Nadine Dorries, a British MP, has made news over the past few weeks after admitting on Twitter that she shares the password to her work PC with other staff in her office and even “interns on exchange programs”. According to Dorries, the main reason for this is so that her staff can access a shared mailbox on the PC and reply to constituents. More worrying still, in the wake of the backlash directed at Dorries, other MPs have come forward and admitted to the practice, revealing a worrying trend. In a further statement that showed up Dorries’ lack of data protection savvy, she tweeted that since she was a backbench MP without access to government documents, there was nothing sensitive to access. Dorries (and hopefully all other MPs sharing their passwords) is in for a rude awakening, however, as not only is sharing passwords against the rules of parliament in the UK, but even information as basic as an address book constitutes Personally Identifiable Information (PII), which is subject to strong protection under existing data protection laws – and will be protected even more fiercely under the upcoming GDPR, even in the UK.
Password sharing may be standard practice among MPs, but it is far from best practice. Mailbox delegation could achieve the same productivity with a fraction of the risk.
Unfortunately, password sharing and other bad practices are still common, even among organisations that frankly should know better. The MPs seemed to be of the opinion that because it was normal, it was OK. This is just the tip of the iceberg of a culture of poor data protection and IT security practices. Password sharing is never a good idea: not only does it breach government policy, but it also drastically increases the likelihood of a data breach. It means not only that many more people have access to sensitive data, but also that actions taken with that data can no longer be accurately attributed to an individual user account, because the account is shared.
“Sharing access to confidential systems should always be minimised, especially in government where security and audit trails are paramount”, according to Carl Gottlieb, data protection officer at Sky News. He continued, “MPs and the civil service have a track record of lax practices around sharing passwords and this needs to change. MPs, like many senior managers, have teams around them that act as a bubble of trust. Interns are trusted to handle their email and social media accounts on a daily basis. This usually works well until, eventually, the bubble bursts, and previously trusted personnel make mistakes or go rogue”.
So what’s the solution for people like Dorries who need staff to share the load of answering a shared mailbox? Well, mailbox delegation through email suites such as Office 365 is relatively easy to set up and far more secure. Incidentally, Dorries (and all members of the UK parliament) use Office 365, and she even admitted to having some degree of delegation set up when this feature was pointed out to her. “I’m sure that’s what we use”, she tweeted, “as all staff have access to read my diary and one other has ability to amend and add”. So Dorries’ use of password sharing was not only dangerous but entirely unnecessary, as some mail delegation features were in fact already implemented; they were simply not being used to full effect.
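As an added illustration (not from the article or from parliament’s own configuration), the following Exchange Online PowerShell session sets up the delegation described above with least privilege: full access plus Send As for a caseworker, send-on-behalf only for an intern, editor rights on the MP’s calendar folder alone, and an audit of who holds what. All mailbox and user addresses are placeholders.

```powershell
# Added example: least-privilege delegation for a constituent-facing shared mailbox
# in Exchange Online, instead of handing staff the MP's own password.
# Placeholder identities (not from the article): replace with real addresses.
$SharedMailbox = "constituents@example.parliament.invalid"
$OwnerMailbox  = "mp.office@example.parliament.invalid"
$Caseworker    = "caseworker@example.parliament.invalid"
$Intern        = "intern@example.parliament.invalid"

# Requires the ExchangeOnlineManagement module and an Exchange admin account.
Connect-ExchangeOnline

# 1. Caseworker: open the shared mailbox and reply as the mailbox itself.
#    Every action is still logged against the caseworker's own account,
#    which is the audit trail a shared password destroys.
Add-MailboxPermission -Identity $SharedMailbox -User $Caseworker `
    -AccessRights FullAccess -InheritanceType All -AutoMapping $true
Add-RecipientPermission -Identity $SharedMailbox -Trustee $Caseworker `
    -AccessRights SendAs -Confirm:$false

# 2. Intern: reply "on behalf of" the mailbox only, so recipients can see who
#    actually wrote the message; no Send As and no access to the MP's own mailbox.
Add-MailboxPermission -Identity $SharedMailbox -User $Intern `
    -AccessRights FullAccess -InheritanceType All -AutoMapping $false
Set-Mailbox -Identity $SharedMailbox -GrantSendOnBehalfTo @{Add = $Intern}

# 3. Diary: editor rights on the calendar folder only, rather than on the
#    whole personal mailbox.
Add-MailboxFolderPermission -Identity "$($OwnerMailbox):\Calendar" `
    -User $Caseworker -AccessRights Editor

# 4. Keep mailbox auditing on, then review the delegations so that access can be
#    revoked per person when someone leaves, without resetting anyone's password.
Set-Mailbox -Identity $SharedMailbox -AuditEnabled $true
Get-MailboxPermission -Identity $SharedMailbox |
    Where-Object { $_.User -notlike "NT AUTHORITY\*" -and -not $_.IsInherited } |
    Select-Object User, AccessRights
Get-RecipientPermission -Identity $SharedMailbox -AccessRights SendAs |
    Select-Object Trustee, AccessRights
Get-Mailbox -Identity $SharedMailbox | Select-Object -ExpandProperty GrantSendOnBehalfTo

# Offboarding an intern is a single, attributable change:
# Remove-MailboxPermission -Identity $SharedMailbox -User $Intern -AccessRights FullAccess -Confirm:$false
```

Because each delegate signs in with their own credentials, the mailbox audit log records which person read, sent or deleted a message, which is the attribution the article notes is lost when a password is shared.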
Needless to say, the information security community was quick to point out how reckless Dorries was being with her data, as it is by no means unusual for an employee to be sanctioned or even fired for sharing such credentials with others. Dorries and other MPs appeared worryingly dismissive of the criticism and did not seem to understand the issue, since password sharing amongst them has been common for quite some time. However, they need to understand that the online threats faced by organisations are far from what they were 10 or even 5 years ago, and security practices must evolve in order to protect against them.
In fact, privileged user access control is one of the most important measures any organisation can take in the fight against cyber crime, along with cyber security awareness training for staff. If Dorries and other MPs or people in positions of power don’t take heed, they may themselves be exposed and become part of the next data breach headline.