This is a staggering statistic: according to SailPoint's Market Pulse Survey, which surveyed 1,000 people working at large organisations, one in five employees would sell company access credentials to a third party. Often, they would do so for less than $1,000 (USD), and some would do so for less than $100.

Let's ignore for a moment what this says about employee loyalty and concentrate on the effect this would have on an organisation. With more and more companies relying on cloud-based infrastructure, employees no longer have to be on company premises to access data. This also means that an attacker doesn't have to be on company premises. As a result, stolen (or purchased) credentials could be exploited with ease, potentially giving attackers access to confidential corporate documents, emails or, even worse, access to company systems themselves. It raises the question: how many organisations would be able to detect when credentials were being misused?

The original document is worth a read and has other worrying statistics around password use; for example, 32% of respondents share passwords with co-workers. In a world obsessed with accountability and audit trails, how can organisations be sure that the person on the end of the keyboard is the person to whom the credentials belong?

Two-factor authentication tokens provide at least some mitigation for these concerns, but if an employee is willing to sell passwords, it wouldn't be too much of a stretch to say that they'd be willing to pass on two-factor tokens at the same time (on an on-demand basis).

Certainly some food for thought!