This is a staggering statistic, but according to SailPoint's Market Pulse Survey, who surveyed 1,000 people working at large organisations, one in five employees would sell company access credentials to a third-party. Often, they would do so for less than $1,000 (USD), but some would also do so for less than $100.
Let's ignore for a moment what this says about employee loyalty, but concentrate on the effect that this would have on an organisation. With more and more companies relying on cloud-based infrastructure, employees aren't limited to having to be on company premises to access data. This also means that an attacker doesn't have to be on company premises. As a result, stolen (or purchased) credentials could be exploited with ease, potentially giving attackers access to confidential corporate documents, emails or even worse - access to company systems themselves. It begs the question, how many organisations would be able to detect when credentials were being misused?
The original document is worth a read and has other worrying statistics around password use, for example 32% of respondents share passwords with co-workers. In a world obsessed with accountability and audit trails, how can organisations be sure that the person on the end of the keyboard is that whom the credentials belong to?
Two-factor authentication tokens provide at least some mitigation to these concerns, but if an employee is willing to sell passwords then it wouldn't be too much of a stretch to say that they'd be willing to pass on two-factor tokens at the same time (on an on-demand basis).
Certainly some food for thought!
Furthermore, one in five employees said they would sell their work passwords to a third-party. In the United Kingdom, for instance, more than half of respondents who said they would sell their passwords, would do it for less than $1,000.