Industry News & Leadership · May 09, 2026

One in eight UK workers has sold their company passwords, and bosses think it’s fine

Graham Cluley · Archived May 09, 2026

One in eight UK workers admits to selling their company login credentials - or knowing someone who has - in the past 12 months. The really alarming bit? Their bosses are even more relaxed about it. Read more in my article on the Fortra blog.



It's all very well defending your organization from external hackers and malware attacks, but your systems are only as strong as the people to whom you have handed the keys. According to new research, an uncomfortable number of people appear willing to sell critical credentials and passwords to the highest bidder.

The Workplace Fraud Trends report, published by Cifas, claims that an eyebrow-raising 13% of those surveyed (roughly one in eight) have either sold company login details in the past year, or know someone who has.

Survey respondents were presented with five fictional scenarios involving workplace fraud, which included bogus references, moonlighting for competitors, fiddling expenses, and gambling with company money. However, the one of most interest to cybersecurity-minded readers is the credential-selling scenario, where an employee hands over their logins on the assumption that it is "harmless one-time access."

Who are the worst offenders according to the study? No, not disgruntled junior staff who resent not being properly paid. The surprising news is that bosses are likely to be putting companies most at risk. As Infosecurity Magazine reports, 32% of senior managers, 36% of directors, 43% of C-suite executives, and a frankly gobsmacking 81% of business owners seem to believe that selling company credentials is "justifiable."

Just to remind you: if an unauthorized party is given login credentials to your firm's network, they have the same level of trusted access as a legitimate user. Access to sensitive data and systems is the stuff of cyber-criminal dreams. A set of working login credentials is, by far, the most efficient way that an attacker could hope to get past your defenses, bypassing the layers of protection that have been put in place by IT teams to keep out cyber-criminals.
Rachael Tiffen, director of learning at Cifas, says that it is essential for staff at all levels to understand their responsibilities when it comes to preventing fraud, and the consequences of their actions.

As more and more people tighten their belts due to economic hardship, or feel their jobs are at risk due to cost-cutting, the roll-out of AI, and the threat of redundancy, there will be greater temptation than ever to sell company credentials to potential cyber-criminals.

Organizations should not pretend that the problem highlighted by this study will solve itself. Strong technical controls, such as multi-factor authentication, conditional access policies, monitoring IP addresses of devices logging in, and unusual device fingerprints, can make a sold password considerably less useful on its own.

Furthermore, companies would be wise to consider whether the people they have employed can be trusted not to have shared their credentials with others, regardless of how high up the corporate ladder they might have reached.

Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor and do not necessarily reflect those of Fortra.