Cloud storage tools, social networks, and chat apps have improved our work and personal lives, allowing real-time connectivity and electronic file sharing from your computer, tablet, or phone. These capabilities have effectively changed the way individuals and businesses operate by encouraging collaboration, storing and sharing data, and improving communication.
However, with the benefits of connectivity come the risks of security issues and data breaches, for both organizations and their employees. Organizations are quickly recognizing the importance of consumer-style apps in improving employee satisfaction and productivity, but insecure apps and tools, unsafe password sharing among colleagues, and poor password habits used both at home and work expose new vulnerabilities and insider threats.
Consumer-friendly apps and tools aren’t as secure as you might think
The apps you use on personal/work smartphones, third-party cloud storage websites, real-time chat apps, and social media websites may not be taking the proper precautions to keep your information safe online.
Some consumer-friendly websites and apps are security risks because they don’t encrypt passwords or messages during transmission; others lack the internal security infrastructure needed to keep an organization’s information secure. The most terrifying fact is that a majority of popular websites and apps are plagued with poor password policies. In a recent Dashlane Security Roundup, we found:
- 80 percent of sites did not meet the minimum secure password threshold.
- 72 percent of sites do not require passwords with a capital letter and a number or symbol.
- 32 percent of sites accept the ten most common passwords, including “password”.
Although convenient, sharing passwords with colleagues can jeopardize your entire company
While the websites and apps we use have considerable room for improvement, fallible human beings are the weakest link in any organization’s security infrastructure. Employees, even those with the best of intentions, endanger an organization’s security infrastructure by transferring the poor password security habits they use at home on their personal devices into the workplace.
One source of poor password practices is password sharing between colleagues and teams within an organization. It is typically necessary to share credentials to a social network, an analytics platform, or a cloud storage account; however, employees often resort to sharing credentials impulsively via email, text message, internal chat apps, Word or Excel documents, or Post-it notes.
Workers at the U.S. General Services Administration learned about the consequences of password sharing the hard way with an internal data breach involving Slack and Google Drive in March, and similarly, TeamViewer, a PC remote control/remote access software, suffered a serious data breach at the beginning of June.
Your colleagues are bringing the risky habit of password reuse into the workplace
Employees often reuse passwords from their personal lives to also protect their work accounts; those passwords are often weak and meet the bare minimum password requirements. By reusing the same password on multiple accounts, you and your colleagues face an even greater risk of compromising multiple personal and work accounts during a data breach.
Password reuse has the potential of producing catastrophic results. For instance, in 2012, a Dropbox employee’s reused personal password was stolen, allowing hackers access to a database containing end-user information. The issues at Dropbox returned this year when Dropbox accounts–both business and personal–were put at risk yet again due to rampant password reuse. Passwords and logins used for many Dropbox accounts were the same as those leaked during the mega data breaches of Tumblr, LinkedIn, and MySpace.
The security risks associated with password reuse are amplified when employees use the same device at home and at work. “Bring Your Own Device” (BYOD) devices have a higher chance of contracting malware or viruses, and local data could easily be exposed if they are connected to public Wi-Fi networks. Without formal regulations and comprehensive cyber security education efforts from organizations, employees are more likely to transfer bad password practices and external cyber security threats from their home into the office.
So what’s at stake for you and your company?
There are two significant ways you, your colleagues, and your entire company could be affected by a cyber attack:
A cyber attack could compromise your personal and work-related devices and online accounts.
Unfortunately, as data breaches occur more frequently, the chances of employees being directly impacted rise as well. A recent SailPoint survey found that an average of 32 percent of respondents (employees) have been personally affected by a recent data breach; that number jumps to 44 percent specifically for personnel in U.S. organizations.
Losing private data for any individual can be catastrophic on a personal level, with potential for hacked bank and investment accounts, social media accounts, tax records, or anything else someone accesses from a desktop or mobile device, whether personal or company-issued.
A cyber attack could cause irreparable financial damage to a business.
For businesses, the stakes are even higher. Employee and client information, trade secrets, and other non-public information are potentially at risk when a corporate network is breached. Those records are extremely profitable for financially-motivated cyber criminals. A 2016 study by IBM and the Ponemon Institute found that a single breached file costs an average of $158, and specifically, $221 for U.S. organizations.
Organizations could also pay up big time for various recovery expenses during and after a data breach. The IBM/Ponemon study found that organizations could lose an average of $4 million in a data breach; that number skyrockets to more than $7 million for U.S. organizations. Companies that fall victim to hackers could become financially crippled by detection, escalation, and notification costs, post-data breach recovery expenses (e.g., special investigations and legal fees), customer churn, and reputation losses, which could cause irreversible damage.
Three simple ways to instantly protect yourself, your co-workers, and your company
Today, it’s not a question of “if” a security breach is going to occur; it’s “when” it will occur. Here are three easy preventative measures you can take to mitigate the risk of you and your company becoming the next victim of a security breach:
- Use strong, unique passwords for work and personal accounts. In another recent blog post, we noted that “123456” is the most popular stolen password in the Yahoo breach, followed by “password”, “welcome”, and “ninja”. Start using strong, unique passwords for both your work and personal online accounts. For tips on how to create complex passwords, check out this helpful resource on our blog.
- Use a password manager. Consider using a password manager, especially on BYOD devices if permissible. Password managers eliminate bad password habits at work and at home by securing and encrypting all of your passwords and stored data, automatically logging you into numerous websites and mobile apps, and automatically filling out online forms with ease. There are also password managers your entire organization can use, like Dashlane Business! Dashlane Business makes it easy for your company to measure and improve password health–without compromising your privacy.
- Enable two-factor authentication. Adding two-factor authentication (2FA) to the sign-in process is far more secure than simply requiring a password. By adding an extra “factor” before accessing a system, it is highly unlikely that a hacker could gain access to your data with just a stolen login ID and password.
One last tip: Don’t wait for a data breach to occur to begin protecting yourself and your company. Download our free whitepaper to learn about the best cybersecurity practices that will protect you and the future of your company from various cyber threats.