When you think about the cyber threats facing your organization, what probably comes to mind is ransomware, a DDoS attack or some other attack orchestrated by a malicious third party. But bad actors aren't the only security adversary modern enterprises must grapple with; increasingly, companies are also struggling with vulnerabilities unintentionally introduced by their own employees.
For example, 56% of insider threat security incidents over the past 12 months were caused by negligent employees. There are numerous ways in which staff can unintentionally contribute to security woes, with a prime example being poor password practices. Because compromised credentials are one of the most common ways in which bad actors infiltrate corporate networks, employees' password mistakes can easily cause significant security incidents.
Drilling into the password problem
There are numerous facets to the password problem, but the following are a few common issues:
- Password reuse: Most employees know better than to reuse the same password across work and personal sites in principle, but generally fail to adhere to this guidance in practice.
- Credential sharing: Password sharing is another prevalent issue, particularly in high-stakes industries. For example, 74% of healthcare respondents admitted to obtaining a colleague's credentials to log into a work system. When coupled with password reuse, the threat of shared credentials is substantial. Seventy-nine percent of consumers share passwords with someone outside of their home; if just one site associated with those credentials is breached, it's easy to picture how the exposure could snowball across every work and personal account that uses the same password.
- Security vs. user friction: Historically, companies' approach to password security often pitted them against employees, because the measures were perceived as overly burdensome and as significant productivity inhibitors. Think about things like mandatory periodic password resets or composition rules requiring numbers or special characters. Such rules pushed users toward predictable patterns (appending a digit, rotating "Summer" to "Autumn") rather than genuinely stronger passwords, which is one of the reasons why the National Institute of Standards and Technology, or NIST, no longer recommends them or similar legacy requirements in its Digital Identity Guidelines (SP 800-63B).
Mitigating the insider threat with modern technology
As long as passwords remain an authentication mechanism, employees will likely continue reusing them across various sites and accounts. We can also expect that credential sharing will remain a common practice, whether born out of employees' need for efficiency or simply a burning desire to stream their favorite Netflix episode.
Rather than wasting time and resources trying to prevent this behavior, companies should follow the updated NIST guidance and focus instead on whether a password has already been exposed: SP 800-63B calls for checking candidate passwords against lists of values known to be commonly used, expected or compromised. Because new breach data surfaces continuously, a static blocklist goes stale almost as soon as it is compiled; the check has to be repeated against a corpus that keeps growing.
A premier approach to credential screening
Organizations need a dynamic process for continuously screening passwords and usernames against the latest threat intelligence. Enzoic's proprietary credential screening solution provides this assurance, screening passwords both at their creation and on an ongoing basis against our database containing multiple billions of exposed credentials harvested from breaches and cracking dictionaries. In addition, the solution enables companies to automate the response when a compromise is detected, for example forcing a reset or requiring step-up authentication rather than opening a help desk ticket. This decreases help desk costs and increases both IT and employee productivity while strengthening authentication security.
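To make the screening flow described in the two sections above concrete, here is an added illustration that is not Enzoic's product code or API and does not reproduce its database. It assumes a constructed, in-memory breach corpus of SHA-1 digests standing in for a billion-entry service, and uses the k-anonymity range-query pattern (the client sends only the first five hex characters of its hash and compares the returned suffixes locally, so neither the password nor its full hash leaves the client). The policy strings and function names are illustrative.

```python
"""Illustrative compromised-credential screening with a k-anonymity range lookup.

Added example for this page. The corpus, API shape and policy strings are
constructed here; they are NOT Enzoic's product or API.
"""
import hashlib

# Constructed breach corpus: SHA-1 digests (upper-case hex) of passwords seen in
# public dumps and cracking dictionaries. A real corpus holds billions of entries,
# so every 5-hex-char bucket is populated and the server learns little from a
# prefix query; with this toy set most buckets are empty.
COMPROMISED_PLAINTEXTS = ["password", "123456", "Password1", "qwerty", "Summer2023!", "letmein"]
BREACH_CORPUS = {hashlib.sha1(p.encode("utf-8")).hexdigest().upper() for p in COMPROMISED_PLAINTEXTS}

PREFIX_LEN = 5  # hex characters revealed to the lookup service


def sha1_hex(password: str) -> str:
    # SHA-1 is used only as a lookup key against the breach corpus. It is never
    # appropriate for *storing* passwords; use argon2id, scrypt or bcrypt for that.
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def range_lookup(prefix: str, corpus=BREACH_CORPUS) -> set:
    """Server side of the k-anonymity query: given a PREFIX_LEN-char prefix,
    return the suffixes of every corpus entry that starts with it."""
    if len(prefix) != PREFIX_LEN:
        raise ValueError("prefix must be exactly %d hex characters" % PREFIX_LEN)
    return {h[PREFIX_LEN:] for h in corpus if h.startswith(prefix)}


def is_compromised(password: str, corpus=BREACH_CORPUS) -> bool:
    """Client side: hash locally, query by prefix, match the suffix locally.
    The password and its full hash never leave this function."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    return suffix in range_lookup(prefix, corpus)


def screen_at_creation(password: str, corpus=BREACH_CORPUS) -> str:
    """Screening at password creation. Following SP 800-63B there are no
    composition rules, only a minimum length and a compromised-value check."""
    if len(password) < 8:
        return "reject: shorter than 8 characters"
    if is_compromised(password, corpus):
        return "reject: found in breach corpus"
    return "accept"


def on_login(password: str, corpus=BREACH_CORPUS) -> str:
    """Ongoing screening. The plaintext is available at authentication time, so
    it is re-checked against the *current* corpus; a hit triggers an automated
    response instead of a help desk ticket."""
    if is_compromised(password, corpus):
        return "force_reset"  # illustrative automated response (or step-up auth)
    return "allow"


if __name__ == "__main__":
    print(screen_at_creation("Summer2023!"))            # rejected: already exposed
    print(screen_at_creation("plover-quartz-lamp-49"))  # accepted today
    # Months later a new dump surfaces that contains the accepted password.
    updated_corpus = BREACH_CORPUS | {sha1_hex("plover-quartz-lamp-49")}
    print(on_login("plover-quartz-lamp-49", updated_corpus))  # now force_reset
```

The `__main__` section shows why a one-time check against a static list is insufficient: the password passes at creation, a later breach adds it to the corpus, and the next login catches it. In production the range lookup would be an HTTPS call to the screening service and the response to a hit would be wired into the identity provider's reset or MFA step-up flow.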
Closing the divide between security and user friction
With a modern credential screening solution, the perennial gap between employees and IT is finally bridged. Because friction is introduced into the log-in experience only if a password is determined to be unsafe, employees are generally unaware that the credential check is even happening.
The old saying "You can't teach an old dog new tricks" is certainly relevant when it comes to employee password behavior. Rather than allocating time and resources to the dubious task of trying to instill better password practices in their user base, companies should instead invest in credential screening. This approach removes compromised credentials from the list of potential insider threats, while also driving productivity gains for IT and the business alike.