Password sharing might seem harmless at first but it can lead to serious problems for HR. Here’s how – and why – you should stop it.
IT expert and professional penetration tester Asher DeMetz says the biggest problem with password sharing is that the password very often gets written down.
“Password sharing is a security risk because the password gets written down,” he explains, “and what is written down can be seen by the wrong pair of eyes.”
“Ethical hacker” DeMetz says one of the most common causes of password sharing is that employees can’t gain access to a certain application. “Frequently it is because someone needs a resource they don’t have permission to access,” he explains.
It’s often easier for a senior employee to simply hand over their password on a piece of paper than to get temporary access granted by IT. DeMetz insists this “harmless” act is actually a big deal: even if the employee can be trusted, it’s likely they’ll write the password down, and another worker with less innocent intentions could come across it.
Not only does this make your organization more vulnerable to cyber-attacks, it means an employee could gain access to a plethora of sensitive information – from performance reviews and personnel complaints to salary figures and financial situations.
So what can HR do to stop password sharers – and any potential hackers – in their tracks?
“Password security is all about modifying employee behaviour,” says DeMetz – not about issuing more complex passcodes or having multiple sign-ins.
No matter how many numbers, symbols or upper-case letters you make your employees include in their passwords, the moment they write one down and share it with someone else, they’re putting your organization at risk.
Here are four steps DeMetz says all HR departments should take immediately:
- Set expectations from the top
- Make permissions a priority
“If you make it a priority to process permission requests, people are more likely to go about things the right way, rather than jotting their passwords down and sharing them,” says DeMetz.
- Move to a single sign-on
“When companies make the move to single sign-on, where a single password provides access to multiple systems and applications, people tend to be less likely to share their password because it would give the other person an ‘in’ to systems they don’t want them to access – such as email or personnel files,” he explains.
- Educate employees
“Take the time to explain how password sharing places the company at risk,” says DeMetz. “Those scrawled-on sticky-notes are the keys to the kingdom for corporate hackers.”