The Bad Habit of Sharing Passwords at Work

published on 08 May 2023

Are passwords inadvertently shared? Probably. Does that make it right or smart? No.

Working as an IT internal auditor in the Maine state government, I had an interesting experience trying to stop the bad habit of sharing passwords in the workplace. In one department, the management had allowed a senior manager to collect the log-on and email passwords of the unit's employees. This, of course, went against the IT security policy that prohibits password sharing, but the management resisted changing the policy. They believed that their unit’s mission and objectives were unique and that this arrangement was necessary.

As an auditor, I called a meeting to address this issue and started out like this: 

We will discuss the specific IT security policy that prohibits the sharing of passwords. I understand that the unit has a policy that the Assistant Director must have the AD (Active Directory) password of at least a subset of the unit’s employees if not all. This would be a direct violation of the IT security policy. I am not interested in discussing any other aspect of IT policies or operations, past or present.

I am not aware of any other unit in the company with a similar policy. If I were, that unit would receive the same degree of scrutiny. I am not interested in discussing any other unit’s policies or procedures unless anyone knows of a similar policy.

I may have started out a little strong, but the truth is I cannot emphasize enough how important password security is for any company, especially when dealing with clients' and citizens' important data.

Why Is Sharing Your Password a Bad Idea?

The Active Directory (AD) password is meant to be unique to the employee and is not known by anyone else unless they share it, overtly or inadvertently. The members of the help desk who are so authorized CAN reset a password if you forget it, but the procedure ensures that even they can’t see what you type as a new password. When that happens, you type in a NEW password that is again unknown to anyone else. Every IT system logs when a password is changed, but not what the password is.

What Is The Risk Of Sharing Passwords?

The prohibition on sharing passwords is a basic and standard internal control around the world. If hackers gain entry into your system, shared passwords make it much easier for them to extend their access to other parts of your network, which can turn a single security incident into a full-blown breach.

But there is something that hits much closer to home when you think about security policies. One of the primary purposes of the password policy is to protect OTHER employees from inappropriate suspicion in the event that an account is used for inappropriate purposes. It surprises me how easily employees forget about this.

If a password is shared, the person who knows another’s password automatically becomes a suspect whenever that user’s account is used for inappropriate, illegal or unethical purposes. One of the two WILL be falsely accused of the violation. If the matter is not resolved, they BOTH will remain under a cloud of suspicion. That is a BAD result.
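The attribution problem above also has a practical side for a security team: when one account is in use from two desks at once, the audit trail can no longer tell you who did what. The following is an added example, not code from the original post, showing one way to look for that pattern in Windows logon records. It assumes the input has already been parsed from Security log event 4624 on the domain controllers (in practice via Get-WinEvent); the `$events` array is constructed sample data and the account and workstation names are placeholders.

```powershell
# Added example (not from the original post): flag accounts that appear to be
# logged on interactively from more than one workstation within a short window,
# the usual fingerprint of a shared password. Real input would be parsed from
# Get-WinEvent (Security log, event ID 4624, LogonType 2 = console, 10 = RDP).
# Field names on the objects below are an assumption of this example.

function Find-SharedAccountLogons {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $WindowMinutes = 30
    )
    # Only interactive logons matter here; network logons (type 3) to file
    # servers are expected to fan out across many hosts and are ignored.
    $interactive = $Events | Where-Object { $_.EventId -eq 4624 -and $_.LogonType -in 2, 10 }

    foreach ($group in ($interactive | Group-Object -Property Account)) {
        $logons = @($group.Group | Sort-Object TimeCreated)
        for ($i = 1; $i -lt $logons.Count; $i++) {
            $current = $logons[$i]
            # Look back at earlier logons for this account that fall inside the
            # window and came from a DIFFERENT workstation.
            $earlier = $logons[0..($i - 1)] | Where-Object {
                $_.Workstation -ne $current.Workstation -and
                ($current.TimeCreated - $_.TimeCreated).TotalMinutes -le $WindowMinutes
            }
            foreach ($prior in $earlier) {
                [pscustomobject]@{
                    Account      = $group.Name
                    FirstHost    = $prior.Workstation
                    FirstLogon   = $prior.TimeCreated
                    SecondHost   = $current.Workstation
                    SecondLogon  = $current.TimeCreated
                    MinutesApart = [math]::Round(($current.TimeCreated - $prior.TimeCreated).TotalMinutes, 1)
                }
            }
        }
    }
}

# Constructed sample events; the shape mirrors what you would extract from 4624.
$base   = [datetime]'2023-05-08T08:00:00'
$events = @(
    [pscustomobject]@{ EventId = 4624; LogonType = 2;  Account = 'jdoe';   Workstation = 'WS-101'; TimeCreated = $base }
    [pscustomobject]@{ EventId = 4624; LogonType = 2;  Account = 'jdoe';   Workstation = 'WS-217'; TimeCreated = $base.AddMinutes(12) }  # same account, second desk
    [pscustomobject]@{ EventId = 4624; LogonType = 10; Account = 'asmith'; Workstation = 'WS-140'; TimeCreated = $base.AddMinutes(5) }
    [pscustomobject]@{ EventId = 4624; LogonType = 2;  Account = 'asmith'; Workstation = 'WS-140'; TimeCreated = $base.AddMinutes(20) }  # same host, normal
    [pscustomobject]@{ EventId = 4624; LogonType = 3;  Account = 'jdoe';   Workstation = 'FS-01';  TimeCreated = $base.AddMinutes(15) }  # network logon, ignored
    [pscustomobject]@{ EventId = 4624; LogonType = 2;  Account = 'bwong';  Workstation = 'WS-300'; TimeCreated = $base }
    [pscustomobject]@{ EventId = 4624; LogonType = 2;  Account = 'bwong';  Workstation = 'WS-301'; TimeCreated = $base.AddHours(6) }     # next shift, outside window
)

Find-SharedAccountLogons -Events $events -WindowMinutes 30 | Format-Table -AutoSize
```

Run against the sample, only the jdoe pair (WS-101 and WS-217, 12 minutes apart) is reported; asmith stays on one host and bwong's two logons are six hours apart. A hit is not proof of sharing, since a user who walks between two desks without logging off produces the same pattern, but it gives the auditor a concrete list of accounts to ask about rather than an argument from principle.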

This is the same principle as the requirement that each cashier use their own cash drawer instead of a shared cash register drawer. If two people share a cash drawer and one steals, they both come under suspicion. The employer owes its employees a duty to see that they cannot be falsely accused of inappropriate conduct.

Let’s remember that every employee in history who has been convicted of theft, embezzlement, or another crime was hired as a trusted employee. This policy has nothing to do with trust; it is about self-preservation.

The Maine Attorney General’s office recently terminated the employment of an employee, licensed to practice law in Maine, who is accused of connection to an explicit content violation. Until this was brought to light, this lawyer was considered a trusted employee above reproach. Imagine putting yourself in the situation of having that same person's password logged in on your computer. I shared all of these thoughts with the team, and people were shocked.

The Challenges In Remote Work And Inadvertent Collaboration

During the meeting, many employees argued that even though they knew they were going against the IT security policy, they usually shared passwords to make workflow easier. Some of the questions were: What if an employee has a planned leave? What if they are sick and someone else needs to take on their work?

With modern tools, all of these situations are easily manageable. When an employee has a planned leave, the email platform can simply be configured to forward incoming emails to another person. If an employee falls sick, they can usually manage to log on from anywhere, activate the forwarding feature, and log off. In an emergency, the help desk can perform this action for them.
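Here is what that help desk action looks like in practice, as an added example that is not code from the original post. It assumes an Exchange Online tenant, the ExchangeOnlineManagement PowerShell module, and an operator holding an Exchange administrator role; the mailbox addresses are placeholders. The point of doing it this way is that the covering colleague works under their OWN identity, so every action on the absent employee's mailbox is logged against the right person and no password ever changes hands.

```powershell
# Added example (not from the original post): cover a planned absence with mail
# forwarding plus mailbox delegation in Exchange Online. Requires the
# ExchangeOnlineManagement module and an Exchange admin role; all addresses
# below are constructed placeholders.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'helpdesk.admin@example.com'

$absentUser = 'jane.doe@example.com'   # employee on leave (placeholder)
$coverUser  = 'john.roe@example.com'   # colleague covering the work (placeholder)

# 1. Forward NEW mail to the covering colleague. DeliverToMailboxAndForward keeps
#    a copy in the absent employee's mailbox, so nothing is lost when they return.
Set-Mailbox -Identity $absentUser -ForwardingAddress $coverUser -DeliverToMailboxAndForward $true

# 2. Give the colleague access to the EXISTING mailbox contents under their own
#    login. AutoMapping:$false stops Outlook from attaching the mailbox permanently;
#    they open it explicitly while the cover lasts.
Add-MailboxPermission -Identity $absentUser -User $coverUser -AccessRights FullAccess -AutoMapping $false

# 3. Verify what was set, and record it in the help desk ticket.
Get-Mailbox -Identity $absentUser |
    Select-Object DisplayName, ForwardingAddress, DeliverToMailboxAndForward
Get-MailboxPermission -Identity $absentUser -User $coverUser

# 4. When the employee returns, remove both settings so the access does not linger.
Set-Mailbox -Identity $absentUser -ForwardingAddress $null -DeliverToMailboxAndForward $false
Remove-MailboxPermission -Identity $absentUser -User $coverUser -AccessRights FullAccess -Confirm:$false

Disconnect-ExchangeOnline -Confirm:$false
```

Step 4 matters as much as steps 1 and 2: delegated access that is never revoked is the next audit finding. Both the grant and the removal appear in the Exchange admin audit log, which is exactly the trail a shared password cannot produce.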

In any case, I’m interested in knowing how many such emergency situations have actually occurred in the past 6 to 12 months in any company, accounting firm, or other type of organization. But I am not inclined to plumb the depths of history with respect to this one aspect of the discussion.

Are passwords inadvertently shared? Probably.

Does that make it right or smart? No.

The truth is that password sharing among employees is a high-risk bad habit that needs to be addressed sooner rather than later. The prohibition on sharing passwords is a standard control around the world, and it is important to follow it to protect both the employees and the organization.

Take Care Of The Issue

If you run an accounting firm, I urge you to look deeper into how this type of information is being used and whether your employees are respecting security policies as they should. If you are an accounting employee, don't share your passwords, even if it is your boss asking for them. But most of all, don't accept other people's passwords; you may be getting yourself into a problem.

The end of the story? Nothing moves employees more than showing them the risks to which they are exposing themselves, even more than the risks to the company. I was successful in getting the unit to stop sharing passwords.

Benson Dana

Retired CPA and author of "Tales From The Trenches: A CPA Internal Auditor's Stories of Fraud, Internal Controls, Auditing, and Embezzlement".
