Employees have no qualms over selling corporate passwords
7 April 2015
Plenty of people are careless with their own personal passwords — using the same one for multiple sites, and/or making them so simple that they are comically easy to crack — but hardly anyone would intentionally sell them for a few bucks to someone they know would use them to do them harm.
Apparently, however, some of them do not have those qualms about selling corporate passwords. A recent global survey of 1,000 employees at large organisations (those with more than 3,000 workers), commissioned by vendor SailPoint, found that one in seven would sell their password to an outsider for as little as $150 (€137).
This is not a new problem, however. And $150 is, relatively speaking, big bucks. A 2012 survey conducted in the UK found that almost half of the respondents would sell their corporate passwords for less than £5 (€6.81), while 30% would sell them for just £1 (€1.36).
It also does not surprise people like Christopher Frenz, a faculty member at New York City College of Technology, who said, “other research groups were able to get people to reveal their passwords for something as small as a chocolate bar.”
But, Frenz added that it is important to know how rigorous such research is. “These surveys tend to interview people who self-select themselves for participation, so they’re not a representative cross section,” he said. “They (the surveys) often lack proper controls, and do not typically try to verify if the user is actually revealing a real password. It makes you wonder how many people just make up a password on the spot for the free chocolate or the few dollars?”
Still, even if the actual percentage is smaller than the surveys found, it is enough to blow a major hole in any company’s data security.
“Human beings are fallible, and this sort of issue is a real problem,” said Muddu Sudhakar, CEO of Caspida, recalling headlines in January about a Morgan Stanley financial adviser who was fired after he allegedly stole account information from about 350,000 wealth management clients and posted the information of 900 online.
In that case, the leaked information reportedly included names and account numbers but not passwords. But it clearly illustrates that insiders offering sensitive corporate information for sale can indeed be “a real problem.”
One obvious question is why even a minority of workers would risk losing their jobs, and with them not just their immediate livelihood but potentially their entire career, for just a few bucks.
Joseph Loomis, founder and CEO of CyberSponse, said employee loyalty should not be assumed. “How many employees do you know who truly care about the organisation where they work?” he said. “Excluding some of the top organisations in the marketplace, employee morale or care is always a concern for triggering insider threats.”
Sudhakar said he suspects workers know that if their personal passwords were compromised, the consequences would be certain and severe, while they might view a corporate password as, “someone else’s problem or think there might not be a consequence to misusing it.”
Frenz said some workers might not realise how important their corporate passwords are. “This is particularly true if the data they handle at work would not normally be considered sensitive,” he said, “as they likely fail to grasp that their account may provide a doorway that can be used as a staging ground to gain access to more sensitive data via privilege escalation and like methods.”