Office Manager w/ access to ALL Users Passwords - Help me change it!

[KeeKat]

Hi guys!

I've recently started working at a small nonprofit after years in corporate environments (regional bank and a health insurer). The nonprofit has VERY lax security when it comes to IT. The (very nosey) Office Manager has access to everyone's login and password for their computers and will openly log in as other people. She handles the relationship with our tech company, so for example if you forget to keep your laptop on for maintenance, instead of waiting until the next day she'll log in as you and allow them access to the computer. (This is a pretty valid excuse to do it, but because of her gossipy nature I'm VERY uncomfortable with her knowing how to log in as me). I run our social media profiles, so if she wanted to, she could post on our Facebook/Twitter pages anything she wants while logged in to my computer and I could lose my job. I had just gone through a IT/Security audit at the insurance company before I left so this jumps out to me as a huge red flag.

I'm told this is a holdover from the days before they had a network or an tech company, so it was a safety precaution against the whole 'if you get hit by a bus tomorrow' worry. Passwords never expire. I'm the first new employee (other than the President) in about 5 years. While my position is in Marketing, I have already proven to the President that I'm very tech savvy, so I do think there's a chance they'll listen.

Are there any tech security folks out there that can arm me with some facts about why this is such an awful setup (links/articles would be fantastic)? To be clear, the tech company does have access to anyone's computer now through software, so there's no need for the manager to have it. How can I get our President to understand how dangerous this is? They understand I'm very tech savvy and do tend to be open to listening, but this will be a fight against years of the same old.

TIA!

[teen persuasion]

  I run our social media profiles, so if she wanted to, she could post on our Facebook/Twitter pages anything she wants while logged in to my computer and I could lose my job. 

Not enough of an expert to advise on the rest, but at the least don't leave Facebook/Twitter logged in on your laptop (or save passwords) when you are not there.  I manage my employer's website, and I always log out of WP (as well as email/calendar/spreadsheets) before leaving for the day (on a common computer used by multiple staff in different shifts).  My director has a separate log in, so changes are documented as to who made them and when.

[Noodle]

Welcome to the joys of small non-profits! (Actually, they can be very rewarding. But they are a culture all their own, as you are discovering.)

Non-profits of all sizes are infamous for not fixing things until they are broken, often badly, because resources are always in high demand--time being as much a resource as money. They rely on personal relationships to streamline projects and processes, which works until it doesn't--the field's ongoing and serious problem with embezzlement being one result.

Since your director is relatively new and you have some technology cred, you might be successful with some facts and anecdotes (which I suggest presenting as "best practices" rather than any commentary on anything going on at your actual office--try your field's professional organization for suggestions.) You should be prepared for the fact that you might not be, especially if the office manager pushes back.

That doesn't mean there is nothing you can do! You can manage your own computer in a more secure manner...don't let your browser save passwords, change the passwords of the accounts you control (the social media) regularly, log into the social media accounts only when working on them, insist on changing your password quarterly, and regularly encourage your co-workers to change  theirs too. If anyone asks you why, just smile and say that it's considered current best practices.

You can also break the problem into chunks. For instance, talk to your director about shifting over to expiring passwords and leave the office manager's access out of it for now. If everyone is changing passwords on a frequent basis, the office manager may not be as motivated to keep up with it all.

I also encourage anyone working in the non-profit field (or any field, really) to read the book Switch by Chip and Dan Heath. The topic of the book is getting people to change behavior when you don't have authority over them--I learned a lot that I use often!

[KeeKat]

Thank you both for your thoughts! I'm realizing I'm definitely going to have to up my own security (for our social media) for the meantime until a greater solution can (hopefully!) be put in place.

I appreciate the taking it one step at a time philosophy. Sometimes I'm so shocked by the culture difference that I can't break up the steps in my head. You've given me a great way to do that!

The book sounds like an excellent read - I downloaded it from the library and I'm going to start reading!

[Zamboni]

I also suggest that you make 2 usernames for your PC: one that you actually use, and one that you share with the office manager that allows a simple login but is basically a decoy with no admin privileges that doesn't allow access to your files. It might get you into hot water, but you can claim ignorance later.

[cats]

You can also break the problem into chunks. For instance, talk to your director about shifting over to expiring passwords and leave the office manager's access out of it for now. If everyone is changing passwords on a frequent basis, the office manager may not be as motivated to keep up with it all.

