New Data Shows Traditional Approaches to Credential Security Fail the Modern Workforce

Traditional security strategies, built around protecting a well-defined network perimeter and utilizing security training as a core means of defense, are failing in the modern workplace.

To understand firsthand why this is happening, we surveyed 1,000 U.S.-based employed adults and 500 U.S.-based IT leaders. Let’s dive into some of the insights about traditional approaches to credential security.

Remote and hybrid work continue to reshape the cybersecurity landscape, introducing new risks as employees blur the lines between personal and work devices. The expanded attack surface—driven by weak password practices and unsecured home networks—has created a perfect storm for cybercriminals. 

Employees often connect to enterprise systems from unsecured Wi-Fi networks. Many of these networks lack proper security measures like updated routers, VPNs, or strong passwords. With no clear perimeter to defend, organizations now face a significantly more complex challenge in protecting themselves.

The added security that some organizations have implemented is also getting in the way of productivity.

Security awareness and training programs are common tools for mitigating human risk, including phishing, and enterprise companies invest a lot of time and money into them—but employees do not see the same value in these training sessions.  

A company with 1,000 employees could spend $12,000 to $24,000 annually for basic online training. Larger enterprises (10,000+ employees) could see costs in the hundreds of thousands or even millions annually, especially if using in-depth training, phishing simulations, and compliance-focused education. 

But our survey found that many employees would take extreme measures to avoid mandatory security training:

IT leaders agree: 51% think employees at their organization see security training as a burden. This alignment is a clear sign that security training is not achieving the desired outcomes in protecting organizations from human vulnerabilities. 

Employees’ poor password hygiene amplifies the risks. Nearly all IT leaders (96%) report having to deal with credential-related issues. The three most common issues are:

These poor habits lead to tangible losses. IT leaders say their organizations suffered intellectual property theft due to weak or compromised passwords (37%), while compromised accounts have resulted in stolen money (19%).

Password-related issues not only expose organizations to security breaches but also lead to significant operational costs. Forrester Research estimates that each password reset costs around $70, factoring in IT staff time and productivity losses.

Additionally, up to 40% of help desk calls are related to password issues, which creates a substantial support burden. Employees also spend an average of 11 hours annually on password resets, further impacting their productivity.

As a result, organizations spend an estimated average of $5.2 million annually on password-related support and infrastructure.

Clearly, traditional strategies for business security, including those specific to credentials, just aren’t working.

Coming soon in the next installment in this blog series, learn about the impact of shadow IT and credential security challenges on already overwhelmed IT teams.