Employees are putting business accounts at risk by recycling credentials

Many remote workers are disregarding cybersecurity best practices, putting organizations at serious risk of data breaches.

This is according to a new report from automation platform Ivanti, based on a poll of 1,000 UK consumers, which states that a fifth of respondents regularly reuse their business email addresses and passwords to log into consumer websites and applications.

They often use their work credentials for food delivery apps, online shopping websites, and even dating services.

But it's not entirely the fault of employees; many organizations actually allow for the convergence of business and private devices, while others do not have strong security policies in place. The report states that almost four in ten respondents can use their personal devices to access company applications and networks, and a third said their employer does not require the use of a VPN.

Using the same login credentials across different services is an extremely risky practice, which becomes even riskier when business credentials are involved. If any one of the services is breached and the login credentials are compromised, every account that shares those credentials is exposed. Criminals will often try various login combinations against different online services, in a bid to take advantage of credential recycling.

“By reusing passwords and failing to implement corporate workspace segregation policies and multi-factor authentication, businesses are increasing their risk of falling victim to credential stuffing attacks,” said Nigel Seddon, VP EMEA West at Ivanti.

“Given that there has been a recent increase in the number of data breaches targeting consumer-based companies and online communities, it is very likely that enterprise email and passwords are already exposed on the dark web. Companies across all industries must implement a Zero Trust model to ensure that entities accessing corporate information, applications, or networks are valid and not using stolen credentials.”