Why HR needs to put an end to password sharing

Password sharing might seem harmless at first but it can lead to serious problems for HR. Here’s how – and why – you should stop it.

Password sharing might seem fairly harmless at first but it can lead to a whole host of problems for HR – here’s how (and why) you should put an end to the potentially damaging practice.

IT expert and professional penetration tester Asher DeMetz says the biggest problem about password sharing is that the code very often gets written down.

“Password sharing is a security risk because the password gets written down,” he explains, “and what is written down can be seen by the wrong pair of eyes.”

“Ethical hacker” DeMetz says one of the most common causes of password sharing is because employees can’t gain access to a certain application. “Frequently it is because someone needs a resource they don’t have permission to access,” he explains.

It’s often easier for a senior employee to simply hand over their password on a piece of paper than get temporary access granted by IT but DeMetz insists this “harmless” act is actually a big deal because even if the employee can be trusted, it’s likely they’ll write the password down and another worker, with less innocent intentions, could come across it. 

Not only does this make your organisation more vulnerable to cyber-attacks, it means an employee could gain access to a plethora of sensitive information – from performance reviews and personnel complaints to salary figures and financial situations.

So what can HR do to stop password sharers – and any potential hackers – in their tracks?

“Password security is all about modifying employee behaviour,” says DeMetz – not about issuing more complex passcodes or having multiple sign-ins.

No matter how many numbers, symbols or upper-case letters you make your employees include in their passwords, the moment they write it down and share it with someone else, they’re putting your organization at risk.

Here are four steps DeMetz says all HR departments should take immediately:
  1. Set expectations from the top
“Get upper management involved,” advises DeMetz. “People aren’t going to stop sharing passwords because a nameless person in IT bleats ‘Hey, don’t do that!’ They’re going to stop sharing passwords when the CEO, CIO, CISO and the rest of the top guns say, ‘You will NOT share passwords – and if you do, you’re going to get more than a slap on the wrist.’”
  1. Make permissions a priority
Talk to IT and make it as quick and easy as possible for employees to get access to a new application.

“If you make it a priority to process permission requests, people are more likely to go about things the right way, rather than jotting their passwords down and sharing them,” says DeMetz.

    3. Move to a single sign-on

Multiple passwords are a stupid idea, says DeMetz – single passwords are actually a major motivator for employees to stop the sharing.

“When companies make the move to single sign-on, where a single password provides access to multiple systems and applications, people tend to be less likely to share their password because it would give the other person an “in” to systems they don’t want them to access – such as email or personnel files,” he explains.

    4. Educate employees 

It’s easy to understand why employees don’t see password sharing as a major issue and, until you educate them on the risks, their behaviour won’t change.

“Take the time to explain how password sharing places the company at risk,” says DeMetz. “Those scrawled-on sticky-notes are the keys to the kingdom for corporate hackers.”