A new study by Adobe projects Holiday Ecommerce To Hit Record $107B in 2017; Mobile Will Lead In Visits, based on Adobe data capturing an estimated 80% of online transactions from the top 100 US Web retailers.
Employees who use their corporate email accounts (either to shop or to verify ID for a personal email account) can substantially increase their employer’s risk of cyber breach-enabling compromised credentials. IT security experts from InfoArmor commented below.
Christian Lees, Chief Information Security Officer at InfoArmor:
“Many organizations experience their peak season of compromised corporate credential ingestion during the holiday season. Considering the tremendous amount of time individuals spend at work, naturally some of our personal behavior weaves its way into our corporate environment. For example, mailing lists and 3rd party site enrollment tends to peak during holiday season, often due to retailer campaigns, targeting marketing and consumer behavior. Often, consumers use corporate credentials to shelter spending habits, tend to use their work email more than others, or naturally keeping the gift a secret in anticipation for the holidays. While these behaviors are understandable, these actions tend to greatly endanger the employees’ organization.”
Byron Rashed, Vice President of Global Marketing, Advanced Threat Intelligence at InfoArmor:
“Whenever one makes an online purchase, utilizes Websites that require a username and password, or performs an ecommerce transaction,
they should never use their corporate credentials. However, there are exceptions – especially when using cloud services for work-related
projects, etc. If using a corporate email address to login to a site for work related projects, employees should never use their corporate passwords.
“Most compromised credential breaches do not occur within the organization – they are usually compromised through a 3rd party site where the user has created an account using their corporate email, and in many cases with the same corporate password. If the 3rd party site is breached, this is literally giving the threat actor “the keys to the kingdom.”
“It’s important that users are trained by HR and the IT team to follow a few simple procedures:
- Never use your corporate credentials for 3rdparty sites unless it’s necessary for work related projects.
- If you need to use your corporate credentials for 3rdparty sites, ensure that your password is very different than your corporate password.
- Use complex phrases as passwords and modify characters if possible, an example would be “EyeLuvHawa11” or similar combinations that are uncommon. There are many tools a threat actor can use to try to guess your password.
- Do not use common phrases or words that can be found out by a threat actor. An example would be a spouse or child’s name, pet’s name, etc. Much of this information can be found easily on the Internet and social media sites. Threat actors are very cunning in guessing obvious password phrases.
- If your credentials and password are compromised from the 3rdparty site, reset your password and inform your IT department immediately even though you did not use your corporate password, better safe than sorry. Your IT security staff will most likely have you reset your corporate password to be safe.
- It is imperative that one never uses their corporate credentials (username or password) for personal use, especially during the holiday season when making online purchases.
“Physically, everyone should ensure that mobile, tablets and laptops have password or passcodes on them to access the device, and be vigilant about keeping them nearby and protected. An obvious potential danger is in the latest version of iOS where “keychain” can be easily accessed through settings. The user names and passwords are available in this feature. If the device is lost or stolen and no passcode protection is on the device, all the user’s accounts within keychain are at risk.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.