Employees are arguably the greatest security risk to modern businesses. Though it is often assumed that IT viruses and hackers should be your biggest concern, the reality is that it is your own staff, whether maliciously or accidentally, that are the most likely cause of a breach.
But how much do you really know about those users and what their attitudes are towards security? Probably not a huge amount, and what you do know may be based on assumptions. It is not always the vindictive employee out to get revenge on their bosses, it can be the ignorant or careless user who doesn’t realise that their actions could have catastrophic consequences. In fact, even when the threat is a malicious employee, contractor or external individual, they often manage to gain access via an ignorant employee by convincing them to offer up their password.
Enterprise Password Sharing
One of the biggest internal security issues every business has to deal with is password sharing. In the following research, we asked the employees themselves who has shared network passwords with one or more of their colleagues.
Just over half (51%) answered ‘I never share my passwords or login details’, with the rest answering that either they shared with colleagues, or with their manager (10%), IT (7%) or just ‘when required’ (10%). A massive 23% said that ‘one or more of their colleagues had their work network password’, meaning a total of 49% have shared their login details for one reason or another.
Age directly correlates with the likelihood of password sharing, with a clear difference in attitudes. It may be that in fact, as younger generations have grown up with multiple online accounts across social media, email, apps and other services, account sharing has become second nature for them.
Another interesting way to look at how habits differ with regards to password sharing is across industry sectors, and in the roles within those sectors. What is perhaps most alarming is when looking at the industries where it is more common than average, a number are in sectors which are likely to be handling sensitive data or one would expect employees to know better. Legal (32%), HR (30%), IT and telecoms (29%) and finance (24%) are all above the industry average.
Another business demographic more likely than others to be password sharing are those who described their relationship with the organisation as a partner (46%) or vendor (73%). This signifies that those working with an organisation in this way are more than twice as likely to share their passwords than normal full or part time employees.
Protecting against password sharing with UserLock
The best way to combat the issue is also quite simple: make it impractical. This doesn’t have to mean making your users’ working lives difficult, but by creating a transparent security policy and using technology to implement it properly, there is no reason why users cannot work in a more secure fashion.
1. Restrict concurrent access
As soon as you make that access personal to the individual they have a real incentive not to share it with others.
2. Restrict network access to departments, devices, workstations and set times
Another level of security which we would recommend from the perspective of reducing surface area available for attack, it seems this is also a reason for people to stop sharing passwords. If your colleague cannot use someone else’s password and login on their own machine, then there is no reason to give them your password.
3. Tracking and alerting on all suspicious Windows account logins
Real time monitoring of all Windows user logins offers protection against shared and compromised Windows user accounts. Alerts offer immediate identification of abnormal account usage and suspicious compromised accounts.
- Irregular account login times
- Login attempts from new IP address, location, workstations or devices
- Simultaneous connections from inside and outside the network
- Connections from a new account direct from an existing account on the same device/workstation
4. Remind users of policy at opportune times
One of the biggest mistakes made by IT departments with regards to security policy is leaving it in an employee handbook or accessible on the intranet; 65% of our IT professionals told us this was how they communicated theirs to employees. Yes, any employee can refer to it whenever they wish, but realistically, how often do you think that is? Not very.
This is where technology can also help. UserLock allows you to set up custom alerts so you can remind users of policy at opportune moments, when it is most relevant to them. A reminder not to share their credentials when they are using them to log in for the day is much more effective than one in the employee handbook they were asked to read on their first day at the company. Alerts in real-time can also be sent when their own credentials are used (successfully or not) to connect to the network. This helps users protect the access and resources that are entrusted to them.
Find out more on how UserLock offers the protection from compromised Windows network accounts