Is Gmail Becoming a Security Threat?

First Cisco, Now Okta

In May 2022, Cisco was hit with a data breach that resulted in almost 3GB of data being stolen. You can read about what happened in more detail here, but the critical point is how the breach started – with an employee’s compromised Gmail account.

If you use Google Chrome and you sign into Gmail, it helpfully asks you if you would like to sign in to your Google account and sync across devices. This is of course extremely convenient, as most of us have multiple devices we use on a daily basis. This way, you have all of your stuff wherever you go – work laptop, home laptop, phone, tablet. Chrome will also offer to save passwords, so you don’t have to keep typing them in constantly. In some ways, this helps security – if you don’t have to worry about remembering a password, you’re less likely to choose a simple one or re-use a familiar one. Unfortunately, this means that those passwords are there, on any device you use, and if you slip up once, that opens you up not just to personal compromise but professional as well.

The same thing happened to Okta in 2023; the attackers targeted Okta’s customers by gaining access to their support logs, which included HAR files that had session tokens, and thus opened them up to session hijacking. The source of the hack was, again, an employee’s compromised Gmail account.

To be clear, this isn’t entirely Google’s fault – they take measures to protect Gmail accounts from compromise, arguably more than most other e-mail providers do. Users get prompted to review security settings regularly, they have a very robust spam filter, and they offer 2-factor authentication, which is a much better option than just using a password alone.

But humans are still the weakest link in the security chain, and the numbers don’t lie – over 80% of all data breaches involve the human element. And if you think that will get better, well, according to Forrester, in the future, that number will only increase to 90%. Not even Google can compete with the persistence of threats like phishing, credential stuffing, brute forcing, and the generally terrible password hygiene habits we all practice.

To Lock Down, or Not to Lock Down

When the internet first became widespread, many people only had access to it at work. Having a personal computer or laptop was not quite as common, and it was years before smartphones were introduced. This led to it being treated somewhat like the telephone – for the most part, some limited personal use should be considered acceptable. However, in light of the ever-expanding threat surfaces, it makes sense to have stricter policies regarding personal activity on work devices.

You could prevent users from signing in their personal Gmail/Google accounts at work (which is easy to do for both Gmail and Chrome. You can, in fact, turn off the ability to sign in via Chrome altogether if you don’t use Google as your identity provider.) This is definitely not going to win your IT Team any popularity contests, and it’s a bit of a draconian measure. Most people don’t consider it unreasonable to quickly check their personal e-mail at work; it could even negatively impact productivity if someone is constantly having to check their phone for an e-mail from their child’s school, for example.

A much better strategy is to implement passwordless authentication. This way, devices authenticate using a digital certificate instead of depending on a user to enter their username and password. It removes the risk of stored passwords because there simply aren’t any – which actually closes several avenues for potential breaches. Over 80% of all data breaches are related to credentials – weak, reused, easily guessed, or stolen, they remain the weakest link in your cybersecurity armor.

A huge challenge for security is balancing user experience with best practices – make things too locked down, and users will find ways around it. It’s incredibly rare to find a solution that is both more secure and better for the user, but passwordless authentication offers both! Logging into things is seamless and handled completely by the device exchanging the certificate with the identity provider – from the user’s perspective, they just open their laptop and boom, connected.

Another thing you may not realize is that passwords are costing you both time and money – an estimated $5.2 million per year, in fact, and 11 hours per employee. That adds up! And that’s not factoring in all the time spent training people not to click on phishing links with fake e-mails and endless training. Some estimates say that 3.4 billion phishing e-mails are sent every day! Given the prevalence of compromised passwords and the dire impacts a breach can have, it makes sense to get the best possible security measures available. Implementing passwordless authentication can save you time, frustration, money, and keep you safer – what’s not to love?