Have password, will sell!?

We just went to see the new Jason Bourne movie. Without giving anything away, the movie is light on accuracy as far as computers and cyber security go. For example, whoever approved the throwaway line that they were going to “use SQL to corrupt their databases” should get a new fact checker.

But I guess that’s to be expected in a platform that’s catering to as broad an audience as possible – they can’t afford to lose anyone by requiring heavy thinking. It goes without saying that a suspension of disbelief is required whenever action is connected to a movie. We were happy to play along for the 2-hour duration of the movie.

If you liked the 3 movies based on the Robert Ludlum books – like our group did – you won’t have a problem enjoying this one. My only problem with the movie was that the head of the CIA Cyber Ops Division, Agent Heather Lee, sulks throughout the movie.

On the way home, I got to thinking about how a movie like this matches up to real life. Specifically, I remembered the survey of employees conducted by the Vanson Bourne (no known relation to Jason) research firm on behalf of SailPoint Technologies.

The survey involved organizations with at least 1,000 employees. (These are big companies with lots of policies – including security policies!) As indicated in the research methodology section of the report, the survey was given to office workers. While that surely covers a broad range of functions from folks in the mail room to admin personnel, low-/mid-/high-level managers, directors – all the way up to executives, there’s no reason to suspect that these were temps or day laborers. (I would think that temporary workers would have been ruled out of consideration for the survey. In my opinion, including these – albeit necessary – employees would needlessly impact the findings, since these folks might not have undergone security policy indoctrination.)

The point I’m making is that these weren’t teenagers flipping burgers after school, or a pizza delivery driver. These are folks who presumably have some vested interest in working at the company (even if only at the basic level of getting a regular paycheck). These were folks who had earned some level of trustworthiness at their company. Let’s see what they had to say.

Survey says…

20% of respondents said that they would sell their work-related passwords to someone outside the company.

What?? Do these employees see themselves as some sort of cyber villains?

26% of employees admitted to uploading sensitive information to cloud apps with the specific intent to share that data outside the company.

It’s unclear whether these folks wanted to provide the information to someone else to undermine the company (i.e. industrial espionage), or were somehow using the data for themselves in a manner that did not compete with their company – which, though still a violation of company policy and still potentially against the law, would at least remove the taint of industrial espionage. I did not find whether the self-confessed violators benefited financially or otherwise from any such transaction.

A few years back, I had an assignment to read a business case of Sears, the mega retail corporation. A shocking aspect of the study was that when asked what their primary responsibility was, the number one answer given by store employees (not the office workers at corporate) was to stop customers from stealing.

All retail stores have what they call ‘loss prevention’ programs to cover product that is stolen by customers, as well as product that is taken by employees before it gets on the shelves.

This is an entirely different paradigm from what is being brought up by SailPoint. We’re talking about office employees, not hourly store employees who tend to be more transient. (That’s not to say that office employees aren’t hourly, just that their view of the business is very different from the folks on the shop floor.)

One group thought their primary job was to stop others from stealing, while a significant percentage of the other group thinks stealing is fine.

Maybe it’s the virtual feel of passwords that doesn’t make it seem like stealing?

The SailPoint survey doesn’t take into account the problem of the ‘disgruntled’ employee. Even so, we can probably assume that the 20-25% of employees who would be willing to sell authentication data are not – for the most part – currently pissed off at management and seeking revenge, which would be the case with the disgruntled employee. We have no information to think that some significant portion of these folks are seeking revenge. All we have to go on is that they would be willing to sabotage the company for money.

An appropriate follow-up question would have been: have you ever sold or disclosed your employer’s password (at your current or a previous job) to an unauthorized individual or company?
Sticky Password recommends using a password manager and activating multi-factor authentication (two-factor authentication) where available for the sites and applications you use.