Know who else shares passwords? IT departments

Users get a lot of heat for poor password management, and it’s mostly justified. But a new survey from Centrify finds that IT can be just as guilty of sharing credentials, if not more so. 

Centrify found that:

  • 59% of IT managers shared passwords with other employees at least somewhat often, and
  • 52% shared credentials with contractors at least somewhat often.

This is bad news on its own, but it gets worse. While many IT pros surveyed said they’re able to revoke access to these accounts the day the contractor or employee leaves, almost half indicated that it could take a week or more to get them off the systems.

As a result, 82% of companies that use contractors regularly said it would be at least somewhat easy for these vendors and partners to access old data, and 53% said it would be at least somewhat easy for former users to access company data after leaving their jobs.

Not enough of a wake-up call

With so many public and embarrassing instances of insider threats, you’d think this information would be a wake-up call to companies. Yet IT pros often find themselves pushing for better password policies, only to be turned down by the top brass.

Centrify’s survey found that:

  • nearly half (48%) have had to fight with their companies to get stricter security measures in place, and
  • 42% of these IT pros have been turned down on requests for stricter protocols.

It’s tempting to say that these organizations would learn the lesson the hard way. But the lesson doesn’t always seem to get through then, either.

More than half of respondents (55%) said their organization had been breached in the past year, and 44% of them said that the breach had cost the organization more than thousands of dollars.

Trust isn’t enough

Most users are at least somewhat aware of the importance of good passwords, even if getting them to follow those policies is a herculean effort.

For IT to be lax about enforcing the one-user, one-account policy is understandable. There are times when you’re all-hands-on-deck, and every second counts – which doesn’t leave much time for setting up new accounts.

But IT should strive to be good role models for users and follow their own password and off-boarding steps.

Where to focus

Some areas you may want to consider addressing in your own department:

  • Updating passwords. This is a sure-fire way to keep unwanted eyes out. If somehow you miss a user leaving the organization, an expired password will prevent him or her from dropping by the network uninvited later.
  • Setting single-user policies. Only 56% of companies had a one-user-per-account policy, according to Centrify. Besides being a good security measure, this makes good business sense. It’s possible that the vendors’ terms and conditions ban multiple users – which could leave you paying penalties or locked out of contracts.
  • Requiring multi-factor authentication. This is easier said than done in many cases, but it pays off. If former users only have a password but need an individually created code to access information, they’ll be unable to access that data. One caveat: If the code is sent to a cell phone or email address they still have access to, this authentication method won’t protect you at all.
  • Limiting access from the start. Most organizations (62%) said they had too many privileged users, period. Get that under control first, then make sure that only the remaining privileged users are accessing those accounts, each with their own valid credentials.
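The two failures the survey points at, credentials still working after someone leaves and one account used by several people, both leave traces in authentication logs. The script below is an added example, not from the article or from Centrify: it parses a handful of constructed key=value auth log lines, reports successful logins by departed users (and how many days after their last day they happened), and flags accounts used from more distinct sources than a single-user policy would allow. The log format, user names, addresses and dates are all made up for illustration.

```python
from collections import defaultdict
from datetime import datetime, date

# Constructed sample data (not from the article): off-boarded users with their
# last working day, and a few auth log lines in a simple key=value format.
DEPARTED = {
    "ccontractor": date(2016, 3, 1),   # contractor whose engagement ended
    "jdoe": date(2016, 2, 15),         # employee who left the company
}

AUTH_LOG = [
    "2016-03-02T08:15:10 user=admin src=10.0.1.5 result=success",
    "2016-03-02T08:16:44 user=admin src=10.0.1.9 result=success",
    "2016-03-02T09:01:02 user=admin src=10.0.2.17 result=success",
    "2016-03-03T11:30:00 user=ccontractor src=10.0.5.21 result=success",
    "2016-03-08T14:02:19 user=ccontractor src=10.0.5.21 result=success",
    "2016-03-04T10:00:00 user=jdoe src=10.0.3.3 result=failure",
    "2016-03-05T16:45:12 user=asmith src=10.0.4.8 result=success",
]


def parse_line(line):
    """Turn one 'TIMESTAMP key=value ...' line into a dict with a datetime 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def find_stale_access(log, departed):
    """Successful logins by users after their recorded last day.

    Returns a list of (user, days_after_departure) in log order.
    """
    hits = []
    for rec in map(parse_line, log):
        last_day = departed.get(rec["user"])
        if last_day is None or rec["result"] != "success":
            continue
        lag = (rec["ts"].date() - last_day).days
        if lag > 0:
            hits.append((rec["user"], lag))
    return hits


def revocation_lag(log, departed):
    """Worst-case days between a user's last day and their latest successful login."""
    worst = {}
    for user, lag in find_stale_access(log, departed):
        worst[user] = max(worst.get(user, 0), lag)
    return worst


def find_shared_accounts(log, max_sources=1):
    """Accounts logged into successfully from more than max_sources distinct
    addresses; a crude but useful signal that a credential is being shared."""
    sources = defaultdict(set)
    for rec in map(parse_line, log):
        if rec["result"] == "success":
            sources[rec["user"]].add(rec["src"])
    return {u: sorted(s) for u, s in sources.items() if len(s) > max_sources}


if __name__ == "__main__":
    for user, lag in find_stale_access(AUTH_LOG, DEPARTED):
        print(f"departed user {user} logged in {lag} day(s) after last day")
    for user, lag in revocation_lag(AUTH_LOG, DEPARTED).items():
        print(f"revocation lag for {user}: {lag} day(s)")
    for user, srcs in find_shared_accounts(AUTH_LOG).items():
        print(f"possible shared account {user}: {len(srcs)} sources {srcs}")
```

The source-count threshold is deliberately low here; on a real network, set it to what one person plausibly uses (workstation plus VPN, say) and treat anything above it as a prompt to ask who holds the credential, not as proof of sharing. The revocation lag figure is the number worth tracking over time: the survey's "a week or more" is exactly what this measures.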
