Credential compromise is an ever-growing concern for organizations nowadays. The volume of exposed corporate credentials has nearly tripled between 2016 and 2017 according to a recent report, which also claimed that nearly 77% of the Financial Times Stock Exchange 100 were exposed with an average of 218 stolen credentials per organization in a 3-month span. Most credential exposures occur beyond the company’s perimeter due to the vulnerabilities in third party websites where employees use their business email to sign up. The existence of these corporate credentials on the web makes organizations vulnerable to corporate espionage, social engineering, spearphishing, and credential stuffing, which is the use of an extensive pool of exposed corporate credentials to breach other systems where the same credentials might have been used. Many organizations remain unaware about online data breaches and the risks involved. If an employee created an account on an online service (such as social media) with their business email, following which that online service suffered a breach and the credential data was leaked, that employee’s password or password hash may be available to attackers. In case the employee used the same password on that online service as they do for their business email/VPN, this can result compromise of business credentials and unauthorized access.
Need for a Policy
All organizations need to have a framework and policy in place for the proper use of corporate email addresses which should include best practices, do’s, and don’ts. Employees should be made aware of the risks of reusing business email and passwords for non-work related purposes. The following is a template of guidelines for employees’ corporate email usage:
Unacceptable behaviour using corporate emails:
• Set up personal businesses or accounts. • Sign up for illegal, unreliable, disreputable, or suspicious websites and services. • Send out spam emails.• Sign up for any social media networks (some exceptions may apply, such as for the marketing department). • Distribute or store any content that might be considered indecent or illegal. • Broadcast unsolicited personal views on non-business related matters. • Introduce any form of computer virus or malware into the corporate network.
Appropriate use of corporate email:
• Communicate with current or prospective customers and partners. • Log in to purchased software they have legitimate access to. • Distribute their email address to people they meet at conferences or other corporate events for business purposes and networking. • Register for online subscription services like newsletters or platforms that will help them with their jobs or professional growth. • Best Practices for Email security • When signing up for a third party website using a business email address, use a strong password which has not been used on any other sites before. • Have two-factor authentication enabled on all possible accounts. • Change business email passwords every few months, and possibly also after a breach of a popular third party site. • Remember passwords instead of writing them down.
Recommendations
• Have an enforced policy in place that employees are well informed about. • Have auditing enabled in your internal network as well as cloud infrastructure to monitor any bruteforce or credential stuffing attempts. • Stay informed about breaches containing your organization’s business email addresses using a monitoring service. • When notified of a breach affecting a third party site, ensure all corporate users affected by that breach are informed so that they do not use the exposed password again.