Polsinelli at Work | Labor & Employment Blog

Employers, whether large or small, face an ever-growing web of workplace regulations and potential entanglements with employees. With employment litigation and advocacy experience as our strength, preventing legal problems from arising is our goal. Our Labor & Employment attorneys advise management on complex employee relations and workplace issues. 20 offices; 800+ attorneys. 

PolsinelliAtWork.com was recently recognized as one of the top employment blogs in the nation by Feedspot.
 


When Employees Market Passwords for Profit: Four Business Security Challenges and Strategies to Combat Them

By Jay M. Dade

Employees are developing a new, alternative income market, and it poses a direct security threat to employers. A recent SailPoint survey found 20% of employees, or 1 in every 5, would sell their work-related passwords to an outsider. This is up from 1 in 7 a year ago.

SailPoint, an identity and access management provider, surveyed 1,000 private office workers and found, among those willing to sell their company passwords, a striking 44% would sell for less than $1,000. Another IT and security challenge for employers: 26% admitted to uploading sensitive information to cloud apps with the specific intent to share data outside their companies.

The troublesome news doesn’t stop there: 65% admitted using a single password across applications, and 33% reportedly shared passwords with co-workers. One-third of respondents admitted to purchasing subscription-based, on-demand software for company computers without their IT department’s knowledge. Finally, brace yourselves, employers: more than 40% reported having access to a former employer’s corporate accounts.

These and other security challenges keep employer IT managers awake at night and can cause some to break out in cold sweats. So, how can employers fight back? Let’s review four employer security challenges and strategies to combat them.

Challenge No. 1: The Disgruntled Employee

Mass and business media are rife with reports of internal attacks creating risks to companies’ data and IT systems. So-called “rogue” employees – particularly IT employees – who possess insider knowledge of, and access to, employer computer networks, data centers, server farms and administrator accounts can, without question, wreak havoc on an employer’s computer resources and networks.

Strategy: Foremost, identify all privileged accounts and credentials. Immediately terminate those no longer in use or affiliated with former employees. Second, closely monitor, control and manage privileged log-in/access credentials to prevent exploitation. Employers should also implement the protocols and infrastructure necessary to track, log and record privileged account activity, and create alerts that allow a rapid response to any suspected malicious or unauthorized activity so that potential damage can be quickly mitigated.
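The audit and monitoring steps in that strategy can be made concrete. The following Go program is an added example written for this page; it is not code from Polsinelli or from any vendor mentioned above. The credential inventory, the HR separation list, the 90-day idle threshold, the 07:00–19:00 UTC change window and the four log lines are all constructed assumptions. It first flags privileged credentials to disable (the owner has left, or the credential has gone unused past the threshold), then raises alerts over a privileged-activity log whenever a flagged credential is used or a privileged action happens outside the change window.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// PrivilegedAccount is one row of a (constructed) inventory of admin and service credentials.
type PrivilegedAccount struct {
	Name      string
	Owner     string
	LastLogin time.Time
}

// AuditPrivilegedAccounts applies the strategy's first two steps and returns credential -> reason
// for everything to disable now: the owner is a former employee, or it has not been used within maxIdle.
func AuditPrivilegedAccounts(inv []PrivilegedAccount, former map[string]bool, now time.Time, maxIdle time.Duration) map[string]string {
	disable := map[string]string{}
	for _, a := range inv {
		switch {
		case former[a.Owner]:
			disable[a.Name] = "owner " + a.Owner + " is a former employee"
		case now.Sub(a.LastLogin) > maxIdle:
			disable[a.Name] = "unused since " + a.LastLogin.Format("2006-01-02")
		}
	}
	return disable
}

// PrivilegedEvent is one parsed line of a privileged-activity log.
type PrivilegedEvent struct {
	At      time.Time
	Account string
	Action  string
}

// ParseLog reads lines in the constructed format "<RFC3339 time> <account> <action...>" and
// rejects a malformed line instead of silently skipping it.
func ParseLog(raw string) ([]PrivilegedEvent, error) {
	var events []PrivilegedEvent
	for _, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		f := strings.Fields(line)
		if len(f) < 3 {
			return nil, fmt.Errorf("malformed log line: %q", line)
		}
		at, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, fmt.Errorf("bad timestamp in %q: %w", line, err)
		}
		events = append(events, PrivilegedEvent{At: at, Account: f[1], Action: strings.Join(f[2:], " ")})
	}
	return events, nil
}

// Alerts is the monitoring step: any action by a credential the audit said to disable, and any
// privileged action outside the assumed 07:00-19:00 UTC change window, produces an alert line.
func Alerts(events []PrivilegedEvent, disabled map[string]string) []string {
	var out []string
	for _, e := range events {
		ts := e.At.UTC().Format(time.RFC3339)
		if reason, ok := disabled[e.Account]; ok {
			out = append(out, fmt.Sprintf("%s ALERT disabled-credential-used account=%s action=%q (%s)", ts, e.Account, e.Action, reason))
		}
		if h := e.At.UTC().Hour(); h < 7 || h >= 19 {
			out = append(out, fmt.Sprintf("%s ALERT out-of-hours-privileged-action account=%s action=%q", ts, e.Account, e.Action))
		}
	}
	return out
}

// sampleInventory and sampleLog are constructed data, not taken from any real system.
func sampleInventory() []PrivilegedAccount {
	d := func(y int, m time.Month, day, h, mi int) time.Time { return time.Date(y, m, day, h, mi, 0, 0, time.UTC) }
	return []PrivilegedAccount{
		{"adm-alice", "alice", d(2024, 3, 5, 9, 5)},
		{"adm-bob", "bob", d(2024, 3, 4, 22, 40)},
		{"adm-dave", "dave", d(2023, 10, 1, 8, 0)},
		{"svc-backup", "alice", d(2024, 3, 5, 3, 12)},
	}
}

const sampleLog = `2024-03-04T10:15:00Z adm-bob create-user
2024-03-04T22:40:00Z adm-bob grant-role domain-admin
2024-03-05T09:05:00Z adm-alice reset-password svc-backup
2024-03-05T03:12:00Z svc-backup read /finance/export`

func main() {
	now := time.Date(2024, 3, 6, 0, 0, 0, 0, time.UTC)
	// "alice" appears on HR's (constructed) separation list.
	disabled := AuditPrivilegedAccounts(sampleInventory(), map[string]bool{"alice": true}, now, 90*24*time.Hour)
	events, err := ParseLog(sampleLog)
	if err != nil {
		panic(err)
	}
	fmt.Println("to disable:", disabled)
	for _, a := range Alerts(events, disabled) {
		fmt.Println(a)
	}
}
```

Two design points matter in practice: the audit keys on the human owner rather than the credential name, so a service account tied to a departed employee is caught alongside that person's own admin login, and the parser fails closed on a malformed line, because a monitoring pipeline that quietly drops lines it cannot read is exactly where an intruder's activity goes unnoticed.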

Challenge No. 2: The Careless or Under-Informed Employee

An employee who jumps out of an Uber or taxi and forgets the unlocked work iPhone presents as much of a security risk as a disgruntled employee intentionally leaking information to a competitor. Similarly, employees who are not trained, or not trained in time, in security best practices, and who may use weak passwords, visit unauthorized websites, click on hyperlinks in suspicious emails or open email attachments from unknown senders, pose great challenges to employers’ systems and data.

Strategy: Train; train; train. Train employees on security best practices and offer ongoing support and supplemental training. Such training should include password management and how to avoid being hacked through improper, and sometimes criminal, activity such as phishing and keylogger scams. Require employees to use strong passwords on all work-related devices (or any device used for work-related reasons). Other password requirements could include a separate password for each registered site, a defined period within which passwords must be changed, and an automated password management system. Further, an employer could deploy validated encryption for company data that would allow its IT department to execute a selective wipe, by revoking the decryption keys used specifically for employer data, when an employee’s work-related device is lost or stolen. Other lines of defense can be found in multifactor authentication methods such as a one-time password (OTP), RFID, smart card, fingerprint reader or retina scanning. Even if a password becomes compromised, such a second factor could mitigate the risk of a breach.

Challenge No. 3: The Bring-Your-Own-Device (BYOD)

Employers face a heightened vulnerability when employees use mobile devices, particularly their own, to share data, access the employer’s information or neglect to change their mobile passwords. One recent study reports mobile security breaches affected more than 66% of global organizations in the last year. As more employers embrace BYOD, they risk exposure when employees use such devices on the company network, behind a firewall (including via a virtual private network), where an app on the device could install malware or other Trojan software to access the device’s network connection.

Strategy: Develop and implement a specific BYOD policy. Such a policy could better educate employees on device expectations, and employers can better monitor email and documents being downloaded to employer- or employee-owned devices.

Challenge No. 4: The Cloud

Strategy: The best strategy to combat a cloud-based threat is to utilize strong data-level cloud encryption and retain the keys exclusively, to prevent any unauthorized third party from accessing employer data even if it resides on a public cloud.
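The selective wipe by key revocation described under Challenge No. 2 and the retain-the-keys cloud strategy here rest on the same design: each piece of data is encrypted under its own data key, that data key is wrapped under a key only the employer holds, and revoking the employer-held key makes everything encrypted for that device or dataset permanently unreadable without touching the stored copies, wherever they are. The following Go program is an added example, not code from the original post or from any key-management product; the KeyServer type, the device identifier and the sample plaintext are constructed assumptions standing in for a real KMS or HSM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Envelope is what is stored on the device or in the cloud: data encrypted under a fresh
// data-encryption key (DEK), plus that DEK wrapped under the employer's key-encryption key (KEK).
type Envelope struct {
	WrappedDEK []byte // AES-GCM(KEK, DEK), nonce prepended
	Ciphertext []byte // AES-GCM(DEK, data), nonce prepended
}

// KeyServer stands in for the employer's KMS/HSM: the only holder of KEKs, one per device.
type KeyServer struct{ keks map[string][]byte }

func NewKeyServer() *KeyServer { return &KeyServer{keks: map[string][]byte{}} }

// randomBytes draws n bytes from the CSPRNG; a failing CSPRNG is fatal, not recoverable.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// Register issues a KEK for a device. The KEK never leaves the KeyServer.
func (ks *KeyServer) Register(device string) { ks.keks[device] = randomBytes(32) }

// Revoke is the selective wipe: discarding the KEK leaves every Envelope for the device
// in place but permanently unreadable, wherever copies ended up.
func (ks *KeyServer) Revoke(device string) { delete(ks.keks, device) }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aeadSeal encrypts with a random nonce and binds aad (the device id) to the result.
func aeadSeal(key, plaintext, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, aad), nil
}

// aeadOpen reverses aeadSeal; it fails on a wrong key, wrong aad or any tampering.
func aeadOpen(key, blob, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < g.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], aad)
}

// Encrypt protects data for a device under a one-time DEK and wraps that DEK.
func (ks *KeyServer) Encrypt(device string, data []byte) (Envelope, error) {
	kek, ok := ks.keks[device]
	if !ok {
		return Envelope{}, fmt.Errorf("device %q is not registered", device)
	}
	dek := randomBytes(32)
	ct, err := aeadSeal(dek, data, []byte(device))
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := aeadSeal(kek, dek, []byte(device))
	return Envelope{WrappedDEK: wrapped, Ciphertext: ct}, err
}

// Decrypt unwraps the DEK with the device's current KEK, then opens the data; after Revoke,
// or under a replacement KEK issued later, the unwrap step fails.
func (ks *KeyServer) Decrypt(device string, env Envelope) ([]byte, error) {
	kek, ok := ks.keks[device]
	if !ok {
		return nil, fmt.Errorf("access for device %q has been revoked", device)
	}
	dek, err := aeadOpen(kek, env.WrappedDEK, []byte(device))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return aeadOpen(dek, env.Ciphertext, []byte(device))
}

func main() {
	ks := NewKeyServer()
	ks.Register("phone-42") // constructed device id
	env, _ := ks.Encrypt("phone-42", []byte("client list, Q1 pricing")) // constructed data
	pt, _ := ks.Decrypt("phone-42", env)
	ks.Revoke("phone-42") // device reported lost
	_, err := ks.Decrypt("phone-42", env)
	fmt.Printf("before revoke: %q; after revoke: %v\n", pt, err)
}
```

The property that matters for both strategies is where the KEK lives: the device and the cloud provider only ever hold envelopes, so a lost phone or a provider-side breach yields ciphertext alone, and the employer can revoke access from its own key store without needing the device back or the provider's cooperation. Re-registering a device after a wipe issues a new KEK, which deliberately does not bring the old data back.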

Overall Strategic Plan: For most employers today, a security or data breach is no longer a matter of “if” but “when.” To minimize any resulting impacts from a security breach and leak, employers should conduct a risk assessment to identify where valuable data resides and what controls or procedures are in place to protect it. Then, employers should build out a comprehensive incident response (including disaster recovery/business continuity) plan, identify who will be involved (IT, legal, HR, public relations, executive management) and test it.