If you’ve recently been employed in any kind of retail environment, you know that the use of passwords isn’t confined to white collar corporate desk jobs. Computer systems are used by all types of businesses and workers, which means passwords are a reality for all of us. Yet a unique aspect of the retail industry I’ve noticed is how prevalent it is for floor workers to share their user IDs or even have a shared login and password. Think about it. Have you ever seen a sticky note with some sort of “Password123” written on it in the corner of the point of sale (POS) register while you were checking out?
If you ask them, most employees don’t think sharing passwords is a big deal. Well, it is. Actually, it's a huge deal. Some organizations even compare sharing passwords to sharing a social security number for the digital workplace. Sharing passwords opens an organization up to significant security risks, making it extremely vulnerable to internal and external data breaches and system attacks.
A 2015 risk report by Bay Dynamics asked IT managers, CISOs, CIOs and other IT decision makers within 125 retail organizations about the cybersecurity risks that employees, both temporary and permanent, pose to their organizations. The results came as no surprise.
- 62% of respondents said they know everything their permanent and temporary employees are doing on their corporate systems. However, 21% of permanent retail floor workers and 61% of temporary floor workers do not have unique login credentials for corporate systems.
- 37% of respondents said they cannot identify which systems their temporary employees have accessed.
- More than 25% of respondents said they don’t know if their temporary employees have ever accessed and/or sent data that was unauthorized.
- 47% of respondents said temporary workers are somewhat risky to their organization and more than a third view them as a high risk. The majority (66%) also view permanent workers as somewhat risky.
One of the major issues with password sharing is that it makes it nearly impossible to pinpoint exactly where an attack came from. This employee? That employee? Not even an employee at all, but someone who obtained or perhaps stole the password?
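As an added illustration (not part of the original article or the Bay Dynamics report), the sketch below shows one way a security team can surface shared credentials from POS authentication logs: it flags any account that has sessions open on more than one register at the same time. The log format, account names and register IDs are constructed for the example.

```python
from datetime import datetime

# Constructed sample POS auth events: time, account, register, action
SAMPLE_EVENTS = """\
2015-11-27T09:00:05 floor1 REG-01 login
2015-11-27T09:02:40 jsmith REG-03 login
2015-11-27T09:04:10 floor1 REG-02 login
2015-11-27T09:15:00 jsmith REG-03 logout
2015-11-27T09:20:30 floor1 REG-01 logout
2015-11-27T09:21:00 jsmith REG-04 login
2015-11-27T09:30:00 floor1 REG-02 logout
2015-11-27T09:45:00 jsmith REG-04 logout
"""

def parse_events(text):
    """Yield (timestamp, account, register, action) tuples from log text."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, register, action = line.split()
        yield datetime.fromisoformat(ts), account, register, action

def find_shared_accounts(text):
    """Return {account: [(time, open_registers), ...]} for every login that
    leaves the account with sessions open on more than one register."""
    open_sessions = {}   # account -> set of registers currently logged in
    findings = {}
    for ts, account, register, action in sorted(parse_events(text)):
        active = open_sessions.setdefault(account, set())
        if action == "login":
            active.add(register)
            if len(active) > 1:
                findings.setdefault(account, []).append((ts, sorted(active)))
        elif action == "logout":
            active.discard(register)
    return findings

if __name__ == "__main__":
    for account, hits in find_shared_accounts(SAMPLE_EVENTS).items():
        for ts, registers in hits:
            print(f"{ts.isoformat()} {account} active on {', '.join(registers)}")
```

Concurrent sessions are a signal rather than proof, and this check does not catch several people taking turns on one register under the same login, which is why unique credentials remain the real fix.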
To prevent employees from sharing passwords, we first must think about why they’re doing it in the first place.
Employees might enjoy a shared password because it eliminates the personal responsibility of remembering a password. If they ever forget it or the sticky note disappears, they can ask a co-worker. The despised error message: “The combination of this username and password is incorrect. Please try again” can be avoided at all costs.
Or it could be that it’s shared in case of an emergency, to allow multiple people access to a shared team account, or to delegate work to others.
Another reason employees may gravitate toward sharing passwords is that in a fast-paced service environment, passwords can become a productivity killer. If a floor salesperson needs to log into a system each time they use it, they could be logging in six or more times an hour. They’re at the mercy of customers, who may need their help away from the computer every five or ten minutes. Logging in every time they return to their computer or workstation can really slow them down. Because of this, employees will often use a computer that another employee is already logged into. If the password is shared, then there really isn’t a reason to make sure each employee is logging in and out every time.
In other instances, the decision to share a password may not even be a decision made by employees. Instead, it could be due to a system put in place by IT.
IT may have no argument with this “one-for-all” approach, or even encourage it due to technology constraints they face. Maybe they face the relentless struggle of resetting user passwords because they don’t have a self-service password reset system. Or perhaps their system lacks automation features and they face a never-ending loop of manually onboarding new users and de-provisioning access for those who have left the company. In an industry like retail, with seasonal employees, there can be a high rate of turnover.
While in the short term, sharing one password throughout a store may be simpler and less time-consuming for IT and employees, there are considerable security risks associated with it in the long run.
Fortunately, there are technology options available that can ease all of the hassles listed above while also better securing the organization. Better yet, these can also remove the ability for employees to share passwords or user IDs. The best way to prevent employees from sharing passwords is to remove the ability altogether.
Alternative authentication methods - don’t use passwords at all! Use a biometric form of authentication, such as a fingerprint or retinal scan. Or use an identification card that employees can swipe to gain access. Better yet, combine the ID card and a fingerprint scan. While more steps are involved, this is still usually a quicker process than entering a username and password, and far more secure than sharing a password.
Embrace automation technology - IT staffs don’t need to struggle with the time-consuming monotony of manual password resets and manual provisioning, de-provisioning and recertification. These processes can all be automated, making them much less of a burden.
An identity and access management (IAM) solution can offer all of the above benefits and put an end to shared passwords, while also improving productivity for employees and IT.