Generic / Shared Accounts
Generic accounts and the sharing of accounts are rampant, especially in small businesses, as they can be used to save money on licensing and make accessing information easy. Forgot the password? You don’t need to call anyone to request a password reset; just ask anyone in the office! While it may seem like an easy solution, there are a few reasons it is not an acceptable one:
- Letting multiple people use one account can often be a violation of a software or service’s EULA agreement (you know that big, long legal disclaimer that everyone reads 100% before clicking I agree).
- If you do not rotate the password for any shared accounts every time an employee leaves the company, you now have people outside of your company with access to your data.
- Using shared accounts means you lose the ability to hold individuals accountable for their actions. If someone deletes a whole bunch of critical data under a shared login, you as a business owner do not have any way to hold someone accountable, whether it was accidental or malicious.
Sharing Personal Credentials
The negative effects of sharing personal credentials with coworkers may not be obvious in the moment, but they can have serious negative effects on the owner of the credentials. Like I mentioned before, when multiple people have access to a shared account, no individual can be proven to be responsible for action taken on that account. Similarly, when employees share their personal credentials with someone else, they are essentially taking on responsibility for that person’s actions. If John Smith’s account deletes an important file share, that will show up in the logs. What will not is that John logged into a computer for Sally because she forgot her password and then she accidentally deleted a critical file share. John has put himself in a poor position by giving someone access to something that ultimately, he is responsible for.
Another big problem area is leaving terminated employees’ accounts active. I’ll cover that topic next time.