Many small businesses share a single email account among multiple employees, or across a whole team or department. They may do the same with software accounts. It can seem like a prudent business move. But it’s not. Sharing credentials this way is a major security risk. In fact, the practice causes the lion’s share of cybersecurity breaches in small companies.
Don’t do it. Seriously.
We know you have your reasons. Maybe it’s too expensive to purchase individual accounts for every employee. Maybe your customers are used to contacting you on your shared email account, and you don’t want to inconvenience them. It’s possible that you don't have an IT department, so shared accounts are easier to maintain. Those are all perfectly reasonable reasons that reasonable people give to support their very reasonable actions.
Except that they aren’t. The risks involved outweigh any perceived benefit, and the losses that are possible can dwarf any money or time you’re saving.
So really, don’t do it. Ever.
Why Is Sharing Credentials Such a Terrible Idea?
Ask yourself how many people have access to your company’s shared accounts. Your current employees certainly. How about former employees? How many people have come and gone since the shared credentials were created? What percentage of them stored those credentials on their personal devices or on post-it notes in their purse or wallet?
If you know the exact number, you’re in the minority. Most small companies have no appreciation for, and never think about, how many copies of their critical account passwords are floating around in the world.
What happens when a former employee sells their laptop with your company’s email credentials saved in the browser? What if they lose their phone and some unscrupulous person finds it? And consider the nightmare scenario where a disgruntled former employee logs into your shared accounts from home and deletes critical data or downloads your CRM database and takes it to a competitor.
Sharing credentials is a bad practice because you lose control over critical assets. If you have ten employees and they all have access to a shared email account, how can you tell who to talk to when important messages are accidentally deleted? What if a former staff member, now employed by one of your competitors, logs into your accounts and shares sensitive information with their superiors?
Is sharing credentials “extinction-level asteroid hurtling toward Earth” bad? Probably not. But it’s a close second. The practice won’t wipe out civilization, but it can, and has, wiped out companies.
So please don’t do it. We’re begging you.
Okay, I’m Convinced. What Should I Do Instead?
Nearly every service available to businesses allows for multiple user accounts. Many don’t charge extra for the benefit and most make it easy to set up. If they do charge, bite the bullet and make the investment. In many cases, sharing accounts is a violation of their terms of service, so there are ethical considerations as well.
Make an inventory of every service your company uses and check whether any shared accounts exist. If they do, change the password so that you are the only person with access. Then take the time to set up individual user accounts for each employee who needs access. Sharing credentials will cease once every employee has their own account.
For formerly shared email accounts, designate one employee to manage communications, and remove everyone else’s access. Let your customers know about the change and distribute new addresses for each employee they need to reach.
If it’s crucial for everyone to have access to emails in the old shared account during the adjustment period, have the old account forward messages to each person’s individual inbox. If your company uses Office 365 or Google G Suite, you can create Distribution Groups or Google Groups, respectively, to accomplish this.
Both tools are designed to automate the forwarding of emails to a wider audience. That way everyone in the company will still get shared messages, but nobody needs the shared account’s password any longer.
Now That You’re Not Sharing Credentials, Avoid Weak Passwords
There is a hazard to consider when assigning individual user accounts. Each employee sets their own password, and you don’t want someone choosing “password” or “BobIsCool”. Each account is a potential access point for attackers, so set password standards.
You can also have employees use a password manager. These generate unbreakable passwords and then store them so that memorization isn’t necessary (there are issues with password vaults, so do your research).
When you can use multi-factor authentication, take advantage of it. Your online security is only as strong as your weakest link. Don’t let Bob ruin it for everyone.
Balance Is Restored
Once each employee has their own credentials, you’ll have control over your security. When employees leave, you can disable their accounts, removing their access to sensitive information. The employee might still have credentials saved on their devices, but once the account is deactivated those saved credentials no longer work, so they are no longer a security risk.
As a final protection, update your password-sharing policy. Make sure employees understand why the practice is dangerous and that it won’t be tolerated. As long as you make sure everyone has separate access, there won’t be a need to share passwords anyway.
So are we agreed then? No more sharing credentials? Excellent. We’ll all sleep a little better tonight.