Shared Passwords and Accountability

Information Security

Accountability is one principle often forgotten in daily business and many employees don’t take seriously their credentials e.g. usernames and passwords. What would be your reaction if an auditor or a person from a law enforcement agency would like to ask you some questions regarding a fraud in your organization? This is probably the worst case scenario but always possible if you share your information to someone else. Indeed. If you give your credentials to your colleagues and they use it to commit illegal activities, it’s your name that will show up in the transaction logs. This person can act on your behalf in the systems without any indices. Of course, you will be the first one to be investigated because at first, you look just as guilty. You will have to prove that you are not responsible for these transactions and this process could be an unnecessary stressful situation. The accountability’s goal is mainly to allow only one identity per transaction because an organization wants to know who do what and when in their systems. In most enterprises concerned about their accountability’s accesses, be sure that each action will be logged and kept a few months. Never forget that a username and password are like your identity in your organization. The same thing is applicable for other credentials such as an access card. Each time that a reader scans an access card, this event is logged with information about the owner, reader’s place, date and time whether it is really the right owner or not. The only way to reduce credentials shared among employees is awareness. In certain organizations where detection controls are correctly established, accesses will be temporarily suspended if unusual utilizations are detected. In order to reactivate accesses, the employee must have a meeting with organization’s stakeholders concerning this issue.

There are many reasons where you would be tempted to give one of your access to someone else or use common credentials. It’s true. This is often faster than creating a request to the IT department and waiting for a response during a few days. However, sharing accounts are never the solution whether you need new accesses for an ad hoc employee or an intern only for a short period of time. Someone in the organization has the responsibility to authorize new accesses for the resource requested and will verify if accesses should be granted or not. You are probably not the resource’s data owner and you can not make this judgement call. If you don’t have an access to a specific resource perhaps you are simply not authorized to access it and the use of other access will probably cause a security breach. In a large organization, accesses are often granted per role in the way that you will have your own credential but the same permissions that your colleagues at the same level. In an SMB where central identity management is not always in place such as an Active Directory, accesses are managed per application or system basis. This doesn’t mean to create general accesses per role like “administrator” or “staff“. Take the time to create an account for each employee because accountability is always important whatever the resource. Finally, don’t forget to review accesses created and their permissions. If an employee doesn’t need an access anymore, simply revoke it.