Posted on September 15, 2022 in Technology

Don’t Make Shared Email Accounts

A shared email box has plenty of utility, but it has to be set up right to reach its full potential. A shared mailbox should allow all it’s members to see the content, and can usually be set up so that members can send emails under the mailbox’s address. Essentially, the box is just a box that they have permission to access. Microsoft Outlook allows you to add your users to specific shared mailboxes, but only you, the admin, can decide who gets to see it, who gets to be part, who has the ability to send as the box, where forwards go automatically, if that’s even desired etc. etc. And they don’t have to have a Microsoft license to function!

A shared account, on the other hand, is an easy path to disaster! A shared box shouldn’t be a fully-fledged account that your users can log into using a password and username that you gave them, generally speaking. If your box is set up so that users are in the account instead of in the box only, they have way too many permissions!

For example – a user decides they want full control of the shared email account and simply logs in, changes the password, and doesn’t share it. Now what? You can do a lot of things to the user, up to and including firing them, but that might not be enough to get the email account back, especially if they left on bad terms. Or, an employee mistakenly believes that everyone in the company is meant to have access to a shared account, and gives the login credentials to an unauthorized employee when they ask. Or, an employee writes down the shared credentials somewhere, loses that, and then the company’s support or information mailbox is hacked and totally out of their control. If the account is set up as part of a security group, everything in that group is then put in jeopardy, because accounts can access shared drives. Accounts also take a license to keep functional, so that’s an added expense over a simple shared email box. The issues go on and on!

While some of this can be mitigated with steps such as two-factor authentication, the vast majority of it can only be stopped by making a box that has layers of separation between the account controlling it and the accounts allowed to use it. Microsoft’s system allows users to be added to a shared mailbox without giving them total control over it – that’s the ideal, as user permissions can be revoked without having to go through the song and dance of giving the login info back out to everyone still authorized to use it. As shared mailboxes can’t be signed in to, they’re also much less likely to be ‘hacked’ via a stolen password (although someone could still access it via someone else’s account).

Group Accounts – Social Media

On the other hand, there are social media accounts for the company. Almost no website allows multiple people to run an account with separation from said account the same way that Microsoft does – LinkedIn is a rare exception, and Facebook pages allow people to post to them, but the page can’t post to itself – the company account has to post to it. In cases like that, a shared account is still not ideal, but it becomes easier to manage if only a handful of people have the password, and only one person has the 2FA number. In a pinch, that makes it slightly easier to reclaim the account if the person in control decides to go rogue, but even then, some sites will allow you to change the 2FA number without verifying it to the current 2FA contact first, thus making all of the issues above also issues here. That makes it extraordinarily difficult to truly, properly, bombproof a social media account! Limiting the total number of people who have access to it as well as monitoring when it’s being used is the best solution. Instead of a group shared account, make it a two-person account – or less!

Alternatively, websites like Buffer and Hootsuite can provide some barriers, but for a fee. They may not stop an employee going rogue, but they can at least identify when and which one was responsible if something happens to the company Instagram.