Google Apps, Slack, Salesforce, LinkedIn: each of these applications allows users to upload a profile photo. And yet, for some reason, very few employees select an official company headshot. From photos of children to family pets and office selfies, many choose a different image for each app.
So, what’s the big deal? Why should companies care that employees are not using their HR-approved headshot for business email and applications?
Security magazine spoke to David Meyer, VP of Product for OneLogin, who says that the wrong profile photo can hand attackers information they can use to break into accounts. "Since the majority of passwords are constructed from names of people or pets, when an employee's photo is his kid on Basecamp and his dog in Slack, a quick Google or Facebook search can tell a cybercriminal the names that an employee may be using as his or her password," he says.
"In addition, personal photos can provide hackers with intel on the user that can be used to plan a more targeted cyberattack," he says. "For example, a photo of you with your colleagues can provide hackers the information they need to develop a more sophisticated phishing scheme. They have a sense of who you work with, so they have a better idea of how to tailor their message to avoid suspicion."
Why not just forbid employees from using passwords constructed from the names of relatives or family members?
Meyer told Security magazine: "While password policies and training are important, companies can never be completely assured that employees won’t compromise sensitive information. The company needs a safety net – another layer of security that will account for human error. This is where Identity and Access Management (IAM) solutions come into the picture. IAM tools help provide a secure portal for users to access business applications."
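One concrete form of the "policy" half of this answer is a password check that rejects passwords containing names an attacker could harvest from the user's profile photos (the kid and the dog in the example above). This is an added illustration, not code from the article or from OneLogin; the username, the associated names, and the idea that such a list is maintained per user are constructed assumptions.

```python
"""Added example: reject passwords built from names linked to a user's public profile."""
import re
import unicodedata
from typing import Iterable, Optional, Tuple

# Constructed sample data: names visible in this user's profile photos.
# In a real deployment this list would come from a per-user source (assumption).
KNOWN_ASSOCIATIONS = {"alice": ["Emma", "Rex"]}

# Common digit/symbol substitutions people use to "disguise" a name.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(text: str) -> str:
    """Lower-case, strip accents, drop a trailing run of digits/punctuation
    (e.g. 'Rex2019!' -> 'rex'), then undo leet substitutions ('R3x' -> 'rex')."""
    s = unicodedata.normalize("NFKD", text)
    s = "".join(c for c in s if not unicodedata.combining(c)).lower()
    s = re.sub(r"[^a-z]+$", "", s)
    return s.translate(LEET)


def contains_personal_name(password: str, names: Iterable[str]) -> Optional[str]:
    """Return the first associated name (3+ letters) found in the normalized password."""
    norm = normalize(password)
    for name in names:
        n = normalize(name)
        if len(n) >= 3 and n in norm:
            return name
    return None


def check_password(username: str, password: str) -> Tuple[bool, str]:
    """Policy: no name linked to the user's profile, and a minimum length of 12."""
    names = [username] + KNOWN_ASSOCIATIONS.get(username, [])
    hit = contains_personal_name(password, names)
    if hit is not None:
        return False, f"password contains a name linked to your profile: {hit}"
    if len(password) < 12:
        return False, "password must be at least 12 characters"
    return True, "ok"


if __name__ == "__main__":
    for pw in ["R3x!2019", "Emma&Rex4ever", "Tr0ub4dor&3", "correct horse battery staple"]:
        print(pw, "->", check_password("alice", pw))
```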
What strategy can a company use to require employees to sync their physical and digital identities?
Meyer suggests: "Companies need to educate employees about the security risks of using multiple user profile photos for business applications. They also need to develop a policy that will require employees to sync their user profile photos. The best way to enforce a user profile policy is to automate the process. HR should take a photo of each employee during the on-boarding process. These headshots should be stored in an HR application such as Workday, UltiPro and Namely. The company's IAM solution should be able to automatically pull in the photos from these apps. As soon as the photo changes in the IAM tool's cloud directory, it will be pushed to all the user's apps and devices. For companies that don't have the technology to automate the process, users can manually upload their HR-approved photo to each of their applications."