LastPass 2021

© 2020, LogMeIn, Inc. | CONFIDENTIAL – FOR INTERNAL USE ONLY
Name
Role
Vertical
Name
Role
Vertical
Name
Role
Vertical

Unlocking the Global Modern Remote Workforce
Unified
Communications
and Collaboration
28M
monthly users
535K
collaboration solution
subscribers
Customer
Engagement
and Support
1B
customer interactions
55K+
customers worldwide
Identity
and Access
Management
25M+
users worldwide
rely on LastPass
500+
annual connections for
IT managers with Central
2

LogMeIn’s Security and Trust Program
3
As a global company with customers in nearly every country around the world,
protecting the personal and confidential data of our customers and their
end users is one of our top priorities.
Dedicated Chief Information
Security Officer (CISO) and
Global Security Team
Full Coverage Across LogMeIn
Product Portfolio and
Internal Infrastructure
24x7 Computer Security
Incident Response and
Threat Intelligence Team
Multiple Leading Third-party
Security Compliance and
Privacy Certifications
01 02
03 04

We Help Government Customers in ANZ
4

We Help Technology Customers
5

We Help Financial Service Customers in ANZ
6

We Help Healthcare Customers
7

We Help Education Customers
8

So Why
Password
Management?

1
What People Say
91%
Users know using the
same or a variation of the same
password is a risk. 66%
However, while creating passwords 66% of
respondents always or mostly use the same
password or a variation. This is up by 8% from
our findings in 2018.
80%
Users agree that having their
passwords compromised is something
they're concerned about. 48%
Yet 48% of them said if it's not required, they
never change their password - which is up by
40% from 2018.
77%
Users state that they are informed
of password protection and best
practices.
54% However 54% of them keep track of passwords
by memorizing them.
Source - Psychology of Passwords: The Online Behavior That’s Putting You at Risk
What People Do

1

1
67% of Breaches are Caused by Re-used,
Weak, or Compromised Passwords*
Password Policy
During this engagement, the red team
compromised four privileged service
accounts due to the use of weak
passwords which could be quickly brute-
forced. FireEye recommends that
customers enforce strong password
practices for all accounts. Customers are
advised to enforce a minimum of 20-
character passwords for service accounts.
When possible, customers should also use
Microsoft Managed Service Accounts
(MSAs) or enterprise password vaulting
solutions to manage privileged users.
Cyber Incident Breaches
The majority of cyber incidents during
the reporting period of January to June
2020 were linked to malicious actors
gaining access to accounts, either
through phishing attacks or by using
compromised account details
(compromised credentials, 133
notifications), ransomware attack (33
notifications), and hacking (29
notifications).

1
67% Credentials Epidemic
Chart 1.7 — Cyber incident breakdown — All sectors
Malicious or Criminal Attack Notifications
Phishing (compromised credentials)
133
Brute-force attack (compromised credentials)
Compromised or stolen credentials (method unknown)
Ransomware 33
Hacking 29
Chart 1.7 is a pie chart that breaks down the kinds of data breaches identified as 'malicious or
criminal attack — cyber incident’ between January and June 2020 by percentage. In order
displayed:
Credit: https://www.oaic.gov.au/privacy/notifiable-data-breaches/notifiable-data-breaches-statistics/notifiable-data-breaches-report-january-june-2020/.

Hackers aren’t Hacking in. They’re Logging in.
14
73
27
0 10 20 30 40 50 60 70 80
External
Internal
APAC
172
498
204
54
1088
158
131
320.5
262
18
0 200 400 600 800 1000 1200
2016
2017
2018
2019
APAC
MEDIAN
DWELL
TIME
Notifications
All
External
Internal

There’s a Gap
MFA/2FA
PAM
MFA/2FA
SSO

A Look at the IAM Stack
16
User Directory
USERS ADMINS
Enterprise cloud apps Servers Databases Devices
Cloud apps Shared creds
MFA SSO
Enterprise Password
Management
Privileged Access
Management

Why
are Companies
Implementing
LastPass?

