As an IT professional, what is the easiest way you could acquire one of your user's passwords? Most likely, you will simply be able to ask them.
Password sharing is a very serious security issue, yet it tends to be one that is taken rather lightly. Employees share their login credentials with each other on a daily basis, most often because they need to give colleagues access to their machine to delegate work or because they are out of the office.
In some workplaces the practice of password sharing is such a given that they're left lying around, written on post-it notes stuck to monitors.
In our recent report, 'The Insider Threat Manifesto' we asked 500 IT professionals in the UK and US to estimate what percentage of their employees they'd estimate to be sharing their passwords, and the mean average was 19%.
Assuming our survey base was being conservative, as they're quite likely to be when talking about their own organisation's security, that's at least a fifth of all employees in UK and US businesses sharing passwords with their colleagues.
But who is responsible for stamping out password sharing? Is it the IT department? Most IT managers and directors don't think it is their problem, instead citing it as a cultural issue that should be addressed perhaps by HR or the board. Yet board members and HR team see it as an IT concern.
So how do you tackle this problem? The solution is that it must be tackled from two angles, both culturally, in the education of your users, and technologically, by putting actual restrictions in place.
Implement a thorough and transparent security policy
Assuming you have a security policy (which is not a given; 29% of our survey base told us they didn't!), it's imperative that it doesn't just explain what your users should avoid doing - but also why.
That means not just 'don't share your password, password sharing's bad,' as this doesn't give anyone the understanding or incentive to follow the rule.
If you explain that 'password sharing is the greatest threat to internal security for this organisation, and there is significant liability involved for those who choose to share their network login credentials', then they are far more likely to pay attention.
Remind users of policy at opportune times
One of the biggest mistakes made by IT departments with regards to security policy is leaving it in an employee handbook or accessible on the intranet; 65% of our IT professionals told us this was how they communicated theirs to employees.
Yes, any employee can refer to it whenever they wish, but realistically, how often do you think that is? Not very.
This is where technology can start to come in. By implementing network security software that allows you to set up custom alerts, you can remind users of policy at opportune moments, when it is most relevant to them.
A reminder not to share their credentials when they are using them to log in for the day is much more effective than one in the employee handbook they were asked to read on their first day at the company.
Give users an incentive not to share passwords
We touched on how to make this transparent in your policy, but technology can once again take you beyond user education and give a real, and practical, reason not to share their password.
If you disable concurrent logins, users who have shared their password will not be able to login using their own credentials whilst the other user is logged in.
This provides a significant incentive not to do it as it makes it significantly less practical, but it also adds a layer of responsibility; you alone are responsible for your login credentials.
Monitor and respond to suspicious activity
Once this is in place, your users must be liable for the activity conducted with their own login. By monitoring activity on the network and responding to anything suspicious promptly by logging users off or shutting down access, once again you are providing a very real incentive for users not to share their passwords.
Password sharing is prolific, and the reason for it is very simple: practicality. Half of the IT professionals we asked about password sharing said that the most common reasons for it were simply a colleague asking, or to delegate work.
This means that the best way to combat the issue is also quite simple: make it impractical. This doesn't have to mean making your users' working lives difficult, but by creating a transparent security policy and using technology to implement it properly, there is no reason why users cannot work in a more secure fashion.
To learn more about how to manage password sharing and internal security, download The Insider Threats Manifesto.
- François Amigorena is founder and CEO of IS Decisions, a provider of Infrastructure and Security Management software solutions for Microsoft Windows and Active Directory.