Generic Accounts: Are They Worth the Risk?
As people in the modern business world, we always find ourselves weighing the risks and rewards of cybersecurity efforts. Let’s face it: better security for our data networks is a good thing, but it often comes with some degree of inconvenience. Your Infinity support team works hard every day to provide the best security while trying to minimize the inconvenience associated with those improvements in security. There are far too many aspects to cover cybersecurity in one short post. Today, I will focus on what I call “generic accounts.”
What is a Generic Account?
Let’s start by defining the “generic account.” It is any user account not tied to a specific employee by name, an account that is not enabled and disabled at the beginning and end of a specific user’s employment. Depending upon your industry, it might have a name such as accounting, dispatch, nurse, human resources, front desk, reception, or customer service; you get the idea. Typically, these accounts will fall into two categories:
- It is shared by multiple users who have the same role in the business; or
- It belongs to a role with a high turnover rate, perhaps even one filled by temporary employees.
Why do we Create Generic Accounts?
The perception is that it is easier to create one account and always use that account in both situations above. But let’s consider the security risks involved.
What are the Security Risks of Generic Accounts?
Any time a business account is not tied directly to one specific person, security risks can arise. Who manages it, and who keeps track of changes? Following are three potentially very serious security risks.
- In both types of generic accounts above, passwords tend not to be changed. When multiple people have access to something, typically no one takes ownership. Everyone thinks someone else will take care of it.
- Also, when those passwords are changed, it may be difficult to get the new login information to everyone who needs it, and that causes delays in workflow. Plus, the distribution of the new password will often be less than secure, for example, written on a post-it note under the keyboard. See more on passwords and productivity here.
- It also means a terminated employee may still have the ability to access your corporate network and data. That account may even have the ability to access it remotely. Even in the absence of any malicious intent on the part of a former employee, there is the possibility of any shared login credentials getting leaked out the door of your business. No one wants that to happen!
How Can We Balance Security and Convenience?
So, what do we do to juggle the security with the convenience when it comes to these generic accounts? I think this is an issue of perception that we often miss:
We think it is easier to have multiple people using 1 shared, generic account.
But we are not dealing with a home computer where files are stored right there on the hard drive of that specific machine in that specific user profile. In an enterprise-level environment, those files are most often stored on a server or duplicated to a cloud-based resource like Microsoft 365. And that means any user can be given permissions to access files, mailboxes, and other resources. When we consider those facts, what now is the perceived benefit of these generic accounts?
Most often, I find that the need behind a generic account is better served by other available tools that give each specific user the same resources without compromising security. Those tools might be a shared mailbox, an email distribution list, or shared files on the server or in SharePoint. Any access needed can be granted to specific users through a security group.
So before we create another generic account, let’s have a conversation about your needs and determine if the generic account is really the best solution. At the same time, let’s look to minimize those that already exist. If we find that a generic account is truly needed, we have options to better secure it, such as limiting that account to specific workstations or blocking it from remote access. What’s most important is that we all know the risks and choose the best options for your situation. Contact us to get answers and alternatives today.
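The three steps above (audit the generic accounts you already have, replace them with a shared mailbox plus a security group, and lock down the ones that must remain) in one PowerShell session. This is an added example, not code from the original post or from Infinity; it assumes the ActiveDirectory (RSAT) and ExchangeOnlineManagement modules are installed and an open Connect-ExchangeOnline session, and every OU, account, group, mailbox and workstation name is a placeholder.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory
# module (RSAT) and the ExchangeOnlineManagement module, with an active
# Connect-ExchangeOnline session. All names and DNs below are placeholders.

# 1. Audit: enabled accounts in the generic-accounts OU whose password is
#    older than 90 days, with where they last logged on and any workstation
#    restriction already in place.
$genericOU = "OU=Generic Accounts,DC=example,DC=com"   # placeholder DN
$cutoff    = (Get-Date).AddDays(-90)
Get-ADUser -SearchBase $genericOU -Filter 'Enabled -eq $true' `
           -Properties PasswordLastSet, LastLogonDate, LogonWorkstations |
    Where-Object { -not $_.PasswordLastSet -or $_.PasswordLastSet -lt $cutoff } |
    Select-Object SamAccountName, PasswordLastSet, LastLogonDate, LogonWorkstations |
    Format-Table -AutoSize

# 2. Replace a shared "reception" login with a shared mailbox that named
#    users open with their own credentials. Access is granted to a
#    mail-enabled security group, so joiners and leavers are handled by
#    group membership instead of by handing out a password.
New-Mailbox -Shared -Name "Reception" -DisplayName "Reception" `
            -PrimarySmtpAddress "reception@example.com"
Add-MailboxPermission -Identity "Reception" -User "Reception Staff" `
                      -AccessRights FullAccess
Add-RecipientPermission -Identity "Reception" -Trustee "Reception Staff" `
                        -AccessRights SendAs -Confirm:$false

# 3. If a generic account must stay: limit it to named workstations and
#    block remote access. msNPAllowDialin = $false is the "Deny access"
#    dial-in setting honoured by NPS/VPN; RDP is denied by membership in a
#    group listed under "Deny log on through Remote Desktop Services".
Set-ADUser -Identity "frontdesk" -LogonWorkstations "FRONTDESK-01,FRONTDESK-02"
Set-ADUser -Identity "frontdesk" -Replace @{ msNPAllowDialin = $false }
Add-ADGroupMember -Identity "Deny-RDP-Logon" -Members "frontdesk"   # placeholder group
```

Re-run step 1 after the changes: the goal is for the listing to shrink toward empty, with any survivors showing a LogonWorkstations value.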