New research from SailPoint has revealed that poor staff cybersecurity behaviors within organizations are getting worse, despite a greater focus on security awareness in the workplace.

The firm quizzed 1600 global employees, discovering that 75% of respondents reuse passwords across both personal and professional accounts, a figure up from 56% in 2014. Interestingly, the percentage of 18-25-year-olds who admitted reusing passwords was even higher (87%), suggesting employees’ approaches to security are worsening as more millennials enter the workforce.

What’s more, almost a quarter (23%) of all those polled said they only change their work password two times or fewer a year and 15% would consider selling their workplace passwords to a third party.

In terms of frictions between the IT department and the rest of the workforce, more than half of respondents considered IT to be “a source of inconvenience,” whilst 13% would not immediately inform IT if they had been hacked.

Furthermore, SailPoint’s research suggested that new technologies are creating new areas of risk for organizations. Nearly half (48%) of respondents use or are planning to use AI chatbots/personal assistants at work, and 31% had deployed software without IT’s help.

Speaking to Infosecurity Bruce Hallas, security awareness, behavior and culture expert, and owner & principal consultant, Marmalade Box, said that password management is probably one of the security policies that employees receive consistent training on, so when 75% of employees reuse passwords across personal and professional accounts it raises questions about the effectiveness of current awareness raising and behavior improvement methods.

“Where organizations rely on employees to remember and then change their password periodically in line with policy, without a system prompt, you’re statistically likely to a high level of non-compliance,” he added.

“If 23% of respondents change their passwords twice or fewer times a year, but this is in line with their organizational policy, then that’s fine, but probably not ideal. If the 23% are in breach of their organization’s password policy then you’ve got to focus on why those behaviors prevail. A simple starting point might be [to ask] ‘do they even remember the policy’ after they’ve had their training.”

Juliette Rizkallah, CMO, SailPoint advised: “By taking an identity-centric approach to security, IT can gain full visibility and control into which applications and data that users, including both human and non-human bots, are accessing to do their jobs. This approach allows enterprises of all sizes to confidently address the tension between enablement and security exposed in our Market Pulse Survey.”