Security Landscape
18
Alignment to NIST
and CP234, GDPR,
and Privacy Act,
ISO27001, ASD
Essential Eight, PCI
DSS
Password management is an
agenda, that is part of their
security audit
Threats are now more
focused on executives
Rise of Phishing/Spear
Phishing – 350% increase
during COVID
Move away from focusing on
Security Technology to ‘People
and Process’
Dedicated Security
Awareness Programs
01 02 03 04 05 06

Improve user
experience and
promote best
practices
Drivers for Deploying a Password Manager
19
Provide the
Cybersecurity
Team with ‘visibility’ of
the overall
password hygiene
Alignment to
NZISM/CP234/ISO2701/
ASD Essential Eight
Reduce the potential
for account
compromise

• Password-less authentication for
seamless authentication
• Consolidated identity framework
• Eliminating weak and re-used
password risks associated to
human behavior (Notes, MS excel,
One note, MS Word)
• Improving password controls and
password policy enforcement
across the entire credentials
landscape (every user)
• Reducing the existing risks
associated to the credentials gap
left between SSO, PAM, and all
other password requirements
• Reducing the success rate of
phishing attacks across all
business functions:
• LastPass avoids presentation
of credentials to a site that is
not contained within the
Password Vault. So even if a
user clicks on a link, the
credentials won't be
presented
• Improving password controls or
password policy enforcement:
• Inside out – where your
organization poses the risk to
your clients, partners, and
suppliers
• Outside in – where clients,
partners, suppliers, and
contractors’ poor controls pose
risk to your organization
• Improved reporting posture for
audit and compliance purposes
• Identification of users or groups
of users, where poor password
practices and reuse place the
organization at greater risk of a
successful cyber penetration
• Ability to implement stronger
policies and governance around
password controls
Shrinking the credential risk surface
across the entire organizational
landscape
Reducing successful
phishing attempts
(related to credential theft)
Reducing third-party
risks
Strengthen regulatory
and compliance position
What are Customers Achieving with LastPass
20

Case Studies

22
Government
“Wellington City Council adopted LastPass across IT and wider businesses such as the
Comms team. LastPass provided the ability for IT to secure systems, increase password
compliance, and reduce reuse – which was discovered through reporting (that was a
total surprise).
WCC must share passwords with vendors for delivery of services and until we establish
B2B via our IDP, we can share passwords confidently with vendors and
monitor the activity.
Our social media teams have found it especially useful for sharing and managing access
to social media accounts when their social media site doesn’t support SAML.
We use MFA on all LastPass activities for users and admins, and the separation of admin
and user portal is especially useful for privilege access management when you are both
the user and administrator.
I’ve implemented LastPass in two organizations and while they are vastly different in IT
capabilities, it has always moved the organization towards a positive change for
management secrets and passwords.”
Jannie Muller
Information and Data Architect

Government
23
With the aim of improving security across the organization, Lockyer Valley Regional Council engaged
an external auditor to identify risk factors and potential cyber security threats. They were aware
that the practices of the general staff weren’t particularly good when it came to storing credentials.
Many helpdesk tickets were being raised to get account credentials reset due to credentials being
shared between staff members. The ICT team was using a tool to manage their credentials, but this
could not scale to cover accounting, consultants, office workers, and other departments as it was
too technical.
Challenge:
Results:
There is a significant reduction in calls and
tickets to the Helpdesk for login credential
resets, given they have almost 80%
adoption rate.
The security team uses the admin center to
gain better insights to the security posture
of the organization and they use the
policies to help encourage the right
behavior with staff.
“Your team excelled at showing us the
value of the LastPass suite, which made it
easy to sell internally.”
Anjana Ranatunge
Coordinator ICT Projects and Business
Operations, Lockyer Valley Regional Council

