A ZDNet report described a number of bad security habits in small to medium companies, among which was the headline statistic that 22% of business leaders share their email passwords with co-workers or assistants.
Much of the success of Office 365 is fueled by small to medium businesses, who find it much easier to use cloud services than to deploy their own Exchange and SharePoint servers (a point underlined by attacks on on-premises Exchange servers) . I hope that 22% of business leaders who use Office 365 don’t share their passwords. It’s old-school thinking that doesn’t reflect the reality of today. Sharing passwords is bad practice and it is utterly unnecessary.
Knowing someone’s account password gives you access to much more than their email. You can then log onto Teams and read the conversations in the private teams that person belongs to, or open protected SharePoint documents, or read whatever’s in their OneDrive for Business account, or take part as that person in Yammer conversations. As people move more data into cloud services, knowing personal passwords becomes the key to access all that data rather than just a mailbox.
The sad thing is that no need exists for anyone to ever share the password to their account. Mailbox delegation, shared mailboxes, Microsoft 365 Groups, and Teams all provide other ways for senior people to collaborate effectively and securely with their assistants.
No matter what size your company is, it’s time to stop the awful habit of password sharing now. Make sure that none of your users share passwords, and if you find that some do, be kind but firm and help them understand why what they are doing is so dreadfully wrong.
Better Sharing Options Exist
If people argue back and say that sharing passwords is the only way they can collaborate with their assistants, take the opportunity to prove that they are dead wrong. Clinging to techniques that worked in the 1980s is not a recipe for good IT security or successful collaboration. Point out that a variety of methods exist in Office 365 to allow better and more secure sharing:
Delegate access to folders in their mailbox, including the inbox and calendar, to allow assistants process email on their behalf. Delegation is very straightforward and doesn’t need the delegator to share passwords.
Have their email sent to a shared mailbox where it is processed by their team. Any important email can be sent to a separate private mailbox used by the executive for their most personal and sensitive communications. The private mailbox is hidden from the GAL and only available to certain senders. You can define a list of approved senders (use a distribution list for maximum flexibility) for the mailbox or use moderation to control what email gets through. Using a mix of shared/private mailboxes for executive communications is often used to protect executives in large corporations, but as shared mailboxes are free in Office 365, there’s no reason why the same technique can’t be used in smaller companies.
If they prefer, they could use an Microsoft 365 group instead of a shared mailbox. Microsoft 365 Groups are included in many Office 365 subscriptions and the email that arrives in the group can be responded to by assistants. The benefit of using a group is that it comes along with a SharePoint team site, so it’s easy to handle shared documents. The group can also be used with Planner. Again, the executive can have a private mailbox for their most sensitive and secure email.
If the executive wants to have a secure place to discuss matters with their assistants, they could also consider using a team instead of a group and take discussions out of email. The executive could send messages needing action to different channels in the team (like a “Priority” channel or channels named after projects, or a private channel shared only between the executive and their assistant). The downside of using Teams is that you cannot send email from a team (or on behalf of a user from a team), so outbound communication will still have to be processed by email.
Sensitivity labels with information protection can stop unauthorized access to confidential documents and email even if they are leaked or shared inappropriately.
Microsoft 365 Groups and Teams both support shared calendars, so supporting the executive’s calendar is not a problem. Outlook for iOS and Android support access to shared mailboxes and Microsoft 365 Groups, and Teams has its own mobile client, so there’s no problem getting to information when on the road.
After you use MFA to protect an account, knowing passwords is not enough for others to access the account. They need to have access to the second authentication method, like a mobile phone. Although it’s conceivable that executives might give their mobile phone to their assistants to allow access to their email, implementing MFA in a tenant is an excellent way to begin eradicating password sharing.
Break Old Habits
Executives have different modes of working and the transition from email-based, password-sharing access to mailboxes will be difficult for some (and their assistants). It is sensible to sit down with the assistants to understand the ebb and flow of information and how the executive processes work to come up with the right solution for them. The good thing is that Office 365 offers different highly functional options. The challenge is to pick the right one for the person to help them break the horrible and dangerous habit of password sharing.
The Office 365 for IT Pros eBook goes into great detail about all these topics. Isn’t it worth your while having access to the best and most up-to-date information about Office 365?
