This post is a continuation of “Cybersecurity: Don’t Wait, You Might Be Next!”, which outlines the new cybersecurity risks facing investigative agencies and provides ways they can insulate themselves from the loss or leakage of highly privileged information.
#3 – Protect User Credentials
Password requirements have gotten more complex over the years. There’s a good reason for this: a complex password is harder to crack. Requiring different password features across different products also makes it less likely that users will be able to share the same password across all of their accounts.
The downside of all those length and symbol requirements is that they make it impossible to remember all of your passwords.
The worst way to deal with this problem is to write passwords down and leave them somewhere on a desk or monitor. Obviously, anyone who enters the office can see them. But those post-it notes sometimes make an appearance outside the office, too. They can easily end up blowing around the parking lot when employees clear out their desk or office.
If employees keep a physical copy of their passwords, make sure they’re stored in a locked area. They should be stored away while not in active use and never kept out on desks.
Also, make sure employees are careful where they store passwords digitally. When it comes to password lists, password manager software is far safer than a Word document. Any account holding a plain-text password list is a master key for all accounts listed in the document.
Worse, that master key is accessed constantly. When users are in a time pinch, they may email the list to a less-than-secure personal email account to ensure they’ll have easy access later.
#4 – Prohibit Account Sharing
There are several reasons employees share an account login. Sometimes it’s not worth buying a second license to a product that’s licensed on a per-account basis. Sometimes it’s the easiest way to ensure that the whole team can quickly access a product when they need it. Sometimes it’s just one less password to manage.
But as a time-saver, shared accounts are a shortcut that can quickly become the “scenic route.” When a user account is compromised, that person’s other accounts should be disabled until someone can confirm that the breach was limited to the one account. But when a compromised account is shared by an entire team, disabling accounts and tracking down the source of the breach can shut down an entire office and quickly become a major forensic project.
Shared accounts can also discourage a culture of security. When employees become accustomed to sharing passwords for less sensitive platforms, some may do the same with platforms containing sensitive data. And when passwords are shared across a whole team, they’re rarely changed when one of the users leaves the agency. As the number of former team members grows each year, so does the likelihood the shared password will be stolen.
Years may pass without incident, leading to further security atrophy. By the time an account is eventually compromised, there may be thousands of potential sources of the breach, making it impossible to pinpoint the user who was compromised and to address any fallout from that compromise.
Make sure you have a policy banning account sharing! And make sure it’s enforced – if there’s a big list of exceptions, many will assume the policy is just an IT fig leaf. That’s especially true if exceptions are handled on an “unofficial list.”
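One way to check whether the ban is actually holding is to look for the tell-tale sign of a shared login: a single username authenticating from many different workstations within a short window. The script below is an added example, not code from the original post; the log line format, the one-hour window and the two-workstation threshold are assumptions, and the log lines are constructed.

```python
"""Flag accounts that look shared: one username seen from many distinct
workstations inside a short window. Log format and thresholds are assumed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: "<ISO timestamp> <user> <workstation> <result>"
SAMPLE_LOG = """\
2024-03-04T08:01:10 jsmith WS-101 success
2024-03-04T08:02:40 jsmith WS-117 success
2024-03-04T08:03:05 jsmith WS-122 success
2024-03-04T08:05:30 jsmith WS-130 success
2024-03-04T08:06:00 akumar WS-140 success
2024-03-04T09:10:00 akumar WS-140 success
2024-03-04T11:00:00 jsmith WS-101 success
"""

def parse_log(text):
    """Return (timestamp, user, workstation) for each successful login."""
    events = []
    for line in text.splitlines():
        ts, user, host, result = line.split()
        if result == "success":
            events.append((datetime.fromisoformat(ts), user, host))
    return events

def shared_account_suspects(events, window=timedelta(hours=1), max_hosts=2):
    """Return {user: set(hosts)} for users seen from more than max_hosts
    distinct workstations inside any `window`-long span of logins."""
    by_user = defaultdict(list)
    for ts, user, host in events:
        by_user[user].append((ts, host))
    suspects = {}
    for user, logins in by_user.items():
        logins.sort()
        start = 0
        for end in range(len(logins)):
            # slide the window start forward until it fits within `window`
            while logins[end][0] - logins[start][0] > window:
                start += 1
            hosts = {h for _, h in logins[start:end + 1]}
            if len(hosts) > max_hosts:
                suspects[user] = suspects.get(user, set()) | hosts
    return suspects

if __name__ == "__main__":
    for user, hosts in shared_account_suspects(parse_log(SAMPLE_LOG)).items():
        print(f"{user}: seen from {sorted(hosts)} within one hour")
```

A hit is a lead for a conversation with the team, not proof of sharing; roaming users and shared kiosks produce the same pattern.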
