This week we had a client who was bringing onboard 2 new staff.

“Congratulations!” we said.

It is always good to see our successful clients growing their businesses. Taking on more staff is one indicator that a business is growing.

Our staff onboarding service is very popular as we sort out all the setup for the new staff: computers, email accounts, access to systems and more. With this documented process, which is tailored for each client, we reduce the workload for our client, and remove the headache of remembering how to do it. It is also all done on time, every time. The other main benefit of this service is that we can reverse that process when a staff member leaves. This ensures their access to all systems and data is revoked at the right time, and equipment is collected ready to be re-purposed.

However, in this instance, the 2 new full-time staff were replacing staff who were reducing their hours to just 1 day per week. The client is a good businessman and runs a tight ship when it comes to managing costs. He asked: “Can these part-time staff now share an account, and can we downgrade it to a lesser subscription?” He didn’t want the cost of a Microsoft 365 Business Premium subscription for these 2 staff. This is understandable, and you can see the logic. Let’s discuss why this may be a good idea, and why it may also be a bad idea.

Benefits of shared user accounts

  1. The first perceived benefit is a cost saving. 2 staff sharing a single subscription is an obvious 50% saving. Downgrading the subscription from an M365 Business Premium to a Business Standard will also save money monthly.
  2. They don’t need personal email accounts; a shared email account is fine. This is the option our client was thinking of.
  3. Fewer accounts are easier to manage. This initially sounds logical. One logon, one password. Easy-peasy.

OK, let’s look at why these benefits are in fact a risk and a liability…

Negatives of shared user accounts

  1. Security – Shared user accounts introduce a HUGE security risk. Here are a few reasons why:
    • Shared passwords - What if one of the 2 or more part-time staff leaves? As the password is shared with multiple people, this means it should be changed to ensure that the data accessible with that account is kept safe. The more people who use the shared account, the bigger the pain from changing the password. The reality is that it probably won’t be changed. What if the leaver was going to your competition, or left under a cloud? That leaves you vulnerable.
    • Two-Factor Authentication (2FA)/Multi-Factor Authentication becomes almost impossible to implement - 2FA or MFA is a MUST! 2FA secures accounts with a one-time code or push notification. When a user logs on with a correct password, a code or push is sent to the user for a 2nd factor verification. Without 2FA/MFA, it is dead easy for a hacker to access an account. See our blog article ‘Protecting your business against phishing’ which covers how hackers use phishing to gain access to your systems. It happens… all the time. With shared user accounts, 2FA/MFA is almost impossible to implement unless you spend more on a password manager with 2FA support, or a third-party identity management solution.
    • Access control - What if the 2 people sharing the account need access to different sets of data? Perhaps one assists in HR, and the other in Marketing. Do you really want the marketing assistant to have access to HR data? With shared user accounts, it is not possible to control access to data per person. Access is either all or nothing, and neither is a good option.
    • Audit trail - With shared user accounts, it’s impossible to see who logged onto the computer at a certain time, who modified that file, who sent that email and so on. If you have to deal with a customer complaint, or a security incident, it is so much harder to get the necessary detail from logs. And again, if an employee had to be dismissed, what’s to stop them sending nasty emails about you, your business or your clients?
  2. Compliance – If you have to comply with one or more standards such as Cyber Essentials, ISO 27001, HIPAA, FISMA etc., shared user accounts will fail you for the reasons shown above.
  3. Personalisation / Features - Individual accounts benefit from many usability features. When staff share an account, the different features become a point of disagreement. Default save locations, background images of the dog, browser bookmarks and history… The list goes on. Staff will soon get tired of the tug-of-war of resetting settings back to their own way of working.
  4. License / Subscription terms - You may be in breach of the vendor’s license or subscription terms and conditions by allowing multiple end users to share services or software that is supplied on a per-user basis.
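
The audit-trail point above, shown as an added illustration that is not part of the original article: given sign-in records, an individual account maps every event to one person, while a shared account leaves each event unattributable and often shows up as the same logon on different devices within minutes. The account names, device names, record layout and the 30-minute window are assumptions made for this example, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (not real log data): account, time, device.
SIGN_INS = [
    ("alice@example.test", "2022-06-06T09:02", "LAPTOP-01"),
    ("parttime@example.test", "2022-06-06T09:05", "LAPTOP-02"),
    ("parttime@example.test", "2022-06-06T09:20", "DESKTOP-07"),
    ("alice@example.test", "2022-06-06T13:10", "LAPTOP-01"),
    ("parttime@example.test", "2022-06-07T10:00", "LAPTOP-02"),
]

# Assumed IT record of who has been given the password for each account.
HOLDERS = {
    "alice@example.test": ["Alice"],
    "parttime@example.test": ["Staff A", "Staff B"],
}

def attribute(sign_ins, holders):
    """Name the person behind each sign-in, or None when the log cannot say."""
    rows = []
    for account, when, _device in sign_ins:
        people = holders.get(account, [])
        # Only an account held by exactly one person identifies that person.
        rows.append((account, when, people[0] if len(people) == 1 else None))
    return rows

def likely_shared(sign_ins, window=timedelta(minutes=30)):
    """Flag accounts seen on two different devices within `window`."""
    by_account = defaultdict(list)
    for account, when, device in sign_ins:
        by_account[account].append((datetime.fromisoformat(when), device))
    flagged = set()
    for account, rows in by_account.items():
        rows.sort()
        # Compare each sign-in with the next one for the same account.
        for (t1, d1), (t2, d2) in zip(rows, rows[1:]):
            if d1 != d2 and t2 - t1 <= window:
                flagged.add(account)
    return sorted(flagged)

if __name__ == "__main__":
    for account, when, person in attribute(SIGN_INS, HOLDERS):
        print(when, account, person or "UNATTRIBUTABLE")
    print("Likely shared:", likely_shared(SIGN_INS))
```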

It is clear that, in most instances, shared user accounts are not a good idea. It may be that you are prepared to accept some of these risks, but unfortunately, you get all of these risks when you choose to use shared user accounts.

Let’s look at the cost-saving benefit. Is it really money saved? 🤔 Consider the possible cost of a cyber security incident (these can cost tens or hundreds of thousands of pounds or dollars), or the wasted time of staff trying to change personal settings to suit, or the constant changing of access control. Look at the monthly physical saving and see what you really save:

Microsoft 365 Business Premium - £16.60 per user (MSRP as of June 2022). This is £3.83 per week.

Let’s say you have a part-time person working one day per week and earning the UK government’s recommended living wage (currently £9.50 p/h or approx. £76 per day, or per week if they are working just one day). Does £3.83 really make that person unaffordable? Does it make up for the risks we have highlighted above?

Summary - Are shared user accounts a good idea?

We have looked at the pros and cons of shared accounts. In short, shared user accounts are almost always a bad idea. There are other ways to reduce costs for part-time staff, including possibly lesser subscriptions and guest access. Just be mindful of the license or subscription terms, or the ongoing management of external guest access to your data.

If you would like advice, or would like to hear our recommendations bespoke to your business, click here to book a free online chat, or call us on 01732 243100.

June 07, 2022 — Paul Stanyer