No matter how many numbers, symbols or upper-case letters you make your employees include in their passwords, the moment they write them down and share them with someone else, they’re putting your organization at risk.
Here are four steps DeMetz says all HR departments should take immediately:
- Set expectations from the top
“Get upper management involved,” advises DeMetz. “People aren’t going to stop sharing passwords because a nameless person in IT bleats ‘Hey, don’t do that!’ They’re going to stop sharing passwords when the CEO, CIO, CISO and the rest of the top guns say, ‘You will NOT share passwords – and if you do, you’re going to get more than a slap on the wrist.’”
- Make permissions a priority
Talk to IT and make it as quick and easy as possible for employees to get access to a new application.
“If you make it a priority to process permission requests, people are more likely to go about things the right way, rather than jotting their passwords down and sharing them,” says DeMetz.
- Move to a single sign-on
Multiple passwords are a stupid idea, says DeMetz – single passwords are actually a major motivator for employees to stop the sharing.
“When companies make the move to single sign-on, where a single password provides access to multiple systems and applications, people tend to be less likely to share their password because it would give the other person an ‘in’ to systems they don’t want them to access – such as email or personnel files,” he explains.
- Educate employees
It’s easy to understand why employees don’t see password sharing as a major issue and, until you educate them on the risks, their behaviour won’t change.
“Take the time to explain how password sharing places the company at risk,” says DeMetz. “Those scrawled-on sticky-notes are the keys to the kingdom for corporate hackers.”