At work, many of you share your accounts and passwords. 50% say they don't discuss it with IT departments when they share their logins. Access sharing is a widespread practice in the workplace.
Yet at the same time, if you're asked: do you share your phone code, your bank code or even your favorite social networks? The answer is a resounding NO!
And for good reason, those who have done so have sometimes encountered this mishap: they've had their account hacked by a vengeful ex-boyfriend or former best girlfriend...
What are the reasons why employees share their passwords?
In a study conducted by ISDecisions, employees were asked to give reasons for sharing their password or requesting access:
🔸 32.3% a manager who asks for it
🔸 27.7% give access during an absence
🔸 22.3% IT requested it
🔸 18.3% delegate work
🔸 13.4% a colleague asked
🔸 8.8% I gave it access to someone
🔸 4.2% I asked someone for access because I didn't have access otherwise
🔸 1.3% I forgot my password and borrow someone else's
What stands out, and is very surprising, is that the No. 1 reason for sharing access comes from a manager's request. This shows that management is not at all aware of the issue of cybersecurity.
The question can also be asked in another way. Why are so many employees driven to use other people's access? Most of the problem lies in IT.
- Short contracts require as many account creations as long contracts, except that short contracts are more numerous. These repetitive actions are time-consuming for IT, which prefers to create a single, non-nominative account and encourage sharing.
- The processes for requesting account creations are unfamiliar or complex, which discourages employees and managers from making formal requests.
- Awareness of the risks of sharing passwords is lacking. According to the survey, 52% of respondents see no risk in sharing access, and 54% of senior managers.
Too much trust is placed in colleagues, and the situation of sharing passwords in the workplace is nothing like that of sharing access in the private sphere.
▶️ Share your work email password VS share your personal email password.
▶️ Share your professional software password VS share your Instagram password.
We can also look at the 13.4%: a colleague asked me about it! This perfectly illustrates the blind trust in colleagues and, above all, the lack of awareness of password sharing.
This figure clearly shows the total lack of interest in the risks associated with this sharing, since it concerns the company and not an individual. That's where the problem lies. We're not touching a person, but an entity, and we don't have the same approach, empathy in both cases.
If these same people were interviewed and asked whether they would share a colleague's access, I think this figure would drop drastically.
Go to our price list page!
Or speak to an expert at09.70.70.41.42
What are the risks of sharing access?
While 52% of employees don't see any risk in sharing passwords, it's a very real one.
- Giving access to a manager or his or her manager means giving even more data to someone who is already in a position of power (great access to data due to his or her status). There may also be a conflict of interest in sharing certain data with a manager in another department, for example.
- When an account is accessed by several people, who is responsible in the event of an incident? It's highly likely (and even logical) that it's the access holder, who will pay for the consequences he or she didn't foresee. In the case where access is shared within a department, and this is 'official', it will be difficult to attribute blame to a single person by being formal. Black sheep are hard to avoid with shared access.
- The person requesting access may not be authorized to view certain data. Access rights are no longer managed. If the person doesn't have good intentions, he or she can easily harm the company.
In this respect, company security probably needs to be reviewed, as 82% of those questioned said it would be easy for them to gain access to sensitive information to which they were not entitled. This means that people either know people who could show them sensitive information, or they have direct knowledge of access to sensitive information.
- In this context, what is the role of authorization management when the company has no real control over its accesses? In this case, we could talk about visible and hidden accesses. Managing hidden access is unfeasible, and IT departments come up against a major contradiction: why spend time determining who has access to what, when everyone can do as they please anyway?
- When passwords are shared, there is no longer any control over authorization management, which encourages employees who have left to gain access to active accounts. You know, that colleague who leaves but has access to software that was very useful for the whole team. There's a history, everything's set up, already in place, so why close this account to open a new one with all the inconvenience that entails? So we leave the account open.
Imagine what could happen if these accounts gave access to sensitive information that could be used by the competition. Imagine what an angry ex-collaborator could do with some access. According to the study, 36% of ex-employees still have active access after their departure.
How can I avoid sharing passwords 🙃?
These password-sharing practices create what is known as shadow IT.
❌ to punitive actions
In order to avoid punitive actions which will not have a positive impact on the process, and which could even worsen the situation, it's best to start from the basic observation that half of all users share at least one access with a colleague, and don't see why this could be a problem. Rather than talking about 'obligations', let's talk about the risks and the concrete consequences for employees.
An open discourse
An open approach to users on the part of IT departments will have far more positive repercussions in the medium and long term. Facilitating the creation of accounts and opening up dialogue on software requirements will prevent shadow IT.
Raising awareness of the risks involved is therefore the key to success.
On the IT side, however, it's crucial to implement solutions that simplify account creation and suspension. Turning to an IAM solution makes sense. IAM is the management of users and their accounts. Among other things, an Identity & Access Management platform will enable you to automate account creation and suspension using workflows and a connection between your HRIS and your Active Directory (or other directory). The solution automatically processes arrival and departure information, so IT is no longer left in the dark.
In this way, account creation will no longer be a burden for IT departments, and the application of an IT security policy will be easier to implement.
An identity and access management solution will also enable IT to control the access rights of each user, and to set up monitoring systems for certain sensitive groups.
Self-resetting passwords is also an excellent solution for dealing with requests to share passwords due to forgetfulness. The user will be embarrassed to admit his forgetfulness to the IT department; he knows it's going to take some time, perhaps involve a written procedure, a request to his manager, and so on.
A solution that allows users to reset their own passwords offers two enormous advantages:
- autonomy for users and therefore fewer sharing requests
- time-saving for IT departments, who no longer have to perform a task with no added value.
As a reminder, here are a few password rules.