Stop your employees from sharing credentials

Need help with a task while you’re out of the office? Sharing your login details with a colleague can seem harmless. However, this seemingly innocent act can lead to unintended consequences, especially if you’re using the same credentials across multiple platforms. Imagine the implications if those shared credentials grant access to your company's network. 

That's why it's crucial to prioritise security over convenience, and prevent password sharing. In this blog, we'll explore the importance of addressing credential sharing within an organisation, the risks it poses, and practical steps you can take to mitigate this risk.

The risks of password sharing at work 

While employees may view password sharing as harmless, it actually exposes organisations to a myriad of security vulnerabilities.

Increased risk of security breaches 

Shared passwords make it much simpler for hackers to gain access to other areas of your network if they break into your system, potentially escalating a minor security issue into a major breach. 

For instance, in June 2021, New York City's Law Department suffered a cyber attack via a single employee's stolen email password. This breach exposed huge volumes of extremely sensitive data, including evidence of police misconduct, the identities of young children charged with serious crimes, and personal data for thousands of city employees. This incident underscores the critical importance of password protection.

Identity and access control 

Sharing passwords among employees complicates tracking and raises the risk of unauthorised access, especially if credentials are shared with individuals at different access levels. 

During termination meetings, a robust security policy ensures immediate account locking to protect corporate systems. Without such measures, a former employee could exploit shared credentials to access systems, and cause damage or exfiltrate data. Therefore, organisations must maintain oversight of who accesses different systems and resources.

Improper storage

It’s also important to consider how a password was shared: was it written on a post-it and stuck to your monitor, where anyone passing by could see it? Or perhaps it was shared via email or a Slack message, which could be intercepted by someone with malicious intent? 

Insecurely shared passwords are a dream come true for opportunists who can easily exploit these vulnerabilities to gain unauthorised access. 

Event attribution

Unique login credentials are vital for each user on shared systems to maintain cyber security. These credentials help you track events and identify the cause if a cyber attack occurs. Identifying the responsible account can prevent further spread and ensure corrective actions are taken swiftly.

Without this traceability, pinpointing the perpetrator becomes challenging, complicating the investigation process and leaving you vulnerable to further attacks. 

Compliance issues

Password sharing can compromise your company’s compliance efforts, risking violations of pivotal regulations like GDPR or HIPAA. This practice undermines the security frameworks designed to protect sensitive data, potentially allowing unauthorised access.

Such breaches can lead to significant legal consequences, including fines and penalties, as well as reputational damage. To ensure compliance, it’s important to implement robust password management strategies and coach employees on the importance of protecting access credentials.

Understanding the motivations behind password sharing

To effectively tackle credential sharing in your organisation, it's key to understand why employees engage in this risky behaviour. There are several motivations, ranging from convenience to malicious intent, and the suitable solution will depend on these underlying causes.

Convenience 

Many employees share credentials out of ease. They might find it easier to share their login details with a colleague than to go through the process of requesting access through official channels. This is particularly common in fast-paced work environments where time is of the essence.

Lack of awareness

Employees might not fully understand the risks associated with sharing their credentials. Without proper education, they may view it as a harmless shortcut.

Malicious intent

In some cases, credential sharing may occur with harmful intent. Disgruntled employees or insiders with ulterior motives may share their credentials to sabotage the company or gain unauthorised access to sensitive information.

Best practices for stopping credential sharing among employees 

Preventing employees from sharing their credentials is a tall order, but a multi-faceted approach can significantly lessen the risk. 

By minimising scenarios where sharing seems necessary or convenient, and implementing clear policies against credential sharing, you can decrease the likelihood of employees sharing credentials as a shortcut. Additionally, educating employees about potential risks can improve awareness. 

Enforce strong passwords 

Encourage employees to create and use strong, unique passwords and enforce complexity requirements to avoid easily guessed passwords. A data-driven Human Risk Management Platform can further enhance organisational password hygiene by identifying reused, weak or compromised passwords and enabling targeted coaching for individuals. 

Implement access controls 

Role-based access controls (RBAC) ensure that employees have access only to the information and resources necessary for their specific roles. This approach not only maintains the security of sensitive data but also reduces the potential damage caused by shared or compromised credentials.

Utilise a password manager

Password managers facilitate proper credential management by limiting the number of passwords an employee needs to remember. This reduces the chances of forgetting passwords and helps identify patterns indicative of credential sharing.

Enable Multi-Factor Authentication (MFA)

MFA requires employees to provide two or more types of identification when logging into an account, such as a password and a code sent to their email or a fingerprint scan. This reduces unauthorised access if credentials are breached or guessed. 

It also protects against employee password sharing by making shared credentials impractical or infeasible. CultureAI can help ensure that MFA is enabled where appropriate and provide visibility into this risk, enabling you to implement necessary interventions.

Implement Single Sign-On (SS0)

Poor credential management often stems from the difficulty of creating and remembering multiple strong passwords. Employees may forget passwords for rarely accessed accounts, leading them to borrow credentials from colleagues. SSO addresses this issue by simplifying the login process, reducing the need for multiple passwords.

‍Protecting against credential sharing with CultureAI 

Effective credential management is crucial for securing the workplace. By implementing access controls, using password managers, enabling MFA, and adopting SSO solutions, organisations can significantly mitigate risks associated with credential sharing and unauthorised access.

CultureAI's Human Risk Management Platform equips you with the tools to monitor and implement these strategies effectively. With CultureAI, gain real-time insight into whether employees are using weak, reused, or compromised credentials and check their use of SSO and MFA. This allows you to deliver automated, targeted coaching or prompt behaviour change with Nudges.