Felix Blog - Procurement Industry News & Insights

Using shared accounts to access Felix is a major security risk

Written by Kristy Dale | Sep 19, 2024 2:39:22 AM


Using shared accounts to access technology platforms that support your business, such as Felix, poses a significant security risk. While it may seem convenient to use a single login for multiple users, this practice can lead to major vulnerabilities.  

This article explores the dangers of shared accounts and how to ensure secure access to Felix. 

What is a shared account? 

A shared account uses the same username and password for multiple users. In many cases, a generic or shared email address (e.g. admin@yourcompany.com) is used to log into Software-as-a-Service (SaaS) solutions such as Felix. In these cases, users don't have their own individual login credentials; they share the same details with others to access online tools.

What are the risks of using a shared account to log into Felix? 

Although it may be tempting to share login credentials among colleagues, this introduces a variety of security risks and makes a breach more likely, whether you're an enterprise customer or a vendor.

Here are some of the dangers of using shared accounts:  

  • Increased risk of account compromise: Compromised credentials are a common entry point for attacks on your systems and data. Shared credentials are significantly easier for cybercriminals to obtain, giving them access to sensitive customer and financial information and potentially causing significant harm to your business. If you're a Felix vendor, imagine a hacker obtaining a shared credential, logging in and updating your payment details to point to their own bank account – think of the financial implications!
  • Storage vulnerabilities: Shared credentials are often stored in SharePoint, Google Drive, or even on a Post-It note on a noticeboard – in places that multiple users can access. This increases the risk of the credentials ending up in the hands of unauthorised users, including cybercriminals. And for a hacker, the beauty of shared accounts is that they make malicious activity difficult to track – which brings me to the next point.

  • Difficult to investigate malicious activity: A shared account makes it difficult to link specific actions to individual employees, and even harder to track cybercriminals. Signals that would normally stand out as unusual, such as simultaneous logins or logins from several different devices or browsers, look like ordinary use on a shared account.

  •  Lack of transparency and accountability: One of the benefits of Felix is its traceable audit trail of activity. However, if multiple people are using the same account, it becomes impossible to determine who made which changes. This could include unapproved updates, mistakes, or in more serious cases, malicious activity by a hacker.

  • Security vulnerabilities: Shared accounts undermine robust security measures. For example, setting up Multi-Factor Authentication (MFA) for Felix becomes problematic with a shared account, as the setup requires a unique second factor, such as a mobile device, to receive an authentication code. MFA is a powerful defence against cybercriminals: even if a hacker has stolen one proof of identity, such as access to your email platform, they still need to obtain and use the other proofs of identity to access your account.

  • Employee turnover risk: Shared accounts can become security risks when employees leave the organisation. If passwords aren't changed, former employees retain access to Felix and its confidential information. The more people with access to a shared account, the higher the compromise risk. 

  • Compliance violations: Many organisations must comply with security and compliance standards such as ISO 27001. If your organisation or your customers are subject to such security or data protection requirements, using shared accounts to access SaaS solutions such as Felix is a violation of them.
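The "simultaneous logins from different devices" signal mentioned in the list above, worked through as an added example that is not code from Felix or the original post: the login events and the account-to-owner mapping are constructed sample data, and the 10-minute window is an assumption.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events (not real Felix logs):
# (username, ISO timestamp, source IP, browser/device).
SAMPLE_EVENTS = [
    ("admin@yourcompany.com", "2024-09-18T09:00:00", "203.0.113.10", "Chrome/Windows"),
    ("admin@yourcompany.com", "2024-09-18T09:03:00", "198.51.100.7", "Safari/iPhone"),
    ("admin@yourcompany.com", "2024-09-18T09:05:00", "203.0.113.10", "Chrome/Windows"),
    ("j.smith@yourcompany.com", "2024-09-18T09:10:00", "203.0.113.10", "Chrome/Windows"),
    ("j.smith@yourcompany.com", "2024-09-18T14:00:00", "203.0.113.10", "Chrome/Windows"),
]

# Constructed mapping of each login to the people who know its password.
ACCOUNT_OWNERS = {
    "admin@yourcompany.com": ["Alice", "Bob", "Carol"],  # shared account
    "j.smith@yourcompany.com": ["J. Smith"],             # individual account
}


def find_concurrent_logins(events, window=timedelta(minutes=10)):
    """Flag accounts seen from more than one IP/device within `window`.
    Returns {username: set of (ip, device) pairs that overlapped}."""
    by_user = defaultdict(list)
    for user, ts, ip, device in events:
        by_user[user].append((datetime.fromisoformat(ts), ip, device))
    flagged = {}
    for user, logins in by_user.items():
        logins.sort()  # chronological order, so we can stop early below
        for i, (t1, ip1, dev1) in enumerate(logins):
            for t2, ip2, dev2 in logins[i + 1:]:
                if t2 - t1 > window:
                    break  # every later login is further away still
                if (ip1, dev1) != (ip2, dev2):
                    flagged.setdefault(user, set()).update({(ip1, dev1), (ip2, dev2)})
    return flagged


def possible_actors(flagged, owners):
    """For each flagged account, list who could be behind the activity.
    An individual account resolves to one person; a shared account resolves
    to everyone holding the password, so the alert cannot be attributed."""
    return {user: sorted(owners.get(user, [])) for user in flagged}


if __name__ == "__main__":
    hits = find_concurrent_logins(SAMPLE_EVENTS)
    for user, actors in possible_actors(hits, ACCOUNT_OWNERS).items():
        print(f"{user}: {len(hits[user])} devices within 10 min; could be any of {actors}")
```

The individual account produces no alert and, if it ever did, would resolve to one named person; the shared account produces an alert that three people could equally have caused.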

Is cybercrime really a risk to all businesses in Australia?  

Optus and Medibank suffered two high-profile breaches in 2022, followed more recently by Ticketek and Ticketmaster, so you might think that cybercriminals only set out to target large organisations. However, this isn't the case: the Australian Signals Directorate (ASD) Cyber Threat Report 2022-2023 states that over 92.6% of cybercrime incidents were from small businesses with annual turnovers below $2 million. No matter the size of your business, you need to remain vigilant.

The numbers from the ASD report paint a stark picture: 

  • In the 2022-2023 financial year, the ASD received nearly 94,000 cybercrime reports, an increase of 23% from the previous financial year. 
  • On average, a cybercrime is reported every 6 minutes in Australia. 
  • The average self-reported cost of cybercrime to business has also increased by 14% each year for two consecutive years.
  • Criminals usually prefer easier targets, as they are more likely to find information security lapses within smaller, less IT-savvy businesses.

How you can exercise good cybersecurity hygiene when accessing Felix 

While Felix prioritises security and compliance, a large part of account security remains in your hands as a user.  

Here’s how you can make your account security a priority: 

  • Use individual accounts to access Felix: Ensure every user has their own individual login. If you're a Felix enterprise user, please contact your Felix administrator to add your individual login. If you're a vendor, please refer to our guide How to add a new vendor user.
  • Vendors can enable Multi-Factor Authentication (MFA): MFA is a great tool for vendors to add an extra layer of defence to their Felix account, which strengthens the security of the entire supply chain. Learn how to do this in our Help article How to Enable MFA.

  • Choose a strong and unique password: Never reuse the same password across multiple sites, and consider using a passphrase.