Cost of Passwords: Resets, Breaches, and More
Organizations are spending more than ever to protect themselves from cybercriminals. A recent Deloitte study found that companies spend roughly $2,700 on each full-time employee for security each year. For companies with large workforces, that can add up to millions. But all the spending in the world won’t matter if your authentication processes still rely on passwords and the weak security they provide.
Passwords are a massive security issue for organizations. Verizon’s 2021 DBIR found that hacked and stolen passwords cause 89% of web application breaches, and these attacks can take months and millions of dollars to recover from.
To illustrate the costs of continuing to rely on the password, we’ve picked out a few statistics showing that passwords aren’t only insecure but are also costing your organization a lot of money.
The monetary cost of a breach
IBM’s Cost of a Data Breach 2021 report found that the average cost of a data breach for an organization was $4.24 million. Here’s the breakdown of the average cost for different types of attacks:
- Phishing: $4.65 million
- Malicious insiders: $4.61 million
- Social engineering: $4.47 million
- Compromised credentials: $4.37 million
It’s important to note that passwords play a critical role in all of these attacks. Phishing attacks are usually targeted at getting users to unwittingly give away passwords, social engineering uses fake authority figures to trick people into giving away passwords to “verify” accounts, and insider attacks often rely on passwords not being updated and changed after employee turnover. The password remains the target for all of these attacks.
Remote work has made data breaches more costly. For organizations that have 81-100% of their workforce remote, the average cost of a breach was $5.54 million. Companies with less than 10% of employees working from home had data breaches that cost an average of $3.56 million, which is still a significant amount of money but dramatically less than the cost to heavily remote organizations.
The costs are often much higher for companies with remote employees because those employees access resources from many different devices whose risk and security posture the company has no way of assessing. A user can enter a username and password on any malware-infested device to access sensitive data, and an attacker then has a way into the network.
It also often takes longer to discover breaches when the workforce is remote, allowing malicious attackers to wreak havoc and drive up the cost of recovery. Companies with more than 50% of employees working remotely took 316 days to identify and contain breaches, while organizations with more in-office employees took only 258 days.
Breaches caused by compromised credentials took the longest to identify and contain. On average, the password-related attacks IBM studied took 250 days to identify and another 90 days to contain, totalling 341 days. An attack on New Year’s Day wouldn’t be detected until sometime around Labor Day and likely wouldn’t be resolved until early December. That’s nearly an entire year, and attackers can do a lot of damage in that time.
It takes only one password compromised in a phishing attack, or one successful credential stuffing attack, to cause all these financial and productivity losses.
Password resets = lost productivity
While the previous study looked at passwords and the costs associated with password-related attacks, Forrester looked at the cost of passwords from a productivity perspective.
Passwords suck up our time in one of two ways: recalling and entering them, or resetting them. Forrester’s researchers found that employees spend an average of 11 hours per year performing these two tasks. An organization of 15,000 employees would pay $5.2 million in wages just for employees to enter or reset their passwords!
Those employees aren’t the only payroll costs associated with lost or forgotten passwords, however. Forrester also estimated that large organizations were spending an average of $1 million a year in help desk costs to assist employees with password-related issues.
Password issues hit eCommerce especially hard
For eCommerce websites, getting people to add items to their cart and successfully check out is the top priority. If customers encounter friction while shopping or checking out, it can easily lead them to abandon their carts. And passwords are often a big source of friction for customers.
Our research found that a quarter of those surveyed were willing to abandon a high-value cart ($100+) if a password reset was necessary. Password issues during the checkout process are disastrous.
We also found that one out of every eight shoppers will abandon their carts if you ask them to create an account before checking out. This is most likely due to the friction of having to create yet another username and password. In fact, we found that 84% of users are tired of remembering so many passwords.
It’s already difficult enough to make a sale. The friction of passwords is making it even harder – and costing companies potential revenue.
Passwordless authentication pays for itself
Eliminating passwords doesn’t just make good security sense – it makes equally good fiscal sense. Password-based attacks are often only discovered after the attacker has had months to scour your servers for high-value targets. Who knows what they might be able to find with that amount of time?
Secure Customers brings the convenience and security of passwordless authentication to your customers. Beyond Identity’s platform offers an easy way for organizations to ditch passwords for good. Our product secures your customers with immutable credentials backed by private keys that never leave the device.
Every time a customer logs in, you know they are who they say they are, and the device they’re using is a known device to your network. Secure Work does the same thing for your workforce with passwordless multi-factor authentication (MFA) where only secure, phishing-resistant factors are used. Our product integrates with popular single sign-on solutions and removes passwords from the authentication process entirely, along with all the costs associated with them.
We’d love to show you how passwordless MFA can secure your network, streamline authentication, and save you money. Ask for a demo today.