Organizations around the world are ready to put the pandemic behind them, but as we know, it fundamentally changed much about our world. The momentum that propelled the digital age forward during that time meant workplaces went hybrid and employees juggled a growing number of logins. What hasn’t changed is employees’ bad passwords habits – and the crimeware tools explosion that continues to reward cybercriminals while leaving organizations more exposed.
For the third year in a row, SpyCloud has analyzed our entire database of more than 200 billion assets recaptured from the criminal underground to understand the scope of exposure among the world’s largest and most sophisticated organizations: the Fortune 1000 and London’s FTSE 100 organizations (and their subsidiaries). Our two separate 2022 reports uncovered that bad cyber hygiene crosses cultural and geographic borders.
We found some of the same patterns on both sides of the pond. Let’s take a look at some of the key findings across Fortune 1000 and FTSE 100 employees.
Rampant Password Reuse is a Shared Problem
Among both Fortune 1000 and FTSE 100 companies, we found a 64% average password reuse rate. (We calculated this rate separately for each dataset by taking the number of employees using the same exposed plaintext password across multiple sites, then dividing it by the number of all employees with exposed passwords.)
This rate is 4 points higher than the 60% reuse rate across our entire database – and a reminder why old exposures are just as damaging as new ones. For months and even years, cybercriminals can leverage these leaked credentials to launch ransomware attacks and perpetrate fraud schemes. Which explains why CISOs, in particular, are growing more concerned about the high password recycling rates among their employees.
Exposure From Data Breaches is Growing by Double Digits
One of the key data points we look at is the number of breach assets we’ve recaptured, which tells us the magnitude of the corporate exposure. A breach asset is an individual piece of data tied to a user that has been exposed in a breach, such as their password, phone number, or even credit rating. Cybercriminals use these bits of information in phishing and social engineering schemes to gain access into the corporate network or in fraud schemes to take over accounts and impersonate employees.
We can tie 687.23 million breach assets directly to Fortune 1000 employees and 51 million breach assets to employees of FTSE 100 companies and their subsidiaries. Each of these numbers represents double-digit growth from the previous year (26% and 29%, respectively).
We also found a staggering number of corporate email addresses and plaintext passwords in our dataset – 27.36 million pairs of credentials associated with Fortune 1000 employees and 2.75 million credential pairs associated with FTSE 100 and subsidiary employees.
Cybersecurity experts often warn that cybercriminals’ techniques grow more sophisticated every year. While that’s true, the staggering exposure numbers indicate that malicious actors don’t need sophisticated techniques to breach corporations – why bother when they have such a bountiful cache of compromised logins.
The Financial Sector Leads the Way in PII Exposure
Human behavior and criminal activity are not beholden to a certain geographical region, and unfortunately financial companies are giving cybercriminals equally rich opportunities to steal sensitive data and gain corporate access – thanks to their employees’ growing PII exposure.
Among Fortune 1000 companies, the financial industry has the highest PII asset exposure. The 70.78 million PII assets tied to financial companies comprise nearly 18% of the entire PII exposure of the Fortune 1000. On the other side of the pond, financials’ slice of the pie is even bigger – with the nearly 6.13 million PII assets tied to financial sector employees comprising almost 22% of total FTSE 100 PII exposure numbers.
The implications of these findings are concerning. Consumers trust financial companies with a lot of their PII and financial data, and guarding this information is a difficult task when your employees themselves have so much of their PII widely available to malicious actors who can use this information to craft detailed, credible spear phishing messages or answer security questions to reset MFA.
The More They’re Different, the More They’re the Same
We’d be remiss not to note that we did see some cultural differences reflected in our analysis. When it comes to their passwords, some Fortune 1000 employees’ favorites include variations of a certain four-letter word that’s not fit for print (which is ironic as it’s particularly popular among media companies). Their UK counterparts may be too polite, as that word doesn’t make it onto their most popular passwords list.
What FTSE 100 employees do have an affinity for, apparently, is their royals. Their #1 password? George. (For those not up on the latest royal gossip, the adorable 8-year-old Prince George is the firstborn of The Duke and Duchess of Cambridge, otherwise known as Prince William and wife Kate).
Despite those differences, we discovered that people’s habits are people’s habits wherever they live and work. “Password” and “123456” remain equally beloved passwords on both sides. And the use of their company’s name in their passwords is out of control among both Fortune 1000 and FTSE 100 employees. This is one of the worst shortcuts employees can take – and one of the first things criminals check for when trying to guess or crack passwords with their automated tools.
The Dangers of Malware Infections
Another trend worth mentioning in both reports is the growing number malware infections among these employees and the consumers of their companies, as data siphoned from infostealer malware is both extreme and highly valuable on the underground. We found nearly 70,000 infected employees of Fortune 1000 companies, and over 9,500 from the FTSE 100.
Malware infections pose severe risk for companies because they continuously expose data as long as the device is not remediated. Beyond account credentials, we’re talking browser history, autocomplete data, web session cookies, screenshots, system information, and more.
While the risks of an infection on a company-owned device are obvious, an infected system at home has the potential to expose work login credentials and data — and they typically aren’t monitored by corporate security.
The trends in our reports tells us that digital identity exposure is a growing, serious problem across the globe. The most effective way of protecting your enterprise from the risks posed by exposed employee data is by protecting employees from themselves – using technology to turn recaptured data from the criminal underground to your advantage. This is especially important since hybrid remote work now is commonplace and the lines between personal and work lives continue to blur.