"There's an app for that" has become reality rather than just a catchy marketing phrase. According to a compilation of mobile app statistics, the average person now has more than 80 apps installed on their phone. That same person interacts with an average of nine of those apps every day, and thirty over the course of a month.
Thanks to an insatiable appetite for data and visibility into consumer habits, most of those apps probably require an account. Whether it's tied to a social media account or stand-alone, most apps encourage registration in order to access the most useful or interesting capabilities - like sharing what level of Candy Crush you're stuck on today.
Those apps no doubt include social media. According to even more data (probably mined from the apps themselves), we had an average of 8.5 social media accounts in 2018. That's nearly double the 4.8 average seen in 2014.
Now here's where it gets interesting. The average number of email accounts per internet user was either 1.8 or 2.5 in 2018, depending on whether you cite data from Radicati or DMA, respectively. In either case, the number of email addresses per user is significantly lower than the number of social media accounts and apps used on a daily/monthly basis.
Which makes sense. Typically, we don't maintain a one-to-one relationship between social media accounts and email addresses. We have grown as attached to our email addresses as we have to our phones: the DMA research found that 51% of people have held the same email address for more than 10 years. Color me unsurprised. I've held the same personal email address for more than 20 years, and my corporate address for almost 13 now.
You can imagine that those two email addresses are associated with way more than the average number of apps and social media accounts.
Also unsurprising is the number of times my personal email address has turned up on a list of addresses compromised by some information breach. It's a lot. I suspect given the statistics that most people can say the same thing. And if we project out the nearly linear growth of social media accounts for four more years, it's likely that number will grow along with the number of available targets.
Now, think about that and then consider these findings from password management vendor LastPass:
- 43% of the top 30 domains employees use are also popular consumer apps (think Dropbox, for example)
- 50% of people do not create different passwords for personal and work accounts
If that's troubling, wait - there's more. The same research found that 6 passwords were shared by the average employee. That's six passwords shared with coworkers.
Take a deep breath, security pro.
Despite education and a constant litany of reminders that security is everyone's responsibility, not only is the corporate-consumer barrier being breached on a regular basis but the most basic of security practices is being completely ignored when it comes to apps and passwords. The Verizon Data Breach Investigations Report found that over 70% of employees reuse passwords at work.
This is why it's important for organizations to recognize and institute better protection of their own corporate assets. Corporate assets that are usually accessed by one of 2.5 email addresses. Using multi-factor authentication (MFA) and instituting password complexity requirements are among the best defenses against attackers easily brute-forcing their way into lucrative sources of data. MFA is also one of the best defenses against the sharing of passwords, because it goes one step further and requires an additional step - one that most coworkers can't complete.
With every account that's exposed, with every app that joins the corporate ranks, risk is increased. Risk from employees sharing passwords, risk from static email addresses with multiple passwords, and risk from attackers who know all these statistics and the best ways to exploit them.
MFA is not a panacea, but it is a good start on the road to addressing a risk that's only going to continue to grow along with the number of apps on our phones and in use across personal and corporate domains.
If you're already using BIG-IP APM, check out these options for adding MFA to your authentication process: