How many times have you had a phone call or an email from a manager in your organization asking you to give them an employee's password so that they can access that person's email account?
This request is often made when an individual is on leave and a call is received from a client or colleague wanting to know if they have actioned a request sent before they left. All too often a client has sent an email to their account manager before he or she went on vacation, but it was accidentally missed.
Access to the email account is necessary to avoid embarrassment or to ensure that a sales opportunity is not missed. Maybe the employee in question has failed to set up their Out of Office message and clients are not aware that they need to contact a different person to get their questions answered.
In years gone by, managers used to keep a log of all users’ passwords in a file on their computer. In case of emergency, they could check the password and access any user account. However, this is risky. Nowadays this is not acceptable behavior. It also invades the privacy of employees. If a password is known by any other individual, there is nothing to stop that person from using those login credentials any time they like. Since passwords are frequently used for personal accounts as well as work accounts, disclosing that password could compromise the individual’s personal accounts as well.
Maintaining lists of passwords also makes it harder to take action over inappropriate internet and email use. If a password has been shared, there is no way of determining whether an individual has broken the law or breached company policies. It could have been someone else using that person’s login.
IT staff are therefore not permitted to give out passwords. Instead they must reset the user’s password, issue a temporary one, and the user will need to reset it when they return to work. Many managers will be unhappy with these procedures and will still want to maintain their lists. Employees will be unhappy as they often use their work email accounts to send personal emails. Resetting a password and giving a manager access could be seen as a major invasion of privacy.
What is the solution?
There is a simple solution that ensures the privacy of individuals while still allowing a forgotten Out of Office auto-responder to be set and important emails to be picked up: shared mailboxes. These are not always popular, however.
If this is done in Outlook, a manager may need to have many shared mailboxes set up in their Outlook program, and they may have to keep the mailboxes of multiple teams permanently open. Staff members will also need to be trained in how to use the shared mailboxes, and policies might need to be written.
Is there an easier option?
There is another choice, and that is to delegate permissions. It is more complicated to implement this control as it requires an MS Exchange Administrator to provide Delegate Access. Using Delegate Access will make it possible for an individual, with the appropriate permissions, to send an email on behalf of another employee. This means mailboxes do not have to be open all the time. They can just be opened when an email needs to be sent. This may be ideal, but it will not allow a manager to set up a forgotten Out-of-Office auto-responder.
That would require a member of the IT department, a domain manager, to do it. A ticket would need to be submitted requesting the action. This may not be popular with managers, but it is the only way for the task to be performed without revealing the user’s login credentials or setting up a temporary password which would breach their privacy.
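As an added example (not code from the article), the script below shows how an Exchange administrator would carry out the three alternatives described above without ever disclosing or resetting the employee's password: set the forgotten auto-responder from a ticket, grant the manager send-on-behalf delegate access, and create a shared mailbox for the team's client queue. It assumes Exchange Online with the ExchangeOnlineManagement module already connected; the mailbox names and the ticket reference are placeholders.

```powershell
# Added example, not from the article. Assumes an existing session created with
# Connect-ExchangeOnline (ExchangeOnlineManagement module). All identities and the
# ticket reference below are placeholders.

$AbsentUser = "alex.smith@example.com"     # employee on leave (placeholder)
$Manager    = "jamie.jones@example.com"    # manager covering their queue (placeholder)
$TicketId   = "TICKET-PLACEHOLDER"         # change/ticket reference for the audit trail

# 1. Forgotten Out-of-Office: IT sets it on the user's mailbox in response to the
#    ticket. No credentials change hands and the password is not reset.
Set-MailboxAutoReplyConfiguration -Identity $AbsentUser -AutoReplyState Enabled `
    -InternalMessage "I am out of the office. Please contact $Manager for urgent matters." `
    -ExternalMessage "I am out of the office. Please contact $Manager for urgent matters."

# 2. Delegate access: the manager can send on the employee's behalf without keeping
#    the mailbox open. Recipients see "Jamie on behalf of Alex", so the action is
#    still attributed to the manager rather than to the absent user.
Set-Mailbox -Identity $AbsentUser -GrantSendOnBehalfTo @{Add = $Manager}

# 3. Shared mailbox for the team's client queue. Full Access is granted per member;
#    AutoMapping is switched off so the mailbox is not auto-attached to every
#    member's Outlook profile (the "mailboxes permanently open" objection).
New-Mailbox -Shared -Name "Sales Client Queue" -DisplayName "Sales Client Queue" -Alias salesqueue
Add-MailboxPermission -Identity "salesqueue" -User $Manager -AccessRights FullAccess -AutoMapping $false

# 4. Verify: list every explicit (non-inherited, non-self) permission on the absent
#    user's mailbox, so the delegation is visible and reviewable and an account audit
#    can still tell who actually acted.
Get-MailboxPermission -Identity $AbsentUser |
    Where-Object { -not $_.IsInherited -and $_.User -notlike "NT AUTHORITY\SELF" } |
    Select-Object Identity, User, AccessRights

Write-Host "Completed under change reference $TicketId"
```

Because every step is performed by an administrator against the mailbox object rather than by logging in as the user, the resulting mail and audit entries are attributed to the manager or to the administrator's change reference, which is what keeps the audit trail in step 4 trustworthy.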
You might be unpopular, but security is vital
If you encounter resistance, you must explain why password sharing is not permitted: the risks it poses and the problems it can cause.
These matters should be included in a company’s computer, Internet and email usage policies. If the sharing of passwords contravenes company policies, any requests to share passwords would result in the IT department breaching those policies. Requests to divulge that information would therefore have to be denied.
Of course, Out-of-Office auto-responders are not an IT issue. This is an issue that should be dealt with in staff training. It is also a check that a manager should make before a member of staff goes on holiday, while the employee is still at work.
The dangers of password sharing
Organizations are facing an ever-growing threat from cybercriminals. In 2019 and 2020, we have seen many high-profile data breaches, resulting in serious financial repercussions and damaged brand reputation. Password-sharing at work carries a massive risk for organizations. 81% of breaches originate with stolen or weak passwords. When hackers gain entry to your system, shared passwords make it easier for them to access other parts of your network.
If by chance an intruder finds a document full of shared passwords in an employee’s Google Drive, that opens up the entire system to attack. This also exposes your organization to legal issues if customers’ privacy rights are violated.
Why do employees share passwords?
Sharing passwords is extremely risky for the organization. Oftentimes the reason cited for doing this is easier collaboration with colleagues. Sometimes employees share passwords because it’s the company policy. In these situations it’s vital for IT to intervene and provide a better way for employees to collaborate, and so avoid potentially serious consequences down the road.
Reasons why passwords should never be shared, even with a manager
- Passwords are private: This is a fundamental element of IT and network security. This rule cannot be broken or bent.
- There are alternatives to sharing passwords that will achieve the same aim: ticket requests, shared mailboxes, and delegate permissions. These should be used instead.
- The sharing of passwords violates an individual’s privacy
- If a password is shared, the results of an account audit cannot be trusted.
- Password reuse: Many people use the same password to access multiple accounts and platforms. By sharing reused passwords, employees increase the risk a single stolen password poses for companies.
- You’re responsible for any activity conducted under your username. If someone else is logged in under your account, you’re still responsible for whatever happens. Data security is more important than an auto-responder.
- Bring Your Own Device (BYOD): Employees are increasingly working from home and use their personal smartphones and laptops in addition to company-issued devices. The WFH trend has led to productivity gains. Unfortunately, the benefits can easily be wiped out if passwords shared with friends or family give unauthorized access to your network and confidential data.
- Acceptable Usage Policies would be violated
Multi-factor authentication to stop password sharing
When MFA is in place, access is only possible when the user validates using two authentication factors. For example, they initially enter their password but must then complete a second authentication request. This could be a code received via a device. Multi-factor authentication, like any security approach, works best when used in tandem with other security strategies.
If a ban on password sharing does not exist in your organization, it must be implemented as a priority. You will not be able to do this without the support of senior managers. You may not feel that it is your job to try to implement a ban, but you should make a case for it. It will help your department protect the network, it will save you time in the long run, and it will be better for the business.
To find out more about password security and some of the key protections you can put in place to improve your resilience against attacks, contact the SpamTitan team today.