Mabel works in your Accounts Receivable department. She is a hard worker, likes long walks on the beach and loves cats. During breaks from managing accounts using Quickbooks Online and other SaaS products like Adobe and Dropbox, she is a moderator for extremecatloversforum.com. She does love cats. Mabel is quite good at accounting and has been with the company since it began.
She uses her company email for everything since it is her only email, and the IT department forces her to use a nice long and complex password that she memorized. Since it is an uncrackable password, she reuses it everywhere.
Breaching the Adobe and Dropbox databases yielded a rich list of emails, usernames, hashed "protected" passwords, and other personal details. Adobe and Dropbox patch the hole, immediately notify everyone, and forcibly reset all passwords. Extreme Cat Lovers Forum, however, run by a small group of cat enthusiasts, is not aware its data is leaking. No notifications. No password resets. No patch. No secure hashes. Simple clear-text data.
All three breaches open the company to direct attacks. There is nothing the company can do to stop the breaches, to stop Mabel from using her company email for personal use, to stop password reuse, or to stop an attacker from sending Mabel spear-phishing attacks.
Mabel’s account information is now available to the highest bidder. She has been around since the company started so her inflated access is a giant risk.
She is a prime spear-phishing target even after changing her password following a breach. Sophisticated attackers know her email and interests.
The longer employees are at the company, the more sign-ups for online services, the more SaaS services, the more third-party integrations, and the more external communication accumulate, and all of it brings more risk from data breaches outside your control.