Oversharing: Passwords, but not Toothbrushes!?
Potentially significant security risks from your employees’ significant others
What would you be more likely to share with your partner? Your toothbrush? Or your work password? Only about 10% of people polled are willing to share their toothbrush, but twice as many are willing to share their work password!
People share a lot with their significant other, most of which makes for healthy relationships. However, there is such a thing as oversharing, especially when it comes to the security and privacy of your workplace. Analyzing data from a recent study by Intel Security, we found that people are not only surprisingly willing to share their workplace information with their partner, but that in too many cases, this sharing had potentially serious consequences.
First, let’s take a look at the major sharing questions:
- 21% of respondents do or would share their work passwords with their significant other
- 34% would allow their significant other to use their work device
- 33% might let their significant other use their work device, depending on the situation
There is a lot of sharing happening at home, beyond dinner table conversations. You might think that this is all relatively harmless, and no worse than the discussions that happen between partners in response to “how was your day?”. But when we examined the consequences of sharing a work device, the results were quite significant.
The most likely effect of sharing a work device is that your employee’s partner gets a look at a confidential email. This happened 14% of the time, and most of the partners respected the confidentiality. However, 2% of the time, the confidential info was repeated to someone else. For an organization with 25,000 employees, that represents 3,500 potential leaks and 500 actual leaks of confidential info!
The next most likely consequence is an email being accidentally deleted, which happened 11% of the time. This one is probably recoverable in most email systems, as long as the partner quickly discloses their mistake, but it still represents 2,750 deleted emails for our example organization. A further 9% accidentally responded to a colleague, 8% accidentally responded to a client, and 5% accepted or altered a calendar invitation. These are potentially more serious consequences to recover from than simply restoring a deleted email.
Finally, 7% opened an email that had malware on it, which infected the device, and a further 5% accidentally locked the device with too many failed password attempts. For our example organization, this means 1,750 infected devices that need to be cleaned, and 1,250 devices that need to be unlocked.
These examples help demonstrate the importance of continuing security education and awareness training for your employees. Since providing security training for your employees’ families is outside your scope, strongly consider implementing additional security measures like multi-factor authentication or biometrics on hardware devices and software applications that are located outside the corporate network. Adding another layer of protection goes one step further toward ensuring that things don’t happen beyond your control, and maybe comparing work devices to toothbrushes will discourage oversharing!