On how many times have you received a phone call or an email from a manager in your group requesting he password of an employee to allow them to log onto their email account?
This request is typically issued when an employees is on annual leave and a call is received from a client or co-worker wishing to know if they have completed a request sent before they left. More often than not a client has sent an email to their account manager before he or she went on vacation, but it was accidentally neglected.
Access to the email account is crucial to prevent embarrassment or to ensure that a sales opportunity is not gone a begging. Maybe the specific employee has failed to configure their Out of Office reply and clients are not aware that they need to get in touch with a different person to get their questions addressed.
In years previously, managers used to maintain a log of all users’ passwords in a file on their computer. Should an emergency occur, they could discover the password and access any user account. However, this is dangerous. Nowadays this is not an acceptable thing to do. It also compromises the privacy of employees. If a password is known by any other person, there is nothing to prevent that person from using those login details any time they like. Since passwords are often used for personal accounts as well as work accounts, sharing that password could compromise the individual’s personal accounts also.
Keeping lists of passwords also makes it more difficult to take action over inappropriate internet and email usage. If a password has been shared, there is no way of ascertaining whether an individual has broken the law or breached company policies. It could have been someone else using that person’s login credentials.
IT workers are therefore not allowed to share passwords. Instead they must reset the user’s password, create a temporary one, and the user will need to reset it when they go back to work. Many managers will be ill at ease with these procedures and will still want to maintain their lists. Workers will be unhappy as they often use their work email accounts to send personal emails. Resetting a password and sharing manager access could be perceived as a major invasion of privacy.
However, there is an easy solution which will ensure that the privacy of individuals is assured, while forgotten Out of Office auto-responders can be created. Crucial emails will not go unnoticed either. To complete this you can establish shared mailboxes, although these are not always popular.
If this is done in Outlook and a manager may need to set it up in their Outlook program. It will also be a requirement for them to guide staff members how to use the shared mailboxes, and policies might need to be devised. They may have to permanently keep the mailboxes of multiple teams open in Outlook.
There is a different option, and that is to share permissions. It is more difficult to set up this control as it requires an MS Exchange Administrator to allow Delegate Access. Using Delegate Access will make it possible for a person, with the appropriate authorizations, to share an email on behalf of another staff member. This means mailboxes do not have to be accessible all the time. They can just be opened when an email must be sent. This may be perfect, but it will not allow a manager to implement a forgotten Out-of-Office auto-responder.
That would mean a member of the IT department such a domain manager would have to create it. A ticket would need to be filed requesting the action to be completed. This may not be desirable with managers, but it is the only way for the task to be completed without sharing the user’s login credentials or creating up a temporary password which would breach their privacy.
Groups must tackle an ever-growing threat from hackers. In 2019 and 2020, we have witnessed many high-profile data breaches, leading to significant financial repercussions and damaged brand reputation. Password-sharing at work comes with a huge danger for groups. 81% of breaches begin with stolen or weak passwords. When cybercriminals obtain entry to your database, shared passwords make it easier for them to access other sections of your network.
Multi-Factor Authentication to Prevent Password Sharing
When MFA is configured, access is only allowed when the user approves the use of two authentication factors. For instance, they initially complete the password process and then must complete another authentication request. This could be a code sent to a device. Multi-factor authentication, like any security process, works best when employed along with other security strategies.
If a complete ban on password sharing in not in place in your organization, it must be set up as soon as possible. To discover more in relation to password security and some of the key protections you can implement to enhance your resilience against attacks, contact the SpamTitan team now.