Passwords: Sharing, reusing, or selling them -- which are you guilty of?

Growing negligence around passwords in the workplace could play straight into the hands of hackers.
Written by Danny Palmer, Senior Writer

Twenty percent of employees said they'd be willing to sell corporate login credentials to outsiders.

Employees are sloppy when it comes to handling passwords, cheerfully sharing them with co-workers, using a single password across multiple applications, and even claiming to be willing to sell them to an outsider.

That's according to a new report by identity management and access firm SailPoint, which warns that it isn't just cybercriminals and hackers from outside an organisation's perimeter whose actions could result in massive data leaks, but that insiders could cause harm as well, whether intentionally or not.

Even if employees aren't sharing information outside of the company, they're still potentially putting data at risk, as almost one in three are willing to share passwords with their co-workers.

Those willing to share their passwords might be giving away more than they realise, as two thirds of respondents revealed that they use the same password for multiple applications, making unauthorised access much easier.

Of those who claim they'd be willing to sell their password, 44 percent would do it for less than $1,000 and some would even potentially jeopardise the security of their organisation in this way for under $100.

"Considering the average organization size for the corporations from which our respondents are employed is about 50,000, that means it's possible that 10,000 users at any of those enterprises would sell their password, and 4,400 sell theirs for less than $1,000," the report warns.

SailPoint says malicious actors often target employees because they represent the easiest way of getting past an organisation's cyber defences.

"The commonality across almost every breach is hackers are now targeting the weakest link in the security infrastructure: people. The reason? The digital identity of an individual user is the key that unlocks corporate data and applications," the report warns.

Because of this, says Kevin Cunningham, president and founder of SailPoint, it's vital that organisations -- and IT departments in particular -- have a firm grasp on IT controls and security policies and ensure that employees "understand the implications of how they adhere to those policies".

Why? Because "it only takes one entry point out of hundreds of millions in a single enterprise for a hacker to gain access and cause a lot of damage," says Cunningham.

It isn't just by handing passwords to co-workers or outsiders that employees are putting personal data at risk. The SailPoint survey found that one-quarter of employees admitted to uploading sensitive information to cloud applications with the specific intent to share that data outside the company, often when they're approaching the end of their time at the organisation.

Of that one-quarter, 70 percent said they shared sensitive data on a regular basis. This behaviour, SailPoint suggests, is creating a future which "could be scarier than we once imagined" due to organisations being unaware that sensitive information has been released into the wild.

Ultimately, the report concludes, passwords, login credentials, and other forms of identity are often "the only thing standing between an organization and the next significant data breach".

The 2016 SailPoint Market Pulse Survey was conducted by independent research firm Vanson Bourne. They interviewed 1,000 office workers at private organizations with at least 1,000 employees across Australia, France, Germany, the Netherlands, the UK, and the US.
