It emerged this week that NSA whistleblower Edward Snowden actually persuaded up to 25 NSA workers at a Hawaii spy base to hand over their passwords – Snowden then used the details to access classified material that he subsequently leaked to the media. Several of the NSA workers who handed over their login credentials have apparently now been removed from their positions.
Social engineers often rely on the natural helpfulness of people to phish their details. Snowden simply asked employees for their login credentials with the pretext that he needed them to do his job as a system analyst. The well-intentioned workers handed them over to the NSA's cost, as well as their own.
Have your employees ever handed over passwords to people who probably shouldn't have them? Do you know everyone who has access to your Wi-Fi network, for example?
Password policies all seem a bit pointless if employees willingly hand over your company's passwords to people who shouldn't have them. In the case of the NSA it resulted in top secret documents being leaked to the media. In the average company it could mean financial and reputational loss resulting from those with malicious intent having access to company accounts. The company website being vandalized, LinkedIn accounts being deleted and abusive social media messages being sent out are all common outcomes of passwords falling into malicious hands, whether those of a competitor or a hacker.
While many employees are aware of the need to use different, strong passwords, fewer are aware of the phishing and social engineering scams that relieve them of their passwords without their realising it. Education is one way to mitigate the risk of employees handing over passwords in good faith to people with malicious or criminal intentions.
Ensure employees know about phishing, spoofing and social engineering scams. For example, employees should know never to click a link in an email and then enter login credentials, and never to give out passwords over the phone, even if the caller makes it sound absolutely vital that they do so. If someone legitimately needs a password, they will be able to obtain it through the appropriate channels. Employees shouldn't take it upon themselves to 'do good' and help someone out by handing over a password.
Ultimately, though, the weak link is still the employee who is in the position of knowing passwords and being susceptible to being tricked into handing them over. my1login provides a solution that mitigates the risk of employees being the weak link.
my1login makes it extremely difficult for employees to be socially engineered as they don't have to know the passwords for their business accounts. Where employees do know the passwords, those passwords are so complex they would find it extremely difficult to convey them either verbally or by writing them down.
With my1login, all business accounts can be protected using super-strong passwords and crucially, employees can access business systems without actually seeing the passwords that protect individual accounts. This provides the ultimate protection of employees not being able to disclose passwords to malicious individuals because they don't actually know the password themselves.
Where employees are given visibility of the passwords, their strength actually makes it extremely difficult for an employee to convey a password verbally should they be asked for it. Can you imagine an employee trying to relay s<^ackVojaf1D+pn{ZAz<xaXbRHlX# to a malicious caller asking for their password? There are some characters in that password that employees are unlikely even to know how to describe ("^" is called a caret, incidentally).
my1login provides the facility for securely sharing passwords (where permitted). It's only possible to give a password to someone if that person has been added to the system by the business. So, if an employee is asked to share a password with someone who isn't on the system, they are unable to do so, and it should raise a red flag for the employee.
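As an added illustration (this is not my1login's code; the broker design and all names are hypothetical), here is a minimal Python model of the two controls described above: an entitled employee uses an account through a broker that answers the login challenge on their behalf, so the vault-generated password is never disclosed to them, and sharing is refused for anyone the business has not enrolled.

```python
import hashlib, hmac, secrets

class CredentialBroker:
    def __init__(self):
        self._passwords = {}    # account -> password; no method ever returns it
        self._grants = {}       # account -> set of users entitled to use it
        self._enrolled = set()  # users the business has added to the system

    def enroll(self, user):
        self._enrolled.add(user)

    def add_account(self, account, owner, length=32):
        # Vault-generated password: long, random, never shown to or typed by a person.
        if owner not in self._enrolled:
            raise PermissionError(f"{owner} is not enrolled")
        self._passwords[account] = secrets.token_urlsafe(length)
        self._grants[account] = {owner}

    def can_use(self, account, user):
        return user in self._grants.get(account, set())

    def share(self, account, from_user, to_user):
        # Sharing only between enrolled users; an outsider's request fails loudly.
        if not self.can_use(account, from_user):
            raise PermissionError(f"{from_user} has no access to {account}")
        if to_user not in self._enrolled:
            raise PermissionError(f"{to_user} is not enrolled; refusing to share")
        self._grants[account].add(to_user)

    def respond(self, account, user, challenge):
        # Broker answers a login challenge for the user: a one-off proof of
        # possession is returned, never the password itself.
        if not self.can_use(account, user):
            raise PermissionError(f"{user} has no access to {account}")
        key = self._passwords[account].encode()
        return hmac.new(key, challenge, hashlib.sha256).hexdigest()

def demo():
    # Constructed scenario: alice and bob are enrolled; "helpful-caller" is not.
    broker = CredentialBroker()
    broker.enroll("alice")
    broker.enroll("bob")
    broker.add_account("crm", "alice")
    broker.share("crm", "alice", "bob")          # legitimate, in-system sharing
    try:
        broker.share("crm", "bob", "helpful-caller")
    except PermissionError:
        return broker, "refused"
    return broker, "shared"
```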