Stop Password Sharing Now
A ZDNet report described a number of bad security habits in small to medium companies, among which was the headline statistic that 22% of business leaders share their email passwords with co-workers or assistants.
Much of the success of Office 365 is fueled by small to medium businesses, who find it much easier to use cloud services than to deploy their own Exchange and SharePoint servers (a point underlined by attacks on on-premises Exchange servers). I hope that 22% of business leaders who use Office 365 don’t share their passwords. It’s old-school thinking that doesn’t reflect the reality of today. Sharing passwords is bad practice and it is utterly unnecessary.
Knowing someone’s account password gives you access to much more than their email. You can then log onto Teams and read the conversations in the private teams that person belongs to, or open protected SharePoint documents, or read whatever’s in their OneDrive for Business account, or take part as that person in Yammer conversations. As people move more data into cloud services, knowing personal passwords becomes the key to access all that data rather than just a mailbox.
The sad thing is that no need exists for anyone to ever share the password to their account. Mailbox delegation, shared mailboxes, Microsoft 365 Groups, and Teams all provide other ways for senior people to collaborate effectively and securely with their assistants.
No matter what size your company is, it’s time to stop the awful habit of password sharing now. Make sure that none of your users share passwords, and if you find that some do, be kind but firm and help them understand why what they are doing is so dreadfully wrong.
Better Sharing Options Exist
If people argue back and say that sharing passwords is the only way they can collaborate with their assistants, take the opportunity to prove that they are dead wrong. Clinging to techniques that worked in the 1980s is not a recipe for good IT security or successful collaboration. Point out that a variety of methods exist in Office 365 to allow better and more secure sharing:
- Delegate access to folders in their mailbox, including the inbox and calendar, to allow assistants to process email on their behalf. Delegation is very straightforward and doesn’t need the delegator to share passwords.
- Have their email sent to a shared mailbox where it is processed by their team. Any important email can be sent to a separate private mailbox used by the executive for their most personal and sensitive communications. The private mailbox is hidden from the GAL and only available to certain senders. You can define a list of approved senders (use a distribution list for maximum flexibility) for the mailbox or use moderation to control what email gets through. A mix of shared and private mailboxes for executive communications is often used to protect executives in large corporations, but as shared mailboxes are free in Office 365, there’s no reason why the same technique can’t be used in smaller companies.
- If they prefer, they could use a Microsoft 365 group instead of a shared mailbox. Microsoft 365 Groups are included in many Office 365 subscriptions and the email that arrives in the group can be responded to by assistants. The benefit of using a group is that it comes along with a SharePoint team site, so it’s easy to handle shared documents. The group can also be used with Planner. Again, the executive can have a private mailbox for their most sensitive and secure email.
- If the executive wants to have a secure place to discuss matters with their assistants, they could also consider using a team instead of a group and take discussions out of email. The executive could send messages needing action to different channels in the team (like a “Priority” channel or channels named after projects, or a private channel shared only between the executive and their assistant). The downside of using Teams is that you cannot send email from a team (or on behalf of a user from a team), so outbound communication will still have to be processed by email.
- Sensitivity labels with information protection can stop unauthorized access to confidential documents and email even if they are leaked or shared inappropriately.
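The delegation and shared/private mailbox pattern from the first two options, as an added Exchange Online PowerShell example that is not part of the original post. The user, mailbox and distribution list names are constructed placeholders.

```powershell
# Added example (not from the original post): folder delegation plus the
# shared/private mailbox pattern, configured with Exchange Online PowerShell.
# Assumed names: Kim.Akers (executive), Assistant.One (assistant),
# Exec.Office (shared mailbox), "Exec Approved Senders" (distribution list).
Connect-ExchangeOnline

$Exec       = "Kim.Akers@contoso.com"
$Assistant  = "Assistant.One@contoso.com"
$SharedMbx  = "Exec.Office@contoso.com"
$ApprovedDL = "Exec Approved Senders"

# 1. Delegate folder-level access instead of handing over a password: the
#    assistant gets Editor rights on the Inbox and Calendar only, nothing else.
Add-MailboxFolderPermission -Identity "$($Exec):\Inbox"    -User $Assistant -AccessRights Editor
Add-MailboxFolderPermission -Identity "$($Exec):\Calendar" -User $Assistant -AccessRights Editor
# Replies go out "on behalf of" the executive, so the real sender stays visible.
Set-Mailbox -Identity $Exec -GrantSendOnBehalfTo @{Add = $Assistant}

# 2. Shared mailbox processed by the team: Full Access and Send As for the assistant.
New-Mailbox -Shared -Name "Executive Office" -DisplayName "Executive Office" -Alias "Exec.Office"
Add-MailboxPermission  -Identity $SharedMbx -User $Assistant -AccessRights FullAccess -InheritanceType All
Add-RecipientPermission -Identity $SharedMbx -Trustee $Assistant -AccessRights SendAs -Confirm:$false

# 3. The executive's own mailbox becomes the private one: hidden from the GAL and
#    accepting mail only from members of the approved-senders distribution list.
Set-Mailbox -Identity $Exec `
    -HiddenFromAddressListsEnabled $true `
    -AcceptMessagesOnlyFromDLMembers $ApprovedDL

# Verify: who can reach the private mailbox, and what the delegate can actually open.
Get-Mailbox -Identity $Exec |
    Format-List HiddenFromAddressListsEnabled, AcceptMessagesOnlyFromDLMembers, GrantSendOnBehalfTo
Get-MailboxFolderPermission -Identity "$($Exec):\Inbox" | Format-Table User, AccessRights
```

Moderation (Set-Mailbox -ModerationEnabled with -ModeratedBy) is the alternative to an approved-senders list if the executive wants a person rather than a list deciding what gets through.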
Microsoft 365 Groups and Teams both support shared calendars, so supporting the executive’s calendar is not a problem. Outlook for iOS and Android support access to shared mailboxes and Microsoft 365 Groups, and Teams has its own mobile client, so there’s no problem getting to information when on the road.
Deploy MFA Now
Using basic authentication to connect to Exchange Online exposes mailboxes to attack, including business email compromise attacks. And accounts that are only protected by passwords, especially those shared with other people, are more likely to be pwned. Every account used by senior personnel and those used by administrators should be protected by MFA and you should check the MFA status of accounts periodically.
After you use MFA to protect an account, knowing passwords is not enough for others to access the account. They need to have access to the second authentication method, like a mobile phone. Although it’s conceivable that executives might give their mobile phone to their assistants to allow access to their email, implementing MFA in a tenant is an excellent way to begin eradicating password sharing.
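The periodic MFA status check mentioned above, as an added example that is not part of the original post. It uses the Microsoft Graph PowerShell SDK; it assumes the Microsoft.Graph.Reports module is installed, that the signed-in account can consent to the listed permissions, and the executive UPNs are constructed sample values.

```powershell
# Added example (not from the original post): report which admin and executive
# accounts have no MFA method registered, using Microsoft Graph PowerShell.
# Assumes the Microsoft.Graph.Reports module is installed; the UPNs are sample values.
Connect-MgGraph -Scopes "AuditLog.Read.All", "UserAuthenticationMethod.Read.All"

# Accounts that must have MFA regardless of role (constructed sample list).
$Executives = @("Kim.Akers@contoso.com", "Ben.Owens@contoso.com")

# One row per user: MFA registration state, registered methods, admin flag.
$Registrations = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

# Scope the check to the accounts the post says must be protected:
# everyone holding an admin role, plus the named senior people.
$MustHaveMfa = $Registrations | Where-Object {
    $_.IsAdmin -or ($Executives -contains $_.UserPrincipalName)
}

$Report = $MustHaveMfa | Select-Object UserPrincipalName, IsAdmin, IsMfaRegistered, IsMfaCapable,
    @{Name = "Methods"; Expression = { $_.MethodsRegistered -join ", " }}

$Report | Sort-Object IsMfaRegistered, UserPrincipalName | Format-Table -AutoSize

# Anyone in scope without a registered MFA method is a priority follow-up:
# for these accounts a shared or leaked password is still enough to sign in.
$Gaps = @($Report | Where-Object { -not $_.IsMfaRegistered })
if ($Gaps.Count -gt 0) {
    Write-Warning ("{0} privileged or executive account(s) have no MFA method registered:" -f $Gaps.Count)
    $Gaps | ForEach-Object { Write-Warning ("  " + $_.UserPrincipalName) }
}

# Keep a dated copy so each periodic run can be compared with the last one.
$Report | Export-Csv -Path ("MFA-Status-{0:yyyy-MM-dd}.csv" -f (Get-Date)) -NoTypeInformation
```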
Break Old Habits
Executives have different modes of working and the transition from email-based, password-sharing access to mailboxes will be difficult for some (and their assistants). It is sensible to sit down with the assistants to understand the ebb and flow of information and how the executive processes work to come up with the right solution for them. The good thing is that Office 365 offers different highly functional options. The challenge is to pick the right one for the person to help them break the horrible and dangerous habit of password sharing.
The Office 365 for IT Pros eBook goes into great detail about all these topics. Isn’t it worth your while having access to the best and most up-to-date information about Office 365?