At work, many of you share your accounts and passwords. 50% say they do not inform the IT department when they share their credentials. Access sharing is a very common practice in companies.
However, at the same time, if you are asked: do you share your phone code, your bank code or even that of your favorite social networks? The answer is a big NO!
And for good reason, those who have done so have sometimes encountered this misadventure: their account was hacked by a vengeful ex-boyfriend or an old best friend...

What are the reasons that drive an employee to share their password?
In a study carried out by ISDecisions, employees were asked to give reasons for sharing their password or requesting access:
🔸 32.3% a manager asks for it
🔸 27.7% grant access during an absence
🔸 22.3% IT asked for it
🔸 18.3% delegate work
🔸 13.4% a colleague asked
🔸 8.8% I gave someone access
🔸 4.2% I asked someone for access because I didn't have access otherwise
🔸 1.3% I forgot my password and I borrow someone else's

What stands out and is very surprising is the number one reason for access sharing, which comes from a manager's request. This shows that management is not at all aware of the issue of cybersecurity.
We can also ask the question differently. Why are so many employees driven to use other people's access credentials? The problem largely comes from IT.
- Short-term contracts require as many account creations as long-term contracts, except that short-term contracts are more numerous. These repetitive actions take time for IT, which prefers to create only one non-nominative account and promote sharing.
- Account creation request processes are poorly understood or complex, which discourages employees and managers from making official requests.
- No awareness-raising on the risks of password sharing is carried out. According to the study, 52% of respondents do not see any risk in sharing their access, and the figure is 54% among senior managers.
Too much trust is placed in colleagues, and password sharing at work is never compared with sharing access in the private sphere.
For example:
▶️ Share your work email password VS share your personal email password.
▶️ Share your professional software password VS share your Instagram password.
We can also look at the 13.4%: a colleague asked me! This perfectly demonstrates the blind trust in colleagues and, above all, the lack of awareness of password sharing.
This figure clearly shows the total lack of interest in the risks associated with this sharing, because it concerns the company and not an individual. That is mainly where the problem lies. We are not affecting a person but an entity, and we do not have the same approach or empathy in both cases.
If we were to ask these same people if they would share a colleague's access, I think that number would drop drastically.
What are the risks of sharing your access?
While 52% of employees see no risk in sharing passwords, the risk is very real.
- Giving access to a manager or their manager means giving even more data to someone who is already in a position of strength (their status already gives them broad access to data). There may also be a conflict of interest in sharing certain data with a manager from another department, for example.
- When an account is accessed by multiple people, who is responsible in the event of an incident? It is very likely (and even logical) that it is the access holder who will bear consequences that they had not foreseen. In the case where access is shared within a department and this is 'official', it will be difficult to formally assign blame to one person. It is difficult to isolate the black sheep with shared access.

- The person requesting access may not be authorized to view certain data. There is no access rights management. If the person does not have good intentions, they can easily harm the company.
In this regard, corporate security probably needs to be reviewed, as 82% of respondents say it would be easy to access sensitive information to which they are not entitled. This means that people know people who could show them sensitive information, or they are directly aware of access that allows them to see this sensitive information.
- In this context, what is the role of access rights management when the company does not really control its access? In this case, we could talk about visible and hidden access. Managing hidden access is unfeasible, and IT departments face a major contradiction: why spend time determining who has access to what when everyone will do what they want anyway?
- When passwords are shared, there is no longer any control over entitlement management, which leads to the accounts of employees who have left being kept active. You know, that colleague who leaves but has access to software that was very useful for the whole team. There is a history, everything is configured, already in place, so why close this account to open a new one with all the inconveniences that this implies? So, we leave the account open.
Imagine what could happen if these accounts give access to sensitive information that could be used by the competition. Imagine what an angry ex-employee could do with certain accesses. According to the study, 36% of former employees still have active access after they leave.
What solutions are available to prevent password sharing 🙃?
These password-sharing practices create what are called ghost users or shadow IT.
❌ No to punitive actions
Punitive actions will not have a positive impact on the process and could even worsen the situation. It is preferable to start from the basic observation that half of users share at least one access with a colleague and do not see why this could be a problem; they must therefore be made aware. Rather than talking about 'obligations', let's talk about the risks and concrete consequences in the life of the employee.
An open discussion
An open discussion initiated by IT with users will, in the medium and long term, have much more positive repercussions. Facilitating account creation and opening up dialogue on software needs will avoid shadow IT.
Risk awareness is therefore the key to the fight.

Streamlining procedures
On the other hand, from an IT perspective, it is crucial to implement solutions to simplify account creation and suspension. Turning to an IAM solution is relevant. IAM is the management of users and their accounts. An Identity & Access Management platform will allow you, among other things, to automate your account creations and suspensions using workflows and a connection between your HRIS and your Active Directory (or other directory). Arrival and departure information is processed automatically by the solution, and IT will no longer be in the dark.
Thus, account creations will no longer be a burden for IT departments, and the application of an IT security policy will be easier to implement.
An identity and access management solution will also allow IT to control the access rights of each user and implement monitoring for certain sensitive groups.
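The HRIS-to-directory link described above can be pictured as a reconciliation pass. The following is an added example, not taken from the study or from any IAM product; the CSV column names, account names and employee records are constructed assumptions standing in for real HRIS and directory exports.

```python
import csv
import io
from datetime import date

# Constructed sample exports (not real data); column names are assumptions.
HRIS_CSV = """employee_id,name,end_date
E001,Alice Martin,
E002,Bruno Keller,2024-03-31
E003,Chloe Dubois,
E004,David Osei,2024-12-31
"""
DIRECTORY_CSV = """account,employee_id,enabled
amartin,E001,true
bkeller,E002,true
dosei,E004,true
temp-sales,,true
old-intern,,false
"""

def load(text):
    return list(csv.DictReader(io.StringIO(text)))

def reconcile(hris_rows, dir_rows, today):
    """Compare the HR roster with enabled directory accounts as of `today`."""
    employees = {r["employee_id"]: r for r in hris_rows}
    def has_left(emp):
        return bool(emp["end_date"]) and date.fromisoformat(emp["end_date"]) < today
    report = {"leaver_still_active": [], "no_named_owner": [], "missing_account": []}
    owners_with_account = set()
    for acc in dir_rows:
        if acc["enabled"].lower() != "true":
            continue  # already suspended, nothing to do
        emp = employees.get(acc["employee_id"])
        if emp is None:
            # Enabled account tied to nobody in HR: generic or shared login
            report["no_named_owner"].append(acc["account"])
        elif has_left(emp):
            # Contract ended but the account was never suspended
            report["leaver_still_active"].append(acc["account"])
        else:
            owners_with_account.add(emp["employee_id"])
    for emp_id, emp in employees.items():
        if not has_left(emp) and emp_id not in owners_with_account:
            # Current employee with no personal account: likely to borrow one
            report["missing_account"].append(emp_id)
    return report

def run_sample(today=date(2024, 6, 1)):
    return reconcile(load(HRIS_CSV), load(DIRECTORY_CSV), today)
```

Each finding maps to a situation described earlier: accounts left open after a departure, non-nominative accounts created to be shared, and employees who have no access of their own.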
Password reset
Self-service password reset is also an excellent way to address password sharing requests caused by forgotten passwords. Users will be reluctant to admit their forgetfulness to the IT department, knowing it will take time, perhaps involve a written procedure, a request to their manager, etc.
A solution that allows users to reset their passwords will offer two enormous advantages:
- autonomy for users and therefore a decrease in sharing requests
- a gain in time for IT departments, eliminating a task with no added value.
Reminder, here are some rules regarding passwords.





