LinkedIn Breach - Advice to Employers

Initially you might think this issue is limited to exposure of personal information of LinkedIn users and unauthorised access to the website, and potentially to others. Cyberis would urge employers and security professionals to consider the potential impacts of the LinkedIn breach on their organisation. Although the full scale of the security breach has not been published at this time, the exposure is unlikely to be limited to a leak of password information alone (see this Cyberis post).

The nature of the site is particularly important – LinkedIn is a professional social networking site, which directly associates its individual users with businesses and organisations. If further account information has been compromised, then the enterprise risk from ‘password re-use’ is likely to increase, given that known association.

The threat from users choosing the same, or similar, credentials for different websites and systems is well known. Most corporations deploy controls, such as two-factor authentication, to reduce the likelihood of unauthorised access from outside the organisation. With the increasing trend of SaaS and other cloud services operating outside the traditional security paradigm, corporations should review this risk scenario carefully.

The LinkedIn breach serves as a timely reminder for employers to monitor such indirect risks, and for colleagues to review their position with respect to password re-use and consider changing passwords, ensuring they are suitably complex and unique to each system.