24
As an expanding organization working nationwide to effect change, Code.org began to experience
growing pains. In addition to staff turnover, as the organization changed and expanded, so did the
needs of the staff and the number of technology tools in use.
The entire team needed quick, flexible access to numerous accounts and tools they use to organize
teacher training workshops, service students, and grow the organization. But more importantly, they
needed to address the security concerns that were raised in regards to passwords.
Code.org
Technology
Challenge:
Results:
After deploying the LastPass Enterprise,
Code.org saw immediate benefits in
the on-boarding and off-boarding processes
for employees. LastPass helped Code.org
alleviate growing pains by providing
increased collaboration among teams and
heightened organizational security.
Admins maintained control over all company
passwords and re-assigned them to the
necessary team members, while departing
employee accounts could be deactivated in real time.
“LastPass helped us alleviate our
growing pains by providing increased
organizational security.”
Michelle Page
VP of Finance and Administration,
Code.org

Healthcare
25
Ob Hospitalist Group is the largest and only dedicated OB/GYN provider and has been the leader in
quality and safety of women's healthcare since 2006. OB Hospitalist Group leveraged LastPass to help
power remote work, as the pandemic unfolded OB had to lift and shift their workforce from desktops
to laptops to ensure business continuity.
One of the key risks of moving staff to remote work was maintaining productivity and ensuring this continuity.
Challenge:
Results:
By using LastPass, OB was able to ensure
secure password automation and by not
knowing the passwords at all made the
business more secure.
LastPass removed the friction of the need
to create and remember passwords going
forward, helping staff productivity,
ensuring business continuity, and keeping
all the staff digitally secure at work.

Education
26
Using the same or similar password for each login because it’s easy to remember and keeping a record of
different login details in an Excel spreadsheet or similar, is a high-risk behavior that makes stealing
credentials rewarding for hackers.
This is comparable to what Deakin University uncovered; staff were not using secure methods to store and
share sensitive and secret information. For example, some staff were keeping Personally Identifiable
Information (PII), including credit card numbers and passport details in spreadsheets saved on a
shared drive.
Challenge:
Results
Deakin deployed the
LastPass Enterprise across
the entire university,
including students.
“We’ve seen massive benefits. When you have a developer
on the team leave the organization, we no longer need to
reset all the passwords that they may have had access to.
Now, we can share credentials with developers without
revealing them via LastPass. Your security is as good as
your weakest link. We made the conscious decision that
we’re going to educate our staff and students as we
transition them to using a password manager, so that they
know how to use it and use it for every site they visit”
Sattiraju

Financial Services
27
Representing around 100 insurance providers to service their clients, Anderson Insurance Associates
has to track hundreds of accounts and passwords to keep operations running smoothly. Logging
employees into those accounts quickly and with minimal interruption to their workflow, is essential
for the team’s success.
Mandatory password resets every month or quarter further slowed down the team, with frequent
account lockouts due to password confusion.
Challenge:
Results:
Employees can now quickly change passwords when they
have a mandatory password reset and don’t have to worry
about remembering that password, which has significantly
reduced the burden on IT. The IT team is able to enforce
the company’s password policies and has direct insight into
the company’s password security at all levels.
LastPass Enterprise also automates routine IT tasks, like
onboarding and off boarding users, as well as shared
account provisioning and password resets without
interrupting employees.
“With passwords changing
monthly or quarterly, accounts
would get locked after too
many incorrect tries. Then we’d
have to go in to help the
employee and it’d be a 45-
minute call with an insurance
company to reset it. It was just
a major inefficiency.”
Ryan Moniz
Director of IT, Anderson
Insurance Associates

LastPass
Demonstration
https://lastpass.com/create-account.php

Summary and Next Steps
29
Passwords aren’t going anywhere
and human behavior needs to change.
They’re still the leading cause of data breaches
and need to be properly managed.
Reach out to LastPass to discuss further applications to
your agency, council, or company.
• XXXXXX– XXXXXXXX@logmein.com
• XXXXXXX– XXXXXXX@logmein.com

Thank You

LastPass 2021

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to LastPass 2021

Similar to LastPass 2021 (20)

Recently uploaded

Recently uploaded (20)

LastPass 2021

Editor's Notes