Although spending on cybersecurity is expected to reach an all-time high in 2019, exceeding $124bn according to Gartner, the majority of organisations are still vulnerable to basic cyber exploits, a recent study has found.

While the scale and complexity of cyberattacks are growing, cybersecurity company Preempt has found that some 97% of organisations weren’t adequately protected against common hacking techniques such as brute force password attacks and compromised credentials.

“While cybersecurity spending is at all-time highs, our research finds the vast majority of organisations are vulnerable to hacking via brute force password attacks, compromised user credentials, and other common tactics,” said Ajit Sancheti, co-founder and CEO of Preempt.

The study found that 32% of enterprises have exposed passwords in their Active Directory Group Policy Preferences, a set of extensions that configure the settings and privileges of the group of users accessing a network. This means that hackers with access to the network are able to fetch and decrypt stored passwords.
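An administrator can check for this exposure by scanning a copy of the domain's policy share for preference XML files that carry a non-empty `cpassword` attribute, the field in which Group Policy Preferences stores a password. The following is an added example, not code from Preempt or the original article; the directory layout, account names and values in `demo()` are constructed, and the list of account attributes is an assumption.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Attributes that commonly name the account next to a stored password
# (assumption: covers Groups, Services and ScheduledTasks preference files).
ACCOUNT_ATTRS = ("userName", "accountName", "runAs")

def find_gpp_passwords(root_dir):
    """Return sorted (relative path, element tag, account) for each non-empty cpassword."""
    findings = []
    for folder, _dirs, files in os.walk(root_dir):
        for name in files:
            if not name.lower().endswith(".xml"):
                continue
            path = os.path.join(folder, name)
            try:
                tree = ET.parse(path)
            except ET.ParseError:
                continue  # skip files that are not well-formed XML
            for elem in tree.iter():
                if elem.get("cpassword"):  # empty value means nothing is stored
                    account = next((elem.get(a) for a in ACCOUNT_ATTRS if elem.get(a)), "")
                    findings.append((os.path.relpath(path, root_dir), elem.tag, account))
    return sorted(findings)

def demo():
    """Scan a constructed policy tree; all names and values are made up."""
    samples = {
        "Groups/Groups.xml": '<Groups><User name="svc_backup"><Properties '
                             'userName="svc_backup" cpassword="CONSTRUCTED-VALUE"/></User></Groups>',
        "Services/Services.xml": '<NTServices><NTService name="Spooler"><Properties '
                                 'accountName="LocalSystem" cpassword=""/></NTService></NTServices>',
        "Drives/Drives.xml": "<Drives><Drive",  # truncated file, must not crash the scan
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            path = os.path.join(root, "Preferences", *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        return find_gpp_passwords(root)

if __name__ == "__main__":
    for rel_path, tag, account in demo():
        print(f"{rel_path}: <{tag}> stores a password for {account or 'unknown account'}")
```

Every finding should be treated as a credential that is already exposed: remove the stored value from the policy and change the account's password.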

Likewise, it was also found that 72% of networks had “stealthy admin” accounts. These are user accounts that have special privileges but are often overlooked. This makes them a valuable asset for hackers hoping to escape detection for as long as possible.

It was found that just 5% of enterprise networks had strong password policies. The majority (72%) had medium password policies. Worryingly, however, 23% had password policies deemed “very weak” by Preempt. Policies that required a password of seven characters or fewer with little complexity were deemed weak. According to the company, the weaker the policy, the more likely employees were to have equally weak passwords, which could expose the organisation to cyberattacks.

“Compromised credentials were responsible for 81% of hacking related breaches last year, and our research suggests this will potentially worsen unless enterprises prioritise password best practices, as well as visibility and control around privileged users,” Sancheti said.

Preempt’s data is based on statistics collected through its Inspector app, through which organisations can choose to provide anonymous security data for the company to analyse.

Which organisations are most vulnerable?

While Kanye West, the Pentagon and Nutella were recently found to be the worst password offenders of 2018, Preempt’s research more broadly found that small organisations were most at risk of falling victim to cybercrime.

The study found that the larger the organisation, the harder it was to breach employees’ credentials. The cybersecurity specialists were able to crack almost 17% of passwords in small organisations, but just 9% of passwords in large organisations.

It also found that organisations based in the United States and Europe – home to many of the large organisations that have suffered many of the biggest data breaches in history of late – were generally better protected against credential theft.

Preempt were able to crack the passwords of just 6.3% of employees, compared to 12% in Europe and 18% in the rest of the world.