Passwords For Sale: Employees Would Sell Their Work Credentials for Next to Nothing

Whether you know it or not, your business has a serious security problem. The cause has nothing to do with malware or state-sponsored cyber attacks—it has to do with your employees and the way they view their relationship with the data you trust them with each day.

There’s a stunning disconnect between the way your employees’ value and protect their organization’s data and their personal data, which goes a long way towards explaining why so many employees use poor password practices that put organizations in harm’s way.

Some employees do not understand the true value of your organization’s data

A major factor contributing to this disconnect are employees who do not understand the true value of your organization’s data. Every day, your employees are using the same passwords to protect multiple accounts, uploading important documents to unapproved third-party cloud storage platforms, and connecting work devices to insecure public Wi-Fi networks without recognizing how valuable an Excel sheet or an email password can be to hackers.

Last year, IBM and the Ponemon Institute calculated the average total cost of a data breach in 2016 to be $4 million and the average cost of a stolen or compromised record is valued at $158—putting the cost of just 100 stolen records at $15,800.

Keep in mind that this is just the cost associated with the initial breach. When you begin to discuss the recovery process, things like notification costs (you will likely be required to notify those affected that their information has been stolen), detection and escalation costs, post-breach response costs and repudiation losses, you could be looking at a total consolidated price tag of about $7.01 million for a data breach.

Yet to the average employee, none of these costs exist at all. A recent survey revealed that 22 percent of employees either don’t believe that data breaches incur dramatic costs to an organization, or are “not sure” that they exist at all. To employees, data breaches are things that they read about online or in the newspaper–not events that have a direct impact on their actual lives.

The truth is: data breaches do happen every day and your employees may be playing a much more active role at putting your business at risk than you might think.

Employees are apathetic towards your company’s data

Even if you assume your employees understand the true cost of your company’s data, another 32 percent are either unaware or unsure about the potential impact a potential data breach can have on a business, like privacy violations, civil lawsuits, damage to a business’ reputation, and other issues.

In contrast, studies show that employees are aware of and concerned about the ramifications when their personal data is exposed by a company they do business with. For instance, a 2016 SailPoint survey found that only 32 percent of respondents have been impacted by a data breach recently, but an incredible 85 percent said they would react (largely negatively) to a company who has been breached, including discontinuing business with them.

While employees understand what a data breach is, why they are dangerous, and what could happen when they become victims of a data breach, they pay little attention to the severe ramifications a data breach could have on their employers. In other words, their personal data is precious–it’s something that they hold at a premium. Their company’s data, on the other hand? Not so much.

This employee apathy towards your company’s data fuels the most dangerous insider threat you haven’t prepared for.

Workers are willing to trade their credentials for cash

No matter how fortified your security infrastructure is, a disgruntled ex-manager, a greedy contractor, a frustrated developer, or an entry-level staffer strapped for cash can easily jeopardize the future of your company for as little as $1000.

In a recent survey, an unfortunate one in every seven employees said they would be willing to risk the catastrophic effects of a data breach for a small amount of money. 14 percent of European employees said that they would be interested in selling their work login credentials to an outsider for as little as £200. A separate survey found 40 percent of United States employees, 56 percent of United Kingdom employees and 50 percent of French employees said that they would be willing to hand over whatever credentials someone wanted for as little as $1,000. Put into a larger perspective, for just $1,000, a rogue employee could wind up costing your business $7.01 million worth of damage and a lifetime of anguish in terms of reputation and customer relations.

Why would your employees trade credentials for cash? According to Verizon’s 2016 Data Breach Investigations Report, 34 percent of insider misuse incidents were motivated by financial gain, followed by espionage (25 percent).

“The first step to recovery is admitting that you have a problem”

As the saying goes, “the first step to recovery is admitting that you have a problem.” The first step towards bridging the disconnect between the way employees view their personal data and their apathy towards their organization’s data is thorough and ongoing employee education. Employee education is incredibly powerful in terms of not only fixing loopholes left open by those who might be willing to sell their credentials, but also in terms of combating poor password habits and common user errors at the same time.

For employees who may be willing to “go rogue” and sell their credentials to anyone–you’ll need to take a decidedly more sophisticated approach.

First, you’ll need to take action to make all data “personal” to employees. That means emphasizing the connection between an employee’s personal accounts and their corporate ones and make it clear that properly managing that connection needs to be one of their highest priorities. Present real life examples to underscore this point; take, for instance, the 2012 Dropbox data breach in which hackers compromised more than 68 million user accounts by using an employee’s hacked password stolen from another data breach.  

Secondly, you need to dedicate more time and resources into access and credential management. Business owners and IT managers need to continually monitor and log endpoint activities for every employee, regardless of job title. You should know what files and networks they have access to, what devices they’re using to connect to your internet network and verify if they are using third-party applications to store or manage work-related data. Be proactive by making sure administrative credentials are provisioned properly, and that procedures for proper onboarding and offboarding are established and followed.

If you don’t have the funds or resources to build out a full-scale IT department, consider investing in a team password manager for centralized access and credential management.

Team password managers safeguard your company’s data from several internal threats, including poor password habits to rogue employees attempting to sell their credentials.

For starters, team password managers give every employee the ability to store both work-related and personal credentials in an encrypted, centralized vault. This eliminates the needs for employees to create and use weak passwords for online accounts, and share passwords on sticky notes, over email, or store them in a Word or Excel document.

Secondly, team password managers give you the ability to control access to work-related accounts based on roles within your company. This will make sure that your employees will still have access to passwords that are pertinent to their role and position instead of having access to all passwords not required for their job function.

Most importantly, team password managers provide you with a centralized admin console with the ability to monitor password health and strength on an employee-by-employee basis without infringing on their privacy. It also allows you to establish and enforce policies on access and password security policies among individuals and teams. For instance, you can restrict password sharing among teams and individuals, making it harder for someone to sell their credentials to a third party.

Employees are an important part of your business, but they’re also a very real liability in terms of cyber security. Whether you’re worried about employees who just don’t take cyber security seriously or are wondering if they’re willing to sell you out for a decidedly small amount of money, ongoing education and investing in monitoring your company’s access and password management are the best ways to make sure you get to enjoy all of the benefits of the digital age with as few of the downsides as possible.

If you’re ready to solve your security problem, Dashlane Business is ready to help. Our password manager for business is trusted by 6,000+ companies to create, enforce, and track effective access management, and features the only patented security architecture in the industry. Dashlane Business begins at $2/user per month and scales by volume, with custom setup options available for enterprising licensing. The company’s consumer product is used by 6 million people worldwide. Try it free for 30 days!