One of the biggest internal security issues every organization has to deal with is password sharing. On Windows Active Directory networks the threat of shared passwords can be alleviated with UserLock.
UserLock’s concurrent login controls and context-aware access restrictions mean IT teams can now control where and how each employee accesses the network. This level of security is not possible with native Active Directory and ensures network access is via a login that is unique the user and not shared.
Why do employees share passwords?
Insider threats represent one of the greatest risks to a business. Even when we consider highly technically proficient hackers, the way they are most likely to access sensitive information is by simply acquiring someone’s password, probably by posing as some figure of authority in order to get them to hand it over.
Many employees see no security risk in sharing passwords and logins (we published original research on this very topic a few years ago).
There’s often a lack of understanding at organizations’ top levels, with many in senior management failing to recognise the risk of sharing login details. In fact, when we surveyed employees a few years ago, many said they shared their password because their manager or boss asked!
This leaves organisations open to the use of social engineering by malicious parties, potentially posing as somebody senior, gaining access to data and systems they shouldn’t have.
To address this behavior, security has to be part of the corporate culture. Bad choices should have consequences that employees are reminded of. Technology such as UserLock can also help both outrightly restrict certain bad behavior as well as helping remind users to make good choices.
Here are five steps to take to stop password sharing.
1. Embed security within the organisational culture
The first point to make is about the education of your users.
Make sure they know that sharing your password with others is not a good idea, even if it is someone in a supposed role of authority. Educate them on how and why internal security represents as much of if not a greater threat than external.
This will mean an on-going commitment to staff training and education, not a ‘tick box’ approach which we know does not work in ensuring staff take on the message and remember. In order to achieve this, IT need help from elsewhere in the organisation. Management needs to understand the issue, and ensure their actions are leading by example. They should understand there are consequences for them too, with the recent Target Corporation leading to CEO Gregg Steinhafel losing his position in the company.
HR have an important role to play here too with pre-employment checks, training and on-going intelligence. Our research shows that they are the least likely people within the organisation to even understand the issue yet it should be part of their role to address. Only 15% of HR people believe that employees are a top security concern.
The most likely cause of a password falling into malicious hands is by that person posing as someone authoritative. Not sharing your password is not a matter of trust, it is a matter of course.
2. Restrict concurrent access
From our research we asked employees what action could their employer take to make them less likely to share passwords, and by far the top answer was ‘if someone using my login meant my own access was restricted’, the option chosen by 29%.
Crucially, this was higher for those younger age groups for whom password sharing is more common, with 37% of 16-24 year olds and 36% of 25-34 year olds choosing this. This was also the top option for those restricted industries that were bad offenders for password sharing. Clearly, people really care about their own network access, and as soon as you make that access personal to the individual they have a real incentive not to share it with others.
Education is a starting point with mitigating the risk of insider threats, but often situations occur where technology can guide users even when they do understand the issues. This is seen in the example of employees in more regulated industries understanding but still willfully subverting security policy.
3. Consider harsh penalties
From our research the next top answer for what would make you less likely to share passwords was ‘if it was made a sackable offence’, selected by 23%.
Now it may be that you don’t want to rule with such an iron fist, but it is worth considering that if you are not openly and consistently dealing with unacceptable behavior, then other employees are getting the message that they can get away with it.
Active punishment can act as an effective deterrent, and if you have ensured that your workforce are educated about the dangers, it is not unreasonable to subsequently punish malpractice.
4. Restrict network access to departments, devices, workstations and set times
From our research the next most popular option was the threat of restriction to departments, devices or workstations.
Another level of security which we would recommend from the perspective of reducing the surface area available for attack, it seems this is also a reason for people to stop sharing passwords. If your colleague cannot use someone else’s password and login on their own machine, then there is no reason to give them your password.
Many answered that restricted times for network access would be an incentive too, an average of 14% stating this was the case.
5. Make delegation easier
While those in more senior positions claim to be security conscious, they do still share passwords occasionally and it tends to be in order to delegate work. Many of our survey base (16%) said that they would be less likely to share their password if delegating work was easier without having to do so.
To manage concurrent access and context-aware restrictions on your Windows Active Directory, download a free trial of UserLock.