{"id":null,"mode":"button","open_style":"in_modal","currency_code":"EUR","currency_symbol":"\u20ac","currency_type":"decimal","blank_flag_url":"https:\/\/office365itpros.com\/wp-content\/plugins\/tip-jar-wp\/\/assets\/images\/flags\/blank.gif","flag_sprite_url":"https:\/\/office365itpros.com\/wp-content\/plugins\/tip-jar-wp\/\/assets\/images\/flags\/flags.png","default_amount":100,"top_media_type":"featured_image","featured_image_url":"https:\/\/office365itpros.com\/wp-content\/uploads\/2022\/11\/cover-141x200.jpg","featured_embed":"","header_media":null,"file_download_attachment_data":null,"recurring_options_enabled":true,"recurring_options":{"never":{"selected":true,"after_output":"One time only"},"weekly":{"selected":false,"after_output":"Every week"},"monthly":{"selected":false,"after_output":"Every month"},"yearly":{"selected":false,"after_output":"Every year"}},"strings":{"current_user_email":"","current_user_name":"","link_text":"Virtual Tip Jar","complete_payment_button_error_text":"Check info and try again","payment_verb":"Pay","payment_request_label":"Office 365 for IT Pros","form_has_an_error":"Please check and fix the errors above","general_server_error":"Something isn't working right at the moment. Please try again.","form_title":"Office 365 for IT Pros","form_subtitle":null,"currency_search_text":"Country or Currency here","other_payment_option":"Other payment option","manage_payments_button_text":"Manage your payments","thank_you_message":"Thank you for supporting the work of Office 365 for IT Pros!","payment_confirmation_title":"Office 365 for IT Pros","receipt_title":"Your Receipt","print_receipt":"Print Receipt","email_receipt":"Email Receipt","email_receipt_sending":"Sending receipt...","email_receipt_success":"Email receipt successfully sent","email_receipt_failed":"Email receipt failed to send. Please try again.","receipt_payee":"Paid to","receipt_statement_descriptor":"This will show up on your statement as","receipt_date":"Date","receipt_transaction_id":"Transaction ID","receipt_transaction_amount":"Amount","refund_payer":"Refund from","login":"Log in to manage your payments","manage_payments":"Manage Payments","transactions_title":"Your Transactions","transaction_title":"Transaction Receipt","transaction_period":"Plan Period","arrangements_title":"Your Plans","arrangement_title":"Manage Plan","arrangement_details":"Plan Details","arrangement_id_title":"Plan ID","arrangement_payment_method_title":"Payment Method","arrangement_amount_title":"Plan Amount","arrangement_renewal_title":"Next renewal date","arrangement_action_cancel":"Cancel Plan","arrangement_action_cant_cancel":"Cancelling is currently not available.","arrangement_action_cancel_double":"Are you sure you'd like to cancel?","arrangement_cancelling":"Cancelling Plan...","arrangement_cancelled":"Plan Cancelled","arrangement_failed_to_cancel":"Failed to cancel plan","back_to_plans":"\u2190 Back to Plans","update_payment_method_verb":"Update","sca_auth_description":"Your have a pending renewal payment which requires authorization.","sca_auth_verb":"Authorize renewal payment","sca_authing_verb":"Authorizing payment","sca_authed_verb":"Payment successfully authorized!","sca_auth_failed":"Unable to authorize! Please try again.","login_button_text":"Log in","login_form_has_an_error":"Please check and fix the errors above","uppercase_search":"Search","lowercase_search":"search","uppercase_page":"Page","lowercase_page":"page","uppercase_items":"Items","lowercase_items":"items","uppercase_per":"Per","lowercase_per":"per","uppercase_of":"Of","lowercase_of":"of","back":"Back to plans","zip_code_placeholder":"Zip\/Postal Code","download_file_button_text":"Download File","input_field_instructions":{"tip_amount":{"placeholder_text":"How much would you like to tip?","initial":{"instruction_type":"normal","instruction_message":"How much would you like to tip? Choose any currency."},"empty":{"instruction_type":"error","instruction_message":"How much would you like to tip? Choose any currency."},"invalid_curency":{"instruction_type":"error","instruction_message":"Please choose a valid currency."}},"recurring":{"placeholder_text":"Recurring","initial":{"instruction_type":"normal","instruction_message":"How often would you like to give this?"},"success":{"instruction_type":"success","instruction_message":"How often would you like to give this?"},"empty":{"instruction_type":"error","instruction_message":"How often would you like to give this?"}},"name":{"placeholder_text":"Name on Credit Card","initial":{"instruction_type":"normal","instruction_message":"Enter the name on your card."},"success":{"instruction_type":"success","instruction_message":"Enter the name on your card."},"empty":{"instruction_type":"error","instruction_message":"Please enter the name on your card."