leading IT teams to spend a significant portion of their time resolving immediate issues rather than addressing root causes. Consequently, organizations incur costs that are often overlooked but are challenging to eliminate.
Impact of Inadequate Password Policies
Users often encounter unclear error messages like “does not meet complexity requirements,” leaving them confused about what changes are needed. This confusion leads users to reuse old passwords with slight modifications or to store them insecurely. While not intentional, these practices increase the likelihood of repeated incidents, from lockouts to account breaches.
Organizations often lack breached password screening, relying instead on time-based resets. However, a password’s risk level is not determined by its age but by its exposure. Even with frequent resets, users can continue using compromised credentials, leaving vulnerabilities unaddressed. Without visibility into exposed credentials, organizations manage symptoms rather than the root causes, perpetuating the cycle of incidents.
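The following sketch is an added example, not code from the article or from any vendor it mentions. It contrasts age-based expiry with exposure-based screening and returns specific rejection reasons instead of a generic complexity error. The breached-hash set, the accounts, the 12-character minimum and all function names are constructed assumptions.

```python
import hashlib

# Constructed sample: SHA-1 digests standing in for a breached-password corpus.
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest()
                 for p in ("Summer2024!", "P@ssw0rd1", "Welcome123")}
MIN_LENGTH = 12    # assumed policy value
MAX_AGE_DAYS = 90  # the fixed expiry the article argues against

def is_exposed(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest() in BREACHED_SHA1

def evaluate_candidate(password, username):
    """Return specific rejection reasons; an empty list means accepted."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"Use at least {MIN_LENGTH} characters (you entered {len(password)}).")
    if username.lower() in password.lower():
        reasons.append("Do not include your username in the password.")
    if is_exposed(password):
        reasons.append("This password appears in known breach data; choose another.")
    return reasons

def compare_policies(accounts):
    """Return (users flagged by age-based expiry, users flagged by exposure)."""
    by_age = {u for u, _, age in accounts if age > MAX_AGE_DAYS}
    by_exposure = {u for u, pw, _ in accounts if is_exposed(pw)}
    return by_age, by_exposure

# Constructed accounts: (user, password, days since last change). Plaintext is
# held here only to keep the sketch short; a real check runs at change time or
# compares stored hashes.
ACCOUNTS = [
    ("alice", "Summer2024!", 10),
    ("bob", "correct-horse-battery-staple-42", 400),
    ("carol", "P@ssw0rd1", 120),
]

if __name__ == "__main__":
    by_age, by_exposure = compare_policies(ACCOUNTS)
    print("age-based reset:     ", sorted(by_age))
    print("exposure-based reset:", sorted(by_exposure))
    for reason in evaluate_candidate("Summer2024!", "alice"):
        print("-", reason)
```

The age-based rule forces a reset on bob's long, unexposed passphrase and misses alice's ten-day-old password that is already in the breach set.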
Implementing Strong Password Policies
Historically, frequent password resets were seen as a fundamental security measure. However, this practice often creates more problems than it solves. Mandatory changes every 60 or 90 days lead to predictable behaviors, with users making minor adjustments to existing passwords or choosing easily memorable ones under time constraints. The result is weaker, not stronger, credentials.
These fixed expiration schedules introduce regular disruptions, resulting in potential lockouts and additional helpdesk tickets, draining resources without enhancing security. Recent guidelines from bodies like NIST advocate for password changes only when there is evidence of a breach, prompting a reevaluation of arbitrary expiration dates.
Robust password policies are essential for maintaining identity security. While moving towards passwordless authentication is a trend, passwords still form the backbone of identity security. Weak foundations can compromise entire systems. By enforcing stringent, user-friendly requirements and identifying exposed credentials early, organizations can reduce weak entry points, which is crucial as they evolve their authentication strategies.
Tools like Specops Password Policy offer solutions by continuously scanning user accounts against databases of over 5.8 billion compromised passwords. Alerts prompt users to reset exposed credentials, reducing opportunities for attackers.
Reducing the Cost of Credential Incidents
Effective password controls can mitigate risks, but the real operational benefit lies in reducing the time and resources spent on resolving frequent incidents. By minimizing lockouts, reset requests, and time spent dealing with compromised credentials, organizations can lessen daily disruptions for IT teams and end users.
If your organization faces frequent credential incidents, it might be time to reassess your current strategies. Specops offers solutions to enhance identity security, and you can book a demo to see these tools in action.
