Take Back Control: Stop Shared Accounts and Credentials
Anirban Banerjee
49% of employees share passwords, according to an IS Decisions report on the password habits of users in the UK and the United States. Of that 49%, almost half (23% of total) regularly shared passwords with one or more co-workers, and many others shared them with either a manager (10%) or IT personnel (7%).
To put these numbers into perspective, we should consider that Verizon’s 2016 Data Breach Investigations Report found that 63% of all confirmed data breaches involved passwords that were weak, default, or stolen. The statistics are clear: poor control over passwords puts your business at risk.
Unfortunately, as most IT professionals know, one of the easiest ways to access another user’s account is simply to ask for the credentials. Criminals increasingly rely on social engineering to manipulate employees into giving up their credentials, and employees who already share their passwords readily are, logically, easier targets and a bigger risk to your organization.
Of course, it isn’t just outside attackers who can misuse shared credentials; malicious insiders can also use them to steal data or commit fraud. When an employee shares a credential, they expose not only your business to risk but themselves too: when a shared account is used inappropriately, every employee with access comes under suspicion.
Why Do Employees Share Accounts?
If you ask employees why they share their passwords you’ll hear the same reasons, again and again:
- “I didn’t have time to do it myself” – Employees share privileged credentials with members of their team so that they can delegate some of their tasks to them.
- “It improved our process” – Customer-facing roles, for example, may share passwords to give the appearance that a customer is always dealing with the same representative.
- “They needed access quickly” – A co-worker needs instant access to a file but doesn’t have clearance. It is quicker and easier to share a credential rather than jump through hoops to get them access.
What do all these reasons have in common? Sharing passwords is easier than the alternative. It is your job to ensure that employees know that sharing passwords might be easier, but it is also riskier.
How To Stop Employees Sharing Credentials
Reducing the number of shared credentials isn’t easy and requires a holistic approach involving both training and changes to the way you manage accounts:
Clearly Signpost And Explain The Risks Of Credential Sharing
Most companies clearly state their password policies to employees. But if 49% of employees are still sharing passwords, stating the policy once is clearly not enough. Instead, focus on regularly communicating the risks of sharing credentials. For example, a message that appears every time a user signs in, warning them against sharing their credentials, could increase awareness significantly.
For this communication to be effective, you may also want to focus on the “why” behind your password policies. It is in your employees’ best interests to keep your business safe; by highlighting recent examples of firms that have suffered security breaches, you can help employees question whether a moment’s convenience is worth the potential cost.
Bigger Consequences For Credential Sharers
Setting clear rules is of no use if users are not held accountable for their actions. Many businesses still have a culture that overlooks password sharing and other “harmless” rule-breaking habits; this needs to stop. Password sharing is not a harmless, victimless offense; it is one of the biggest threats to your IT security, and therefore to your business.
Set out a clear disciplinary procedure for dealing with anyone who shares passwords and make it clear that anyone who spots someone sharing, but does not report it, is also complicit. It should only take one or two employees receiving an official warning for everyone to take the new culture on board.
Improve Access Processes
Most employees don’t share credentials because they want to bring down your organization; they do it because it is convenient. One way to reduce this temptation is to improve the legitimate processes they should be using, so that breaking the rules no longer looks like the faster option:
- How can you improve your onboarding process?
- How can you improve the approval time for an employee accessing files or servers they don’t currently have access to?
- Are your managers sharing passwords because they need their team to take on some of their workload? Perhaps that team needs more staff, or that manager’s responsibilities need to be reduced.
Don’t Forget Third-Party Users
Most businesses use third parties to supplement their internal teams, and many of these users will require access to your systems to perform their role. You have less oversight of these users and how they behave, so it is essential that you put the right controls in place; it is entirely possible that offsite third-party users are sharing accounts right now without your knowledge.
Preferably, third-party contractors should be granted access that is subject to time restrictions and tracked in a way that alerts you to any wrongdoing. This is particularly important because, for compliance, you will need to show that any contractors with access to your data have followed your policies correctly.
Disable Concurrent Logins
By disabling simultaneous logins, you ensure that a user who shares their password cannot log in while anyone they have shared it with is already logged on. This considerably reduces the productivity benefit a user would get from sharing their login in many situations.
This measure alone will not prevent users from sharing credentials, but it does reduce the practicality. Turning it on with no warning can also make it clear who is sharing their credentials, if they then report that they can’t log in!
Monitor Suspicious Activity With PAM Software
Shared accounts are not an invisible threat; with the right tools, you can spot and put an end to any behavior not in line with your policies, whether it is malicious or simply foolhardy. PAM software is an essential tool in this process, allowing you to detect and track every account, audit access to ensure compliance, enforce the correct password policy, and much more. Done manually, these processes would not only take far more time, they would also be far less effective. Businesses that rely on manual processes are far more likely to have problems with shared accounts and other poor habits.
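The two measures above (refusing concurrent logins and monitoring for shared accounts) rest on the same detection logic. As an added example, not part of the original post and not Onion ID’s code, the following replays a constructed authentication log, tracks which source addresses hold a live session for each account, and flags every login that arrives while the same account is already active from a different address; the log format and account names are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication log (not from any real system):
# timestamp, event, account, source address.
SAMPLE_LOG = """\
2024-03-04T08:59:10 LOGIN  alice      10.0.0.12
2024-03-04T09:02:41 LOGIN  svc_social 10.0.0.31
2024-03-04T09:05:03 LOGIN  svc_social 10.0.0.58
2024-03-04T09:10:20 LOGOUT alice      10.0.0.12
2024-03-04T09:11:00 LOGIN  alice      10.0.0.12
2024-03-04T09:15:45 LOGIN  bob        10.0.0.40
2024-03-04T09:16:12 LOGIN  bob        203.0.113.7
"""


def parse_log(log_text):
    """Parse lines into (timestamp, event, account, source), ordered by time."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, account, src = line.split()
        events.append((datetime.fromisoformat(ts), event, account, src))
    return sorted(events)


def find_concurrent_logins(log_text):
    """Return (account, new_source, existing_sources) for each LOGIN that arrives
    while the same account already holds a session from a different address.
    With concurrent logins disabled these are exactly the logins that would be
    refused; with monitoring only, they are the sessions to review."""
    active = defaultdict(set)  # account -> source addresses with a live session
    findings = []
    for _ts, event, account, src in parse_log(log_text):
        if event == "LOGIN":
            if active[account] and src not in active[account]:
                findings.append((account, src, sorted(active[account])))
            active[account].add(src)
        elif event == "LOGOUT":
            active[account].discard(src)
    return findings


def accounts_to_review(log_text):
    """Distinct accounts that showed overlapping sessions, for follow-up."""
    return sorted({acct for acct, _src, _others in find_concurrent_logins(log_text)})


if __name__ == "__main__":
    for account, src, others in find_concurrent_logins(SAMPLE_LOG):
        print(f"{account}: login from {src} while active from {', '.join(others)}")
```

A legitimate re-login from the same address after a logout (alice above) is not flagged; only overlapping sessions from different addresses are.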
But What If You Have To Share an Account?
In some situations, sharing accounts is inevitable. For example, a wide range of individuals and teams need access to your social media accounts. These credentials might not grant access to financial data or intellectual property, but in the wrong hands they can still cause significant damage to your business’s reputation. The lack of tools these social media services provide for managing credentials can put you in a tricky spot when it comes to compliance.
In these cases, you need a tool for managing access so that you can identify who has taken what action on your social accounts.
PAM software – Your Complete Solution to Shared Credentials
PAM solutions, like Onion ID, can solve your problems with shared accounts, providing the tools necessary to manage and restrict privileged accounts, as well as to spot suspicious behavior. In the case of shared social media accounts, PAM solutions still enable account sharing – but with the boundaries and transparency necessary to ensure security. Users can share access to social media accounts, but time limits and boundaries are placed on the user they share with, so control is assured. Additionally, complete session recordings are available, so in the event of a problem it is easy to establish who was responsible.