In December an MP tweeted that she regularly allows staff to share the login for her work computer. Not only this, she tweeted that she regularly sits down at her desk and asks others what her password is. Surprisingly, she is not the only one who does this. In fact, several other MPs took to Twitter to say that they also allow members of their staff to use their credentials to access their work computer. The MP defended herself by saying that there is nothing on her computer apart from her email.
The MP tweeted that due to the volume of emails that she receives on a daily basis from constituents, it was only possible to deal with these by delegating some of the responsibility for monitoring them to other members of her staff.
Now I get that she trusts her staff and I am not about to cast any doubt on their integrity, but there are no circumstances that I can think of in which it would be acceptable to share logins and passwords with anyone. EVER.
Sharing logins poses many issues. The more people know your password, the more chance there is that it will be unintentionally leaked to someone who shouldn’t have it. Rather than targeting just one person in an attempt to find out the password, in this case hackers can target four or five people who could accidentally divulge that information.
There are many tools available that allow users to share things like email inboxes and calendars with others in their organisation. Delegated mailboxes allow users to give access to others without sharing their actual login details.
The advantage of this is that there will then be a clear audit trail of who has done what with the account. It would then be possible to see who sent an email, and when, without any ambiguity.
There are many options for sharing files with other users as well. These can be as simple as using a tool like Google Drive, which allows you to share only selected files or folders with specific people or groups. Again, there is the advantage of having accountability for who has done what with those files.
Imagine a malicious file is downloaded, or sensitive information is deleted, on a computer where people are sharing a login. How do you know which of the users did it? There is no way you can tell for sure. However, if the network is set up correctly, there will be a much better chance of finding out what happened and who is responsible.
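To make the audit trail point concrete, here is a small added example (not taken from any real system or product) that walks a constructed activity log and tries to name the person behind each action. The record layout, the account names and the 30-minute window are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records: (time, mailbox owner, login used, workstation, action).
# "member1" hands out her password; "member2" uses delegated access instead.
EVENTS = [
    ("2018-01-08T09:02", "member1", "member1", "DESK-01", "send_email"),
    ("2018-01-08T09:05", "member1", "member1", "DESK-02", "send_email"),
    ("2018-01-08T09:07", "member1", "member1", "DESK-03", "delete_file"),
    ("2018-01-08T09:10", "member2", "aide.a", "DESK-04", "send_email"),
    ("2018-01-08T09:12", "member2", "aide.b", "DESK-05", "delete_file"),
    ("2018-01-08T11:30", "member2", "member2", "DESK-06", "send_email"),
]

def shared_logins(events, window=timedelta(minutes=30)):
    """Logins used on two different workstations within `window`.
    A heuristic: one person moving desks quickly would also match."""
    seen = defaultdict(list)
    for ts, _owner, login, host, _action in events:
        seen[login].append((datetime.fromisoformat(ts), host))
    flagged = set()
    for login, uses in seen.items():
        uses.sort()
        for (t1, h1), (t2, h2) in zip(uses, uses[1:]):
            if h1 != h2 and t2 - t1 <= window:
                flagged.add(login)
    return flagged

def attribute(events):
    """Return (time, owner, action, person, delegated) for each event.
    person is None when the login is shared, so the log cannot say who acted."""
    shared = shared_logins(events)
    report = []
    for ts, owner, login, _host, action in events:
        person = None if login in shared else login
        delegated = person is not None and login != owner
        report.append((ts, owner, action, person, delegated))
    return report

if __name__ == "__main__":
    for ts, owner, action, person, delegated in attribute(EVENTS):
        who = person or "UNKNOWN (shared login)"
        via = " via delegation" if delegated else ""
        print(f"{ts} {owner}: {action} by {who}{via}")
```

Every action on the shared login comes back with no name attached, while the delegated mailbox shows exactly which aide sent the email and which one deleted the file.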
If you want to know more about how you can prevent the sharing of logins in your organisation, please email [email protected] for more information.
Written on 10 January 2018