}},"privacy_policy":{"terms_title":"Terms and conditions","terms_body":null,"terms_show_text":"View Terms","terms_hide_text":"Hide Terms","initial":{"instruction_type":"normal","instruction_message":"I agree to the terms."},"unchecked":{"instruction_type":"error","instruction_message":"Please agree to the terms."},"checked":{"instruction_type":"success","instruction_message":"I agree to the terms."}},"email":{"placeholder_text":"Your email address","initial":{"instruction_type":"normal","instruction_message":"Enter your email address"},"success":{"instruction_type":"success","instruction_message":"Enter your email address"},"blank":{"instruction_type":"error","instruction_message":"Enter your email address"},"not_an_email_address":{"instruction_type":"error","instruction_message":"Make sure you have entered a valid email address"}},"note_with_tip":{"placeholder_text":"Your note here...","initial":{"instruction_type":"normal","instruction_message":"Attach a note to your tip (optional)"},"empty":{"instruction_type":"normal","instruction_message":"Attach a note to your tip (optional)"},"not_empty_initial":{"instruction_type":"normal","instruction_message":"Attach a note to your tip (optional)"},"saving":{"instruction_type":"normal","instruction_message":"Saving note..."},"success":{"instruction_type":"success","instruction_message":"Note successfully saved!"},"error":{"instruction_type":"error","instruction_message":"Unable to save note note at this time. Please try again."}},"email_for_login_code":{"placeholder_text":"Your email address","initial":{"instruction_type":"normal","instruction_message":"Enter your email to log in."},"success":{"instruction_type":"success","instruction_message":"Enter your email to log in."},"blank":{"instruction_type":"error","instruction_message":"Enter your email to log in."},"empty":{"instruction_type":"error","instruction_message":"Enter your email to log in."}},"login_code":{"initial":{"instruction_type":"normal","instruction_message":"Check your email and enter the login code."},"success":{"instruction_type":"success","instruction_message":"Check your email and enter the login code."},"blank":{"instruction_type":"error","instruction_message":"Check your email and enter the login code."},"empty":{"instruction_type":"error","instruction_message":"Check your email and enter the login code."}},"stripe_all_in_one":{"initial":{"instruction_type":"normal","instruction_message":"Enter your credit card details here."},"empty":{"instruction_type":"error","instruction_message":"Enter your credit card details here."},"success":{"instruction_type":"normal","instruction_message":"Enter your credit card details here."},"invalid_number":{"instruction_type":"error","instruction_message":"The card number is not a valid credit card number."},"invalid_expiry_month":{"instruction_type":"error","instruction_message":"The card's expiration month is invalid."},"invalid_expiry_year":{"instruction_type":"error","instruction_message":"The card's expiration year is invalid."},"invalid_cvc":{"instruction_type":"error","instruction_message":"The card's security code is invalid."},"incorrect_number":{"instruction_type":"error","instruction_message":"The card number is incorrect."},"incomplete_number":{"instruction_type":"error","instruction_message":"The card number is incomplete."},"incomplete_cvc":{"instruction_type":"error","instruction_message":"The card's security code is incomplete."},"incomplete_expiry":{"instruction_type":"error","instruction_message":"The card's expiration date is incomplete."},"incomplete_zip":{"instruction_type":"error","instruction_message":"The card's zip code is incomplete."},"expired_card":{"instruction_type":"error","instruction_message":"The card has expired."},"incorrect_cvc":{"instruction_type":"error","instruction_message":"The card's security code is incorrect."},"incorrect_zip":{"instruction_type":"error","instruction_message":"The card's zip code failed validation."},"invalid_expiry_year_past":{"instruction_type":"error","instruction_message":"The card's expiration year is in the past"},"card_declined":{"instruction_type":"error","instruction_message":"The card was declined."},"missing":{"instruction_type":"error","instruction_message":"There is no card on a customer that is being charged."},"processing_error":{"instruction_type":"error","instruction_message":"An error occurred while processing the card."},"invalid_request_error":{"instruction_type":"error","instruction_message":"Unable to process this payment, please try again or use alternative method."},"invalid_sofort_country":{"instruction_type":"error","instruction_message":"The billing country is not accepted by SOFORT. Please try another country."}}}},"fetched_oembed_html":false}