You likely read this article title and thought to yourself “No way – my users don’t share passwords!” It’s reasonable to think that. After all, you do know your users best. However, let’s suspend your disbelief for a moment and consider the ramifications should such an activity be occurring within your organization.
One of the greatest risks to an organization today is the threat of data breach. Cyber criminals and insiders alike are keenly aware of the value of corporate data. With the split of data breach threat actors being 75% external and 25% internal1, each actor scenario becomes more risky when password sharing is added to the mix.
In external attacks, threat actors seek out credentials to leverage as a means to expand their presence in your network. Should users share passwords, the threat actor has access to that many more sets of credentials on a given endpoint, increasing their chances of success. In insider threat scenarios, the malicious insider only has whatever access their own credentials provide them. But should they be the recipient of shared credentials, they potentially increase the scope of data they have access to as the basis of committing data theft, fraud, etc.
But, is password sharing really a thing with users?
In a word, yes. In a recent study we held, 49% of employees (from key departments like legal, HR, IT, Finance, and more) stated they share their credentials with fellow employees2.
So, you have about half your users who are sharing passwords without giving it a second thought. And, while you’re still very much at “not where I work”, I’d submit to you that you’ve never really asked users if they are sharing passwords, have you? And even if you did, they know very well it is frowned upon – if not downright against company policy – so they’re not exactly going to tell you “Oh yes! I share my password with Sally all the time!” Believe the data – your users are sharing passwords.
So, how do you put a stop to password sharing?
There are a few steps to take:
Step 1 – Implement and Communicate Company Policy
The rise of Shadow IT in previous years has taught us users left to their own devices will work around IT to get their job done. This can include password sharing. So, establishing a company policy prohibiting password sharing – and then communicating it to users – is the first necessary step. Remember, it’s not bad until you tell them it is.
Step 2 – Enforce Policies with Controls
Assuming you’re working in a Microsoft environment, Active Directory does have some level of control around from which workstations and at what times of day a given user can log onto the network. While these are limited in scope at best (in reality, AD somewhat fails at providing true access controls), you should put something in place to limit when and where Sally’s password can be used by another user.
A more advanced set of controls, such as limiting concurrent logons and forcing logoffs outside of allowed times, are only found by using third-party solutions.
Step 3 – Monitor Logons
Steps 1 and 2 are really about putting in place an environment that is not friendly to users sharing passwords. But to be certain these policies and controls are working, it’s necessary to know who is logging on where and when. Nothing beats visibility into whether Sally has logged onto two machines simultaneously, or is logging on from home on a Sunday morning at 3am.
Unfortunately, Microsoft does little to centrally monitor logon activity – it’s logged on a per-system basis and requires, at a minimum, centralizing event logs mixed with some kind of analysis and alerting.
What you’re trying to get here is not just information – such as when each user logs on – but actionable intelligence where you are informed of abnormalities that potentially are either violations of company policy or clear red flags of inappropriate behavior.
Since solutions focusing on centralizing event logs don’t normally have analytics (to look at multiple events to see when Sally’s logons look out of the norm), you should be looking for a third-party solution that specifically monitors logon activity.
Stopping Password Sharing
At a minimum, by now you are at least in the “OK – so password sharing’s a real thing” camp and realize you need to do something about it. By taking steps to put policy, controls, and monitoring in place, you can minimize – if not completely stop – password sharing. This will reduce your organization’s risk of both internal and external threats, as well as create a more secure environment overall.
1 Verizon, Data Breach Investigations Report (2017)
2 IS Decisions, Insider Threat Persona Study (2017)