A new study by Adobe projects "Holiday Ecommerce To Hit Record $107B in 2017; Mobile Will Lead In Visits," based on Adobe data capturing an estimated 80% of online transactions from the top 100 US Web retailers.
Employees who use their corporate email accounts (either to shop or to verify ID for a personal email account) can substantially increase their employer’s risk of compromised credentials that enable a cyber breach. IT security experts from InfoArmor commented below.
Christian Lees, Chief Information Security Officer at InfoArmor:
Byron Rashed, Vice President of Global Marketing, Advanced Threat Intelligence at InfoArmor:
they should never use their corporate credentials. However, there are exceptions – especially when using cloud services for work-related projects, etc. If using a corporate email address to log in to a site for work-related projects, employees should never use their corporate passwords.
“Most compromised credential breaches do not occur within the organization – they are usually compromised through a 3rd party site where the user has created an account using their corporate email, and in many cases with the same corporate password. If the 3rd party site is breached, this is literally giving the threat actor “the keys to the kingdom.”
“It’s important that users are trained by HR and the IT team to follow a few simple procedures:
- Never use your corporate credentials for 3rd party sites unless it’s necessary for work-related projects.
- If you need to use your corporate credentials for 3rd party sites, ensure that your password is very different than your corporate password.
- Use complex phrases as passwords and modify characters if possible, an example would be “EyeLuvHawa11” or similar combinations that are uncommon. There are many tools a threat actor can use to try to guess your password.
- Do not use common phrases or words that can be found out by a threat actor. An example would be a spouse or child’s name, pet’s name, etc. Much of this information can be found easily on the Internet and social media sites. Threat actors are very cunning in guessing obvious password phrases.
- If your credentials and password are compromised from the 3rd party site, reset your password and inform your IT department immediately even though you did not use your corporate password; better safe than sorry. Your IT security staff will most likely have you reset your corporate password to be safe.
- It is imperative that one never uses their corporate credentials (username or password) for personal use, especially during the holiday season when making online purchases.
“Physically, everyone should ensure that mobile, tablets and laptops have password or passcodes on them to access the device, and be vigilant about keeping them nearby and protected. An obvious potential danger is in the latest version of iOS where “keychain” can be easily accessed through settings. The user names and passwords are available in this feature. If the device is lost or stolen and no passcode protection is on the device, all the user’s accounts within keychain are at risk.”
The opinions expressed in this article belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.