Recently, a hacker posted a number of usernames and passwords for Dropbox. Considering how many companies are now using Dropbox and other cloud-based providers to share documents, this is obviously a problem. But it does not appear that Dropbox itself was hacked. Instead, as noted by this Slate article, the hacker likely targeted smaller sites with weaker security:
The most likely source of the information is a third-party site that had poor security. Hackers know that most internet users re-use their passwords, so they often target smaller apps made by amateur developers. These easy targets have poor security — so usernames, passwords or files may be stored in a way that’s easy for hackers to steal them.
In other words, most people use the same passwords across multiple sites. Including your employees. This is a BIG problem. Forgive the cliché, but password protection is only as good as the weakest link in the chain. You can spend millions of dollars protecting your network and proprietary information. But if another site where your employees have accounts is hacked, and your employees use the exact same passwords there as they use for your network, your network and information are at risk.
I cannot overstate the importance of making sure that your employees don’t use the same password for your system that they use for other sites. You need to make employees aware of this rule, and strictly enforce it. One option is to create passwords for your employees instead of allowing them to create their own. And change the passwords routinely. Also, as biometric technology develops and becomes more affordable, it presents another option.
There’s a reason we all use the same passwords across multiple sites: it makes life easier. But you need to ensure that your employees don’t allow their convenience to threaten your company.