Passwords: Workers say they will hand them over for next to nothing

One in seven employees would risk a data breach for a small amount of money.
Written by Danny Palmer, Senior Writer
Login screen

Login credentials aren't worth much to some.

Image: iStock

A cyberattack could cost an organisation millions, but an employee within your company might be willing to give an outsider access to sensitive information via their login credentials for under £200.

According to a report examining insider threats by Forcepoint, 14 percent of European employees claimed they would sell their work login credentials to an outsider for £200. And the researchers found that, of those who'd sell their credentials to an outsider, nearly half would do it for less.

This willingness to sell on information likely stems from a lack of understanding about the true value of data - and the damage it can do to both organisations and individuals if it falls into the wrong hands.

According to the Forcepoint figures, 22 percent of employees don't believe or are unsure if data breaches incur a cost to the organisation, while 32 percent are unaware or unsure about the potential consequences of a breach.

But those consequences can include potentially millions being stolen, additional financial costs associated with investigating and fixing the cybersecurity breach and loss of revenue due to customers staying away because of the reputational damage.

All of these could potentially combine to bring a business down entirely - therefore making the insider threat something which organisations should take care of managing.

"Research has consistently shown that breaches caused by employees are among the most damaging around in terms of their financial and reputational impact," says Mike Smart, product and solutions director at Forcepoint.

"Organisations that ignore the potential security risks that can be caused by employees and other insiders miss an opportunity to strengthen their security posture and protect their companies more broadly"

Employee education could go a long way to fixing the holes left open by employees who are potentially willing to sell credentials for money.

It's also worth noting that staff foolish enough to sell passwords may be putting themselves at risk too, especially if they've used that very same weak corporate password across multiple personal accounts - their social media, their emails, even their online banking and shopping accounts could potentially be compromised by hackers simply using the password to gain access.

In order to do this, employers must take action to make data personal, ensuring that employees know that there's a connection between their corporate and personal accounts and that that connection needs to be managed.

"If you're using that same password or those same credentials for your personal data, you're basically harming yourself as well," says Moyn Uddin, chief cyber risk officer at Cyber Counsel, a consultancy specialising in data protection and privacy.

"We should be focusing on awareness, getting employees to take ownership for their actions and that's where the key is," he adds.

The report is based on a Forcepoint commissioned independent survey of over 4,000 office workers across the UK, France, Germany and Italy - on attitudes toward data protection and insider threats.


Editorial standards