3 reasons why Nadine Dorries is totally wrong about password sharing

Frustration abounds as MPs expose their backwards security practises

Shh - what's that? If you listen very, very carefully, you'll hear it; it's the sound of countless security experts smashing their heads against their keyboards in frustration. The cause, as so often before, is the government's laughable attitude to data privacy and cyber security.

Where to begin with this latest shambles? You may recall that First Secretary of State Damian Green was allegedly found to have rude and naughty pictures of the pornographic variety on his government-issued computer, which Green denies.

Nadine Dorries, Conservative MP for Mid Beds, leapt to Green's defence over the weekend, pointing out that if porn was found on Green's computer, it may not have been him who was downloading and/or viewing it on taxpayer time. After all, she said, her staff use her login to access her official computer all the time. Even interns on exchange programmes!

Er, sorry... What?

Yes folks, you read that correctly - Dorries is so free and easy with her access credentials that she even hands them out to visiting exchange students. To make matters worse, several of her fellow MPs admitted they also share their login details with staff, including Nick Boles, Will Quince and Robert Syms.

Of course, Dorries was quick to downplay the seriousness of her actions, stating that all she has on her computer is a shared email account, with no access to government documents. Boles, similarly, said that only the four people he employs to deal with correspondence from constituents have access to the passwords, which are regularly changed.

For the avoidance of doubt, let's be crystal clear: this is a dangerous, insecure and irresponsible practice. Under no circumstances should anyone be sharing one login between multiple staff members. There are numerous ways to ensure staff members can access a shared computer, mailbox or file storage system without having one login that simply gets passed around, and the fact that government MPs are apparently not using any of them is extremely alarming.

Dorries and co claim that sharing their login with staff isn't an issue, but let's take the time to unpick some of the many, many problems with these arguments.

Firstly, there's the issue of lateral movement. Dorries says that the only thing on the computer is a shared email account. Even if that's true, the computer itself is 'Westminster-based', and is likely to be connected to some kind of internal network. This opens up the possibility for lateral movement, using Dorries' machine as a way to gain access to a more important target within the network.

Then there's the issue of data protection. The shared mailbox used by the staff of Dorries and Boles presumably contains at least a partial list of constituents' names and email addresses, along with who knows what additional information shared as part of their correspondence. Behaviour like this puts all of that information at risk.

Last but not least, accountability is the biggest problem with using a shared login - and one that is best illustrated, ironically, by the very issue that prompted Dorries' admission in the first place. She is quite right in stating that if Green's access credentials were shared by his staff, there's no way of proving that it was him that was allegedly looking at porn, but that's a huge problem.

Let's imagine that, instead of perusing some nudes, the First Secretary of State was instead accused of using his computer to leak classified intelligence data to Russian agents. With a single shared login, it's virtually impossible to trace the source of the leak back to the mole. If everyone has their own credentials, it's instantly obvious.

The concept of not sharing your username and password with anyone is a basic, fundamental tenet of cyber security best practice, and the tools to ensure that you shouldn't need to share your credentials have existed for years. Considering that the Tories are supposed to be the party of business, its own staff seem to be trailing laughably far behind the curve when it comes to keeping up with industry security standards - which would be funny if it wasn't so alarming.

Featured Resources

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Evaluate your order-to-cash process

15 recommended metrics to benchmark your O2C operations

Download now

AI 360: Hold, fold, or double down?

How AI can benefit your business

Download now

Getting started with Azure Red Hat OpenShift

A developer’s guide to improving application building and deployment capabilities

Download now

Recommended

FBI warns of ongoing corporate vishing attacks
phishing

FBI warns of ongoing corporate vishing attacks

19 Jan 2021
How LogPoint uses MITRE ATT&CK
Whitepaper

How LogPoint uses MITRE ATT&CK

15 Jan 2021
Hackers using COVID vaccine as a lure to spread malware
hacking

Hackers using COVID vaccine as a lure to spread malware

15 Jan 2021
Cyber criminals bypassing MFA to access cloud service accounts
two-factor authentication (2FA)

Cyber criminals bypassing MFA to access cloud service accounts

14 Jan 2021

Most Popular

IT retailer faces €10.4m GDPR fine for employee surveillance
General Data Protection Regulation (GDPR)

IT retailer faces €10.4m GDPR fine for employee surveillance

18 Jan 2021
Citrix buys Slack competitor Wrike in record $2.25bn deal
collaboration

Citrix buys Slack competitor Wrike in record $2.25bn deal

19 Jan 2021
Should IT departments call time on WhatsApp?
communications

Should IT departments call time on WhatsApp?

15 Jan 2021