Over the weekend a couple of tweets by a UK Member of Parliament (MP) have generated a wave of outrage and comment amongst the security community. Nadine Dorries mentioned that she routinely shares her password with her staff and often has to ask them what it is. (Incidentally, Nadine should make sure all her other accounts don’t use the same password, e.g. her online banking and shopping accounts.) The big question appears to be “is this a big deal?” I think it is, and here’s why.
Earlier this year there was a cyber security attack on MPs by an unknown government – variously reported as Russia or Iran – and a number of MPs fell for phishing attempts. You have to ask now whether it was the MP or a member of their staff: either way it shows that more awareness and better controls are needed.
In the last couple of weeks an MP was accused of viewing pornography on his work PC, a charge which he has denied despite the investigating police officer presenting comments which might indicate it was likely. Nadine Dorries’ comments were (I’m sure) meant to illustrate that just because the MP’s credentials had been used to log on to the computer, it didn’t necessarily mean that he had accessed the material. And this is the main point: it’s important for individuals to take ownership of and responsibility for their log on credentials (their user name and password), and that is exactly why they should keep the password secret.
In the staff handbook at Parliament, section 5.8 states clearly that “you must not… share your password”. One of the reasons why we’re advised (told) not to share passwords is to protect us. If any wrongdoing is discovered or suspected under our user name, we are responsible. If someone else has had access to your machine using your details, you are still responsible.
If you have colleagues who you think should have access to your email, give them delegated access, which means they can access it using their own credentials. If they need to access documents etc, put them on a shared network drive where again they use their own credentials. This protects both parties and is more in line with industry best practice.
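As an added illustration of the delegated-access approach described above (this is example code, not from the original post and not Parliament’s own configuration): the Exchange cmdlets below give a member of staff access to an MP’s mailbox and to a shared folder under the staffer’s own login, and list who currently holds such access. It assumes the Exchange management cmdlets are already loaded (the Exchange Management Shell, or `Connect-ExchangeOnline` beforehand); the mailbox addresses, account name and share path are placeholders.

```powershell
# Added example (not from the original post): replace a shared password with
# delegated access. Every identity and path here is a placeholder.
$MpMailbox   = 'mp.example@parliament.example'
$Staffer     = 'staffer.example@parliament.example'
$StafferAcct = 'PARLIAMENT\staffer.example'     # placeholder domain account for the file share
$Share       = '\\fileserver.example\MPOffice'  # placeholder UNC path

# 1. Full mailbox access: the staffer opens the MP's mailbox with their own
#    credentials, so the MP's password never changes hands and the audit log
#    records the staffer, not the MP. AutoMapping is off so the mailbox is
#    added deliberately rather than appearing in every delegate's Outlook.
Add-MailboxPermission -Identity $MpMailbox -User $Staffer `
    -AccessRights FullAccess -InheritanceType All -AutoMapping $false

# 2. Send on behalf: mail goes out in the MP's name but shows who actually sent it.
Set-Mailbox -Identity $MpMailbox -GrantSendOnBehalfTo @{Add = $Staffer}

# 3. Narrower alternative when full access is more than the role needs: one folder only.
Add-MailboxFolderPermission -Identity "$MpMailbox`:\Calendar" -User $Staffer -AccessRights Editor

# 4. Shared documents: grant the staffer's own account Modify on the team share
#    instead of handing over the owner's login.
$acl  = Get-Acl -Path $Share
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($StafferAcct, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $Share -AclObject $acl

# 5. Review: who can get into this mailbox without the owner's password?
#    Filters out the inherited defaults and the owner's own SELF entry.
function Get-MailboxDelegates {
    param([Parameter(Mandatory)][string]$Mailbox)
    Get-MailboxPermission -Identity $Mailbox |
        Where-Object { -not $_.IsInherited -and -not $_.Deny -and $_.User -notlike 'NT AUTHORITY\SELF' } |
        Select-Object User, AccessRights
}
Get-MailboxDelegates -Mailbox $MpMailbox

# 6. Revoke when the member of staff moves on (their own account is disabled anyway,
#    which is the other advantage over a shared password that nobody rotates).
Remove-MailboxPermission -Identity $MpMailbox -User $Staffer `
    -AccessRights FullAccess -InheritanceType All -Confirm:$false
```

Step 5 is the check worth running periodically: a shared password leaves no trace of who holds it, whereas delegated access is a list that can be reviewed and pruned.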
I’m hoping that the events of the weekend will encourage MPs and their staff to improve their working practice, but I’m not sure it’ll happen because there doesn’t seem to be anyone holding them to account, taking them to task for these flagrant breaches of policy. I’m also hoping that those in charge of systems in Parliament (who I know are very capable and knowledgeable) will get the backing they need to bring working practices more in line with the rest of industry. Finally, I’m also hoping that all passwords will be reset over the next day or two.