This sounds like a great way of dealing with it, to me.  It shifts the onus onto the office manager to prove that she still has a legitimate need for the passwords, rather than you having to prove it's a bad idea.  If the office manager does persist in wanting all passwords, I think a compelling case against it is that if her computer is compromised (I assume the passwords are stored somewhere on her computer, or have been used on her computer at some point if she is remotely logging into other people's computers?), then your whole office is potentially compromised.  Or if she's really just keeping a paper list of all passwords--again, someone could just come in and pick them all up and have access to your whole office.  I would try to make it more about how there is a threat to ALL of you from outside, and be very clear that you are NOT suggesting that the office manager might be about to go rogue on other employees within the organization.

[Noodle]

Another tactic that I have found to be helpful is to propose a temporary change--for instance, that you will try X for six months and then re-evaluate. People tend to overestimate the downside of a change, and the biggest cognitive load is in the early stages of making a change. So if you can get past the "painful adoption" stage, often people will have gotten past it in a few months and not care that much any more--or at least you can reason based on facts and experience, and not everyone's fears of change.

[MightyAl]

Change your password and don't tell the office manager.  It is your ass on the line.

[mustachepungoeshere]

I'd email Alison at Ask a Manager.

http://www.askamanager.org/

She's great at providing scripts for this sort of thing.

[Travis]

Change your password and don't tell the office manager.  It is your ass on the line.

Is it in writing in the non-profit's rules/laws/procedures that the office manager needs access to everyone's accounts? If it isn't and she insists on keeping it that way, then she might want to get it in writing.  You can spell out "liability" for her if she scoffs at the idea.  Or whoever she reports to. What kind of work does your non-profit do?  If it involves personal, medical, or financial information, then your insurance company and the owners of that information could start a riot.  It also means your non-profit wouldn't have a leg to stand on if your business or any of its employees ended up in court for anything IT-related (theft of information, criminal activity conducted through the computer, online harassment, etc).  It's literally criminally stupid to not have user accounts locked down to the users and only your IT support company having administrative access.

Until this is corrected, do not save anything on that computer you wouldn't want the world to know about from files with confidential information to your internet browsing history.

[ketchup]

Does your office need to comply with... anything?  You could use that as leverage.  This is failing basic IT security 101.

[trollwithamustache]

Is this set up insecure? sure.

But, remember, your work computer belongs to the non profit, not you. They can do anything they want with it.  Yeah your boss can read your email or look at your internet history if they want.  So can the IT guy.  So apparently can your office manager.

Don't be surprised if some senior people like being able to call her and have her log into their computer and print some document or do something for them. 

Again, its insecure ect, but it is what the owner of the systems want.

[KeeKat]

Thanks again for the replies!

- There are no written rules that mention anything about IT Security. They had a FINANCIAL audit a few years ago that they passed, but they don't understand that an financial audit wouldn't look at IT risks. They bring up passing that audit when I shared my concerns earlier in my tenure here.

I'm definitely going to also go the Ask a Manager route. It's such an obvious subject to me that it's mind-boggling to explain why it's important. It's like asking why I tie my shoes - so I don't trip!

I have found a way to lock my Google Chrome browser when I'm not there, which was my biggest concern (what I use for social media).

Thank you all!

[Just Joe]

KeeKat - another approach would be to use Portable Apps. (free)

Basically it installs a menu function to your thumb drive/memory stick and then there are a ton of programs like Firefox, Chrome, Libreoffice, email programs, password manager, etc that can be installed to your thumb drive in just a few clicks.

Nothing gets installed on any computer.

No bread crumb trail for anyone to prowl through when you are gone and the thumb drive is in your pocket. You can save passwords in the portable browsers, create your own bookmark lists, store YOUR documents/pictures/media on YOUR thumb drive. All you are using the organization's computer for is a screen, keyboard and network connection.

If you should change computers, your info goes with you on your thumb drive. Plug it in and everything is right there ready to use again.

This is how my DW uses her computer at work. There are no restrictions on her using her work computer or the web but she feels better not leaving a bread crumb trail of where she goes on the web, or personal emails, or passwords on her employer's computer. Basically she does work on the computer, does personal items via the software the thumb drive. Her coworkers seem to intermingle everything on their computers.

https://en.wikipedia.org/wiki/PortableApps.com

[NoStacheOhio]

Most social media sites offer two-factor authentication, which I would absolutely use in this situation. You may also be able to get login notifications.

Keep the backup codes somewhere safe. Probably tell the President where they are, but that they are not to be shared, and are for emergency use only.

[ketchup]

KeeKat - another approach would be to use Portable Apps. (free)

Basically it installs a menu function to your thumb drive/memory stick and then there are a ton of programs like Firefox, Chrome, Libreoffice, email programs, password manager, etc that can be installed to your thumb drive in just a few clicks.

Nothing gets installed on any computer.

