Businesses often believe sharing login details, emails, passwords, and user accounts can save time and money. But these perceptions ignore essential information. When you understand the risk of account sharing, you see that what you save in money, you risk losing in an attack. What you save in time, you risk doubling in human error. And that’s just the start.
Today we’ll introduce the risks of password sharing and why people choose to share passwords. Finally, we’ll share how to eliminate risks when account sharing is required and give you some user account best practices.
The risks of password sharing at work
When your team shares usernames, emails, and passwords, you are more at risk of accidental error and cyber security threats.
Increased account vulnerability due to reused passwords
People often create passwords based on memorable information, such as your company name and year of establishment. Staff then reuse passwords to avoid a ‘company password index’ or having to remember multiple combinations.
However, this puts companies at a higher risk of unauthorised access from ex-staff and different team members. If the password falls into the wrong hands, it could also take longer for you to reset every password than it would take for the hacker to get in and steal information. Reusing passwords also goes against our password security best practices.
Administrative control enabling anyone to make significant changes
By default, the first user account your business creates on any software will have administrative permissions. Administrative permission means that anyone who has access to this account can update account settings such as login credentials. They will also have full access rights to view all information associated with the account, putting your company at a higher risk of data loss, internal data breaches, and cyber threats.
Potential for malicious use
While you may trust your employees, that trust is never a guarantee. By giving everyone administrative access, not only are you at risk of privacy breaches, but it only takes one disgruntled employee to export your data and close your account forever.
Limited user activity insights for training
Human error is a natural part of the working day. Within a single-user account, you can quickly identify and roll back any changes. However, if someone makes these errors on a user account accessible to several employees, it is almost impossible for IT teams to work out who is accountable for the error. Plus, any rollback will delete the work of any other team members who have spent hours working within the account since the error.
User activity tracking also provides insights into who may be responsible for accidental or malicious activity. Accurately tracking who did what will be crucial if you undertake an internal investigation or even legal action.
Phishing risk due to no sharing policy or user management procedures
If your team is encouraged to share passwords, they are more likely to share them with others too. A past employee might pretend to have been rehired, or a hacker could easily use sniffing or phishing to capture data from employees who don’t think twice about password security.
Why do employees share logins and passwords?
With all the risks at hand, it can be hard to understand why your staff continue to share passwords. There are three main reasons your business managers create a single login for different software and online applications.
1. To manage budget limitations
Multiple user accounts can get extremely expensive with little return. As such, password sharing is more common within departments that have limited funding. Additional user accounts are also often an unjustified expense for smaller businesses selling products and services with small margins.
2. To reduce software costs
Between CRM, sales, accounting, and stock management software, subscriptions can add up. On top of the multiple subscriptions, there is often an extra cost per user login. When it comes to cutting budgets, multiple user accounts are often the first to be cut, especially where bigger teams are concerned.
3. To increase convenience
Fewer user accounts reduce the demand on internal IT teams. With a single login, you can also see the same view in an application as your colleague, making collaboration easier. Equally, customers are often used to contacting a single email address, so teams believe multiple accounts will complicate the response process.
How to eliminate the risks associated with credential sharing
We now know the risks of password sharing and why people do it. Here are four key ways to eliminate the dangers of password and account sharing in the future.
Start by creating individual user accounts for every employee with non-administrative permissions
With individual user accounts, you can assign individual permissions for each user. Personalised permissions will improve data protection and reduce the risk of leaking confidential information.
Then ask employees to implement 2FA across their user accounts
Two-factor authentication (2FA) is when you use a second method to unlock an account, such as entering a password and then receiving a text with a code, or using a code and then a thumbprint. By implementing 2FA, the account is protected from shared passwords or hacked phones.
Check in with your team in person, and monitor their accounts where relevant
Go back to basics and talk to your team. Let them know why they’ve received a new user account and the risks associated with password sharing. You can also use the individual accounts to monitor data exports and permission changes of specific people. The account information will expose training gaps, errors, and cases where user accounts have been compromised or hacked.
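The monitoring described above can be run against an application's audit log export. The following is an added example, not code from the original article: the JSON field names, account names and device IDs are constructed assumptions, not any product's real export format. It lists data exports and permission changes per account and flags accounts that are logged in on two devices at once, a common sign that a login is being shared.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample audit events, one JSON object per line (assumed format).
SAMPLE_LOG = """\
{"ts": "2024-03-04T09:00:00", "user": "alice", "device": "LT-014", "action": "login"}
{"ts": "2024-03-04T09:05:00", "user": "sales", "device": "LT-021", "action": "login"}
{"ts": "2024-03-04T09:10:00", "user": "alice", "device": "LT-014", "action": "data_export"}
{"ts": "2024-03-04T09:20:00", "user": "sales", "device": "LT-033", "action": "login"}
{"ts": "2024-03-04T09:25:00", "user": "sales", "device": "LT-033", "action": "permission_change"}
{"ts": "2024-03-04T09:30:00", "user": "alice", "device": "LT-014", "action": "logout"}
{"ts": "2024-03-04T09:40:00", "user": "sales", "device": "LT-021", "action": "data_export"}
{"ts": "2024-03-04T10:00:00", "user": "sales", "device": "LT-021", "action": "logout"}
{"ts": "2024-03-04T10:05:00", "user": "sales", "device": "LT-033", "action": "logout"}
{"ts": "2024-03-04T11:00:00", "user": "bob", "device": "LT-007", "action": "login"}
{"ts": "2024-03-04T11:30:00", "user": "bob", "device": "LT-007", "action": "logout"}
{"ts": "2024-03-04T12:00:00", "user": "bob", "device": "LT-008", "action": "login"}
"""

WATCHED = {"data_export", "permission_change"}  # actions worth a per-user review

def parse_events(text):
    """Parse JSON-lines audit events and return them in time order."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return sorted(events, key=lambda e: e["ts"])

def review(events):
    """Return (watched actions per account, accounts active on 2+ devices at once)."""
    sensitive = defaultdict(list)
    open_sessions = defaultdict(set)  # account -> devices currently logged in
    shared = {}                       # account -> devices seen in parallel
    for e in events:
        user, device, action = e["user"], e["device"], e["action"]
        if action == "login":
            open_sessions[user].add(device)
            if len(open_sessions[user]) > 1:
                shared[user] = sorted(set(shared.get(user, [])) | open_sessions[user])
        elif action == "logout":
            open_sessions[user].discard(device)
        elif action in WATCHED:
            sensitive[user].append((e["ts"].isoformat(), action, device))
    return dict(sensitive), shared

if __name__ == "__main__":
    sensitive, shared = review(parse_events(SAMPLE_LOG))
    print("Parallel-device accounts:", shared)
    print("Exports and permission changes:", sensitive)
```

An overlap is a lead to follow up, not proof of sharing: one person signed in on a laptop and a phone produces the same pattern.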
Be ready to change or block user access to accounts when an employee leaves
Introduce a mandatory process to thoroughly identify and seize the employee’s work-associated accounts within a set time of their dismissal or notice of leave. Once this is completed, the employee can no longer access those accounts after they have left the company.
Shared user account best practices
Setting up multiple user accounts eliminates many business and cybersecurity risks. But it doesn’t end there. Here are the best ways to maximise security when working with multiple user accounts within a single piece of software.
Introduce password management software and create an account for all employees
Passwords are notoriously easy to guess. Individuals are still likely to use the same password for their accounts, even with dedicated user accounts. Invest in a password management tool to store and create highly secure passwords. A super secure or encrypted password is particularly crucial when individual accounts for several business tools are not possible.
Encourage regular password refreshes
Set a monthly or regular reminder for all staff to update their passwords. Regularly changing the password will mitigate any accidental or undetected breaches.
Introduce a strong password sharing policy
Educate your staff and implement a strict password sharing policy. Explain to staff how to prevent login credentials from being shared with teams or third parties that do not need access and how to identify a phishing scam.
The lack of an established password protection process is often a symptom of a more significant data security problem. If you’re concerned about security across your business, talk to our team to learn where you could be at risk and what you can do about it.