In many cases, credential sharing for a computer or software doesn’t seem like that big of a deal. If you’re in a hurry or out of the office, sharing credentials can allow someone else to give you a hand by performing a simple task or checking something for you. If the other person has the same level of access as you (like having an account on the same computer), it may not seem detrimental to let them use your account if they’ve forgotten their password or access card. However, by sharing credentials you can put yourself and your organization at risk.
A loss of access control, improper credential storage, and an inability to perform event attribution are all potential negative results of the risks of sharing passwords at work. Let’s explore each of these:
A loss of access control is one of the major risks of sharing credentials with friends and coworkers. If you’re working on the same project or sharing an office with someone, you may have the same level of access and be able to tap the same resources with your own accounts. In this situation, sharing your credentials with someone so that they can do their job if they’ve lost or forgotten theirs may seem logical.
Even if you share the same level of access now, can you guarantee that this will always be the case? Employee termination meetings are typically conducted in private and a good information security policy means that terminated employees’ accounts will be locked upon notification of termination to protect corporate systems. If other employees are unaware of the termination, a disgruntled former employee may gain access to and damage corporate systems using another employee’s shared credentials if given the opportunity.
On a more optimistic note, promotions can cause unexpected side effects with shared credentials. If you’ve shared your credentials with a coworker and later receive a promotion, the other employee may still be able to log into your account and access resources outside of their job description. Imagine the fallout if promotion to department manager meant that one of your former peers could view and edit their performance management records. Properly protecting your credentials is vital to your organization’s security policy.
Suppose that you have perfect password security habits. You have a unique password for each account composed of eight or more randomly selected letters, numbers, and symbols. You have either memorized each password or store it in an approved password manager. The odds of your password being exposed in a breach and jeopardizing corporate security are very low.
Now imagine that you’ve shared your password with another employee to enable them to process an urgent order. What guarantees do you have that it’s properly secured now? None at all. Your colleague may have written it on a Post-It note and taped it to their monitor for all that you know. If you’ve shared your password with someone else, you’ve lost all control over it and maybe exposing yourself and your organization to attack.
There is a good reason why everyone has unique login credentials for shared systems even if they have the same rights and permissions on the system. Your organization’s corporate cybersecurity policy likely includes logging important or anomalous events that occur during the use of company computer systems. This is intended to help in determining the cause and scope of the incident if the organization suffers a cyberattack. If an employee falls for a phishing email and infects a shared computer system, time may be of the essence, and being able to know exactly which employee’s mailbox contained the malicious email could prevent the attack from spreading throughout the organization. Similarly, knowing who violated a corporate cybersecurity policy allows the organization to provide additional training to or take action against the appropriate party. Sharing your credentials with other employees may endanger your organization and potentially lead to your firing or land you in legal trouble if illegal or unethical activities are performed using your account.
It’s impossible to ensure that employees will never share their credentials with one another. Providing training on the associated risks is important but only goes so far. The best way to handle the potential threat and protect your organization is to try to make it as unlikely as possible that a situation will arise where sharing credentials seems “necessary”. By taking a few simple steps, you can dramatically reduce the threat of shared credentials.
Using multi-factor authentication for access management means relying on more than just a password for access to a computer system or account. Typically, this means using a smartcard, random code generator, smartphone application, or other physical devices as part of the authentication process. The most common use for this is to protect against hackers gaining access to accounts via guessed or breached passwords.
Multi-factor authentication can also protect against credential sharing by making the use of shared credentials more difficult or infeasible. If an employee needs physical access to another employee’s ID badge or a smartphone in order to use the account, it makes sharing credentials impractical or infeasible. By implementing a multi-factor authentication policy with clear instructions for unanticipated circumstances (lost or stolen badges, etc.), an organization can dramatically improve its cybersecurity posture.
One of the main reasons for poor credential management is the difficulty of creating and managing a set of several unique, strong credentials. If an employee rarely accesses a given account, there is an increased probability that they will either forget their password, in which case they may ask another employee if they can use theirs. A single sign-on (SSO) solution allows employees to use a single password to securely authenticate to a variety of different accounts. This decreases the probability of forgotten or shared passwords while making life simpler for employees with many accounts.
In most situations, sharing passwords makes little sense. If an employee has access to their own account, they have no reason to need to use someone else’s. However, if an employee has forgotten their password, they might ask to use someone else’s in order to “get work done”, and, out of sympathy, the other employee may let them.
A good way to help prevent this situation from occurring is to implement strategies to simplify credential management. For passwords, selecting and providing training on a strong password manager allows employees to limit their memorization requirements to a single, strong password. For physical tokens like smartcards or random code generators, implementing and advertising a policy to manage unusual situations (left the card at home, etc.) decreases the probability that employees will find workarounds that achieve productivity at the cost of security.
Credential sharing is a threat to organizational cybersecurity that receives little attention. Many circumstances exist where sharing a username or password with a friend, family member, or co-worker may seem logical; however, this can put your personal or organizational cybersecurity at risk. By taking a few steps, it’s possible to reduce the probability of these situations occurring. Behavioral modeling and anomaly detection technology can also be used to identify cases where credential sharing may have occurred, allowing action to be taken.
It’s widely known that an organization’s weakest security link is its employees. Creating a strong data safety culture is one of the first rules for improving your organization’s security practices.
Proper security awareness training is a good way to get credential sharing and other poor practices under control. Training also helps your staff to become better and happier employees by empowering them to do their jobs better.