Corporate passwords for sale, $150 OBO. That, apparently, is how little some employees may take in exchange for compromising their company's security.
SailPoint's Market Pulse Survey, compiled from responses from 1000 workers from large companies with at least 3000 employees, offers vivid examples of how easily one person can create a lot of risk--and why passwords alone are simply inadequate.
Here are some highlights:
- 1 in 7 employees would sell a corporate password for as little as $US150.
- 56 per cent of those surveyed admit to reusing passwords across corporate applications they access.
- 14 per cent of those surveyed claim to use the same password for every application.
- One in five of the survey participants routinely share login credentials with other members of their team.
The reuse of passwords is particularly alarming. "Employees may have moved away from the post-it note password list, but using the same password across personal and work applications exposes the company," said Kevin Cunningham, president and founder of SailPoint, in a statement.
Sharing passwords with other coworkers is probably seen as a friendly or expedient thing to do. Unfortunately, it makes it much more difficult to contain or enforce password security, or to trace the source of a breach or compromise.
Lax at work, worried at home
While many of the employees surveyed apparently were lax about corporate security, they were cautious about their personal online security. Twenty per cent of those surveyed said they'd been the victim of a data breach. Ironically, the same proportion (20 per cent) said they'd stop doing business with a company that put their data at risk- like maybe their company?- and fully half said they'd tell their friends and family to do the same.
Even on a personal level, individuals routinely make dumb choices when it comes to password security. A recent segment on Jimmy Kimmel Live illustrated exactly why password security is inadequate: People on the street were willing to share information about their passwords related to how they come up with them. One couple revealed they use the name of a pet combined with a memorable date.
The people interviewed didn't blatantly share their passwords, but by sharing relevant details on national television they put themselves at risk. It is not difficult to find out what the name of the person's pet, and then it's just a matter of identifying dates that might be significant, like birthdays or anniversaries.
I hope you wouldn't sell your corporate password to the highest bidder or give hints to help people crack your password. Even if you follow solid password security practices, though, passwords alone are still inherently insecure.
That's why two-factor authentication makes sense. You just have to find the right balance between ensuring your accounts and data are secure, without making access so difficult that it's impractical and unreasonably inconvenient.