5 ways to prevent "My password is on the post-it note".
According to research by IS Decisions, 49% of employees share their password for what they consider a justifiable reason, for example giving it to their line manager to cover a period of absence. That is quite different from the 23% who said yes when asked outright "Do you share your password?". Password sharing is an issue every organisation faces and one that is difficult, probably impossible, to eliminate entirely. There are, however, ways to mitigate it.
Issues of sharing passwords
Multiple devices, BYOD and the need to access various applications all intensify the password sharing issue. Sharing your password can appear to be a low-risk act when the recipient is a colleague you have known for a while. What would they possibly do? It is likely they won't do anything intentionally, but it is the unintentional acts that can be devastating. Once a password sharing culture exists, it is very easy for passwords to fall into the hands of someone who does intend to cause damage. Interestingly, according to the IS Decisions survey, 82% of employees believe they could access sensitive information if they wanted to. That is a huge proportion with little confidence in the security controls of their organisation.
Likewise, the increasing use of multiple devices and BYOD presents additional problems. Of those surveyed, 23% agree that having multiple devices makes managing their logins more complicated. More devices mean more applications needed to secure them, therefore more logins, and a greater risk of forgetting login details, which in turn encourages password sharing. This suggests that password sharing has the potential to grow in line with the adoption of BYOD.
Environments with a disparate collection of systems, each with its own access levels, exacerbate the password sharing issue. Access control becomes difficult to manage, and with constant pressure to get work done, sharing a password becomes more attractive. This potentially exposes employees to information they should not see. There is also more margin for accidental error when employees are dealing with systems and data for which they have had no training and whose importance they have not been made aware of.
These issues risk a breach and the destruction of your reputation, and tackling them ultimately requires support from senior management. Rather than a "do as I say, not as I do" approach, senior management need not only to be part of the policy development and approval but also to be seen to reinforce the policies. They need to understand the risks and communicate those risks to their teams. In the IS Decisions survey, 54% of those in senior management failed to recognise the risk of sharing login details. If there is an almost "bury your head in the sand" attitude at this level, then password sharing will be rife further down the organisation. Viewing this as "it will never happen to us" is not only a serious risk but a very naive point of view.
Numerous issues are associated with password sharing. The ultimate price to pay is a ruined reputation. A breach can destroy it in minutes and also has serious implications for your clients. If it is their information that is affected, their reputation is at risk too. Even if their information is not directly affected, they are now associated with an organisation that does not appear to take security seriously.
If these issues are not enough to make you sit up and take password sharing seriously here is a further list of reasons why we shouldn't allow password sharing within our organisations:
- Can't track who is accessing what data
- Data accuracy and integrity is at risk
- Auditors who see password sharing could deem the organisation as non-compliant
- More difficult to monitor suspicious activity
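The first and last points in that list are worth making concrete. When an account is shared, an authentication log can only tell you which account was used, not which person used it. What a defender can still do is look for the signature of sharing itself, for example one account logging in from several workstations within a short window. The script below is an added example and not part of the original article or of IS Decisions' research; the log format, account names and host names are constructed for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of authentication events (not taken from a real system).
# Fields: timestamp, account, source workstation, outcome.
SAMPLE_LOG = """\
2019-03-04T08:55:12 jsmith WS-FIN-01 success
2019-03-04T09:02:41 jsmith WS-FIN-07 success
2019-03-04T09:10:03 ahall WS-HR-02 success
2019-03-04T09:30:00 jsmith WS-FIN-01 success
2019-03-04T09:31:45 jsmith WS-FIN-07 failure
2019-03-04T13:15:30 ahall WS-HR-02 success
2019-03-05T08:00:00 ahall WS-HR-02 success
"""


def parse_events(text):
    """Parse whitespace-separated log lines into (timestamp, account, host, outcome)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, host, outcome = line.split()
        events.append((datetime.fromisoformat(ts), account, host, outcome))
    return events


def find_shared_use(events, window=timedelta(minutes=30)):
    """Flag accounts with successful logins from different hosts within `window`.

    Returns {account: sorted list of hosts involved}. Only successful logins
    count: a failed attempt from a second host is noise for this question.
    """
    by_account = defaultdict(list)
    for ts, account, host, outcome in events:
        if outcome == "success":
            by_account[account].append((ts, host))

    suspects = {}
    for account, logins in by_account.items():
        logins.sort()  # chronological order, so neighbours are the closest pairs
        hosts = set()
        for (t1, h1), (t2, h2) in zip(logins, logins[1:]):
            if h1 != h2 and t2 - t1 <= window:
                hosts.update((h1, h2))
        if hosts:
            suspects[account] = sorted(hosts)
    return suspects


if __name__ == "__main__":
    for account, hosts in find_shared_use(parse_events(SAMPLE_LOG)).items():
        # The log names the account, not the person: that is the attribution gap.
        print(f"{account}: concurrent use from {', '.join(hosts)}")
```

Run against the sample, the script flags `jsmith` as active on two finance workstations within minutes, while `ahall`, who only ever logs in from one machine, is not flagged. Note what the output cannot tell you: whether the second session was jsmith moving desks or a colleague who had been given the password. That ambiguity is exactly the "can't track who is accessing what" problem, and it is why the detection is a prompt for a conversation rather than proof.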
But why are employees password sharing?
Access to various applications, each requiring a different login, creates a myriad of password sharing issues. In some organisations, an employee who needs access to an application and is told "you need to call IT" reacts with dread. The thought of a long wait on the phone sends a shiver down the spine and adds to the stress of an already increasing workload. As a result, the employee may ask a colleague to share their access "while I'm waiting for IT", or not bother calling in the first place because they know it will take a while and they need to get the job done. Asking a colleague for their password gets the job done quicker and is simply more convenient.
The password policy provides direction to the employee, but it too can be a double-edged sword. In an environment where many applications are needed to perform a job, it becomes convenient to share a password when an employee needs "one off" access or someone is absent from the office. Add the numerous passwords to remember and the whole thing becomes an onerous task.
Additionally, a complicated password policy can add to the frustration and have the opposite effect, encouraging password sharing. The purpose of the policy was to secure the organisation's systems, but it has become so onerous and complicated that employees neither understand nor remember it. An employee who continually cannot remember their password will turn to colleagues to share theirs.
What can we do to reduce the issue of password sharing?
The following are some suggestions for reducing password sharing and, as a result, reducing or eradicating some of the issues that come with it. This is not an exhaustive list, but it provides a foundation for further research and analysis.
- Look to discover why password sharing is happening. Is it because employees have to access many applications, each with its own login details? Has IT acquired a reputation for being slow to reset passwords or unlock accounts? Is the location of data an issue, for example information that only exists in someone's mailbox? Understanding why employees share passwords is the first step to reducing it. Password sharing may be a symptom of other issues elsewhere within the firm.
- Assess the job roles themselves. Perhaps a role has evolved over time and its access levels should be reviewed. Perhaps the employee was given incorrect access from the outset because of a poorly written job description. Does the role require access to various applications on a regular basis? Assessing the requirements of a role from the very beginning can prevent password sharing further down the line. Where access levels are high, nominate a backup role to step in during absence so that the work is completed without anyone handing over their credentials.
- Applications that support single sign-on reduce the number of passwords an employee needs to remember, and with other technical controls in place this becomes very useful. Mobile device management software can also help with password management and the problem of needing several passwords in a BYOD environment.
- A clear Information Security policy and password policy, communicated to all employees, provide direction and understanding. Ensuring the password policy is not unnecessarily complicated makes it easier for employees to remember their passwords; mandatory complexity rules and frequent forced changes tend to push people towards the post-it note this article is named after.
- Education. Making employees aware of the policies and procedures helps them understand what is required of them, and explaining what they can access and why ensures clear understanding. The risks to your organisation need to be part of that education: if employees don't understand the risk, they won't fully understand the problems they are causing. Training and awareness delivered as part of a targeted communications plan is a very powerful tool.
Finally, the ultimate repercussion of password sharing for any organisation is a breach. For the individual, a breach could mean loss of employment for not following policy. If it is shown that password sharing is a recurring incident or is rife within the organisation and not enough controls have been put in place, it could be viewed as negligence, resulting in potential fines for the organisation. There are various solutions that can be put in place, some of them listed above, but none of them will work without the support of senior management. Their buy-in and commitment need to be demonstrated to show that this issue is being taken seriously. Without this key factor, any other solution will be a waste of time and money.
Is this a major issue for your firm? What solutions have you implemented that have worked for you? How committed are your senior management? I would be interested in your thoughts, please leave a comment below.