No bread crumb trail for anyone to prowl through when you are gone and the thumb drive is in your pocket. You can save passwords in the portable browsers, create your own bookmark lists, store YOUR documents/pictures/media on YOUR thumb drive. All you are using the organization's computer for is a screen, keyboard and network connection.

If you should change computers, your info goes with you on your thumb drive. Plug it in and everything is right there ready to use again.

This is how my DW uses her computer at work. There are no restrictions on her using her work computer or the web but she feels better not leaving a bread crumb trail of where she goes on the web, or personal emails, or passwords on her employer's computer. Basically she does work on the computer, does personal items via the software the thumb drive. Her coworkers seem to intermingle everything on their computers.

https://en.wikipedia.org/wiki/PortableApps.com

You absolutely do leave breadcrumbs on the network, no matter what programs you're using or whether it's installed on the PC itself or not.  IT can see everything happening on their network.  We won't go looking for it unless there's a concern, but we know how much Pandora has been streaming to Bob In Accounting's PC, and we can tell that Jimmy-the-new-guy streams video games on Twitch all day, regardless of whether any of that is installed locally or on a flash drive.  We really, really, don't care unless it clogs up network traffic (that means you, Becky-who-streams-Netflix-all-day-on-her-iPhone-using-the-wifi) or management asks us to look.  You are keeping passwords and whatnot safe this way, but your web activity is anything but private.

[Travis]

Thanks again for the replies!

- There are no written rules that mention anything about IT Security. They had a FINANCIAL audit a few years ago that they passed, but they don't understand that an financial audit wouldn't look at IT risks. They bring up passing that audit when I shared my concerns earlier in my tenure here.

I'm definitely going to also go the Ask a Manager route. It's such an obvious subject to me that it's mind-boggling to explain why it's important. It's like asking why I tie my shoes - so I don't trip!

I have found a way to lock my Google Chrome browser when I'm not there, which was my biggest concern (what I use for social media).

Thank you all!

I'm going to guess that the financial audit was to make sure your business is complying with non-profit tax law and making sure money isn't just walking out the door.  Whether your financial data (or a client's) is stored on post-it notes, in a shoe box, or in a safe wasn't on their checklist. 

One of my friends runs a medical treatment non-profit that is up to its neck in confidential documents.  Her insurance company sent her a 5 page inspection sheet that dealt with just how she runs her IT infrastructure and data handling policies.  She hasn't mentioned on-site inspections, but I imagine it could be messy if there's ever a claim and the insurance company notices that the checklist doesn't match reality.

[JLee]

I would be using randomly generated passwords and a password manager (e.g. LastPass) with multifactor authentication (e.g. YubiKey) for everything possible.

Are users using local accounts or domain accounts?

[Just Joe]

KeeKat - another approach would be to use Portable Apps. (free)

Basically it installs a menu function to your thumb drive/memory stick and then there are a ton of programs like Firefox, Chrome, Libreoffice, email programs, password manager, etc that can be installed to your thumb drive in just a few clicks.

Nothing gets installed on any computer.

No bread crumb trail for anyone to prowl through when you are gone and the thumb drive is in your pocket. You can save passwords in the portable browsers, create your own bookmark lists, store YOUR documents/pictures/media on YOUR thumb drive. All you are using the organization's computer for is a screen, keyboard and network connection.

If you should change computers, your info goes with you on your thumb drive. Plug it in and everything is right there ready to use again.

This is how my DW uses her computer at work. There are no restrictions on her using her work computer or the web but she feels better not leaving a bread crumb trail of where she goes on the web, or personal emails, or passwords on her employer's computer. Basically she does work on the computer, does personal items via the software the thumb drive. Her coworkers seem to intermingle everything on their computers.

https://en.wikipedia.org/wiki/PortableApps.com

You absolutely do leave breadcrumbs on the network, no matter what programs you're using or whether it's installed on the PC itself or not.  IT can see everything happening on their network.  We won't go looking for it unless there's a concern, but we know how much Pandora has been streaming to Bob In Accounting's PC, and we can tell that Jimmy-the-new-guy streams video games on Twitch all day, regardless of whether any of that is installed locally or on a flash drive.  We really, really, don't care unless it clogs up network traffic (that means you, Becky-who-streams-Netflix-all-day-on-her-iPhone-using-the-wifi) or management asks us to look.  You are keeping passwords and whatnot safe this way, but your web activity is anything but private.

Yes, on the network there will be breadcrumbs. The average nosey user looking at the computer's browser history won't see anything b/c you didn't use the installed browser.

Actually the lack of a browser history ought to make some question why - but the kinds of users I deal with the most wouldn't get it.