In today’s digital-first world, the risk of data breaches continues to rise. In 2021 there were 5,258 reported breaches, of which 61% were password- and credential-related, and the average cost of a data breach was US$ 4.2 million.
Companies have implemented single sign-on (SSO) to help protect their organizations from breaches, but what about all of the other passwords that are not connected to SSO – for legacy applications, unauthorized applications, network systems and encrypted documents?
System administrators are trying to address the security of these passwords by putting strong password policies in place, requiring employees to ensure every password is strong and distinct and to change their passwords every couple of weeks. However, these policies are practically impossible to enforce and police without tools to help. Employees respond by creating weak, memorable passwords (which are consequently easy to crack), or by writing more complex passwords on sticky notes and in plain text files. Many also reuse the same password across multiple accounts and have no secure way of sharing passwords with other team members. All these actions compromise data and put businesses at huge risk.
NIST (the National Institute of Standards and Technology) recommends that employees use encrypted storage to secure their passwords and other sensitive information. Although some businesses are considering implementing password management solutions, many simply don’t want to use a password manager.
So, despite their ability to generate strong and unique passwords, autofill passwords and credentials, store passwords and files, and audit password security, why are only 30% of businesses using a password manager?
One of the main reasons relates to data security and compliance: businesses simply don’t want their passwords and other sensitive data stored outside their organization, on the solution provider’s cloud, which is the approach taken by many of the password managers on the market. This raises security issues and concerns about ongoing compliance with data protection laws such as GDPR and CCPA. Managing and maintaining data compliance is already a huge burden on businesses, so it’s no wonder they want to avoid the additional complexity of storing data outside the boundaries of their own IT infrastructure.
However, not all password managers require data to be stored on the service provider’s cloud. There are a number of feature-rich products available on the market, including online, self-hosted and offline solutions. One of the key differences between the three categories of password managers is their approach to data storage, which addresses the different needs of businesses when it comes to where their data is stored.
- Online password managers: The majority of password managers on the market today sit in this category. Sometimes referred to as vendor-hosted solutions, online password managers store all of the company’s passwords and other sensitive data in the service provider’s cloud.
- Self-hosted password managers: As the name suggests, this approach addresses compliance concerns by enabling businesses to keep their data within the trusted boundaries of their own IT infrastructure. However, some businesses don’t want a self-hosted solution, or the ongoing burden and overheads associated with maintenance and patching.
- Offline password managers: This approach lets businesses keep their passwords and other sensitive data and files within their own IT infrastructure, with no need to self-host additional servers. Sometimes referred to as local password managers, they give businesses the freedom to choose where they store their data – on employee devices, or in their existing business cloud – which means it stays compliant with existing data policies.
The need for businesses to deploy a password management solution is clear, and such a solution should be an integral component of every business’s security stack. Some businesses may not be quick to adopt one, and the reasons are practical – it boils down to where their data is stored and to data compliance concerns.
For highly regulated businesses that are concerned about security and compliance – including service providers managing passwords and other sensitive client data, government agencies, and companies in finance, pharmaceuticals and telecom – an offline password manager may be the way forward.
If you want the peace of mind of ensuring all your data stays within your organization, check out Enpass Business, the offline password manager designed specifically for businesses that want to keep control of their sensitive information and where it is stored.