2.4 Implement Password Control

It is critical that all companies, regardless of service sector, ensure that access to IT systems, through both desktops and laptops, is controlled through individual user accounts (often referred to as a ‘user ID’) and that each user account is protected by a strong password. There is a risk that passwords can be easily guessed: studies have shown that people often use the names of relatives, pets or their favourite football team, and sometimes even the word ‘password’, to access their systems. In addition, password cracking software is now widely available.


While many companies have standardised password policies in place, smaller entities are often prone to poor or negligent practices. At the same time, several companies had policies in place recommending certain standards, but had no controls in place to check that these standards were actually met.


It is therefore essential that companies have individual user accounts in place so that they can monitor users’ activities and detect breaches of policies and procedures that could lead to data loss. Several companies did not have individual user accounts in place and instead allowed all users to access their systems with the same password. This exposes firms to a significant risk of systems misuse, including data loss. For example, if a corrupt employee were systematically extracting customer data from a database using a generic password, the lack of an auditable, individual user account would make it difficult for the company to find out, or prove, who was responsible. A shared password is also more likely to be compromised, since the same credential is known to every user.
