TitanHQ Blog

Email Security | Should your boss know your network or email passwords?

Posted by Geraldine Hunt on Wed, May 21st, 2014

Imagine the scenario: A sales manager rings the IT department requesting access to a team member’s PC so they can check the Outlook Inbox. The IT department sets up a shared mailbox – but to configure it they need access to the team member’s computer. They reset the PC’s password to a temporary one, log into the PC and configure Outlook. The manager is then informed that the user will need to reset the password when they return to work.

What’s the issue? The manager keeps a log of all employee PC passwords, so they can access the computer to check emails when the employee is on holiday etc., and to set up Out Of Office messages if the user has forgotten. The manager wants the temporary PC password, so they can log in, change the password to a permanent one, and update the password log.

The IT department, quite correctly, refuses to give out the password – explaining that the company is moving away from logs that record the password, and that the password policy is that passwords should only be known to the user and no-one else.

The manager is unhappy – they do not want a repeat of this situation, where they do not have the password, and need to ring the IT department to access an employee’s computer or inbox.

How do you address the manager’s concerns regarding email and Out of Office auto-responders without letting password-sharing occur?

The obvious way is to use shared mailboxes, as mentioned above, so that the manager always has access to the team members’ emails. However, this involves training the whole team to manage the mailboxes, and some managers can be resistant to learning more technical tasks. They want convenience, and logging in to the team member’s account is simpler and more convenient. They may also not want their own Outlook instance crowded with shared mailboxes.

How do you allow a manager to check team member’s email, and/or configure Out-Of-Office settings for multiple employees, without password-sharing and having to always keep the team’s mailboxes open in the manager’s Outlook?

Shared mailbox or delegate permissions

Rather than sharing the mailbox, you can set up delegate permissions. This is actually more complicated than sharing a mailbox, and would need the Exchange Administrator to set up Delegate Access. Delegate Access, unlike sharing, allows you to send emails on behalf of the other person, and to accept meeting requests. Every time you want to check the mailbox, you need to open it, but unlike shared folders, the mailboxes do not remain open in Outlook. However, the manager still cannot set up Out of Office responses.

Domain Manager

Setting up Out of Office for a team member who has forgotten to do so before attending training, going on holiday, or being off sick requires intervention from an Administrator working as Domain Admin. The manager would have to submit a helpdesk ticket in order to request that the Out of Office response be turned on for the team member.

There is no simple way to give access to an employee’s Inbox and Out of Office responses without the IT department’s involvement. The danger is that managers will continue to log team members’ passwords, and that brings up numerous security issues.
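The IT-side alternative to a password log, as an added example that is not part of the original post: the administrator grants the manager delegate access, sets the Out of Office reply on the user’s behalf, and turns on mailbox audit logging so delegate actions stay attributable. It assumes the Exchange Management Shell on Exchange 2010 SP1 or later; the aliases `alice` (team member) and `bob` (manager) are placeholders.

```powershell
# Added example, not the post's own procedure. Run in the Exchange Management
# Shell as an administrator with recipient-management rights. "alice" (team
# member) and "bob" (manager) are placeholder aliases; Exchange 2010 SP1 or
# later is assumed (AutoMapping and mailbox audit logging).
$TeamMember = "alice"
$Manager    = "bob"

# 1. Delegate access to the Inbox. -AutoMapping $false stops Outlook from
#    permanently adding alice's mailbox to bob's profile; bob opens it only
#    when needed, which answers the "crowded Outlook" objection.
Add-MailboxPermission -Identity $TeamMember -User $Manager `
    -AccessRights FullAccess -InheritanceType All -AutoMapping $false

# 2. Send on Behalf rather than Send As: recipients see "bob on behalf of
#    alice", so mail sent by the manager is never mistaken for the user's.
Set-Mailbox -Identity $TeamMember -GrantSendOnBehalfTo $Manager

# 3. Out of Office set by IT for a user who forgot to set it. This is the
#    helpdesk-ticket step; the manager never needs the user's password.
Set-MailboxAutoReplyConfiguration -Identity $TeamMember `
    -AutoReplyState Enabled `
    -ExternalAudience All `
    -InternalMessage "I am out of the office and will reply on my return." `
    -ExternalMessage "Thank you for your email. I am out of the office and will reply on my return."

# 4. Log what the delegate does in the mailbox, so acceptable-use checks can
#    still tell alice's actions from bob's.
Set-Mailbox -Identity $TeamMember -AuditEnabled $true `
    -AuditDelegate SendAs, SendOnBehalf, Update, SoftDelete, HardDelete, MoveToDeletedItems

# 5. Verify: show delegate activity for the last 30 days and confirm the
#    auto-reply is enabled.
Search-MailboxAuditLog -Identity $TeamMember -LogonTypes Delegate `
    -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) -ShowDetails |
    Select-Object LastAccessed, LogonUserDisplayName, Operation, FolderPathName |
    Format-Table -AutoSize
Get-MailboxAutoReplyConfiguration -Identity $TeamMember |
    Select-Object Identity, AutoReplyState
```

Step 3 still requires IT involvement, as the post says; what changes is that the audit trail in step 4 records who did what in the mailbox instead of every action appearing to come from the user.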

Email Security Issues

One of the reasons for keeping passwords private is to maintain the acceptable use of email. If a manager has full access to a mailbox, by logging on as a team member, it damages the integrity of checking for unacceptable emails. There is no longer any way to verify whether an email has been sent by the team member or the manager. In extreme situations, a manager could send malicious emails, and then use the emails as grounds for dismissal.

A further issue is that if the manager has access to email, they also need access to the PC. This again damages acceptable use; the manager could be using the PC to surf the Internet and access unacceptable Internet sites – porn, gaming or gambling sites, or social media. They could also use the Internet outside of permitted times for personal use. The employee would not have to be on holiday for the manager to perform such abuse, as the manager would have permanent access to the employee’s computer.

Legally, it would also complicate matters, as it would be impossible to prove that the team member has been using email and the Internet for unauthorised purposes, because the integrity of the audit trail has been compromised.

Privacy is also a concern. Employees receive emails from HR about medical issues or benefits that are private. The manager would be able to read these emails, breaching the team member’s right to privacy on delicate matters.

If password sharing is part of the corporate culture, it also poses risks to confidential information. Managers may share passwords between each other. This enables unscrupulous employees to access confidential company information that they do not have permission to access. This is particularly a risk for financial companies or government agencies. Information can then be syphoned from the company and used for fraudulent purposes.

When a manager wishes to access a user’s account via password sharing, the risks surrounding access to a team member’s PC should be explained to them. Personal, private passwords are best practice in IT – and maintaining the integrity of the audit trail outweighs the inconvenience of not having an Out of Office message.

Acceptable Usage Policy protects the company, employees and network.

If the company has an Acceptable Use or Corporate Policy that bans the sharing of passwords, employees that share them would be in violation of this policy. Both the manager and the team member would be subject to the penalties for violating the policy. If a company does not have an Acceptable Use Policy one should be introduced ASAP – including banning password sharing. An Acceptable Use Policy protects the company, employees and network security.

Setting up Out of Office messages is actually a training issue rather than an IT issue. It is up to the manager to ensure Out of Office replies are set up. A simple way to achieve this would be to remind team members to set up the automated response before they leave on holiday or for training. All employees should also be trained in using shared Inboxes, including adding and removing them, so the manager does not have to keep the whole team’s mailboxes open unnecessarily.

Network Security pointers to consider:

  1. Employees having private passwords are a cornerstone of network and IT security.
  2. Sharing passwords compromises the audit trail for acceptable use.
  3. There are methods that can be used to access a user’s Inbox – managers should use these methods, even if they are more complicated than logging into a user’s PC. Once access to an Inbox is granted, it can be managed by the team.
  4. Out of Office responders are less important than security. A manager may argue with this, but access to another person’s PC could open the company to all manner of liability issues. In extreme cases, a company could be sued if an employee’s privacy is compromised.
  5. A company needs an Acceptable Usage Policy that covers sharing of passwords, outlines the risk, and details the penalties if the policy is violated.
  6. Training should be used to support the use of Shared Mailboxes and Delegate Access. After setup, they require minimal intervention from either IT or the users. These methods should be detailed in the Acceptable Use Policy, so all employees are clear on how to gain access to another’s email.

Banning password-sharing and using alternative methods to access an employee’s Outlook needs senior management support. Senior managers need to be aware of the issues, and committed to maintaining network security. Without this support, managers will continue to keep password logs, opening the company to all manner of security risks.

Is your network password known to many of your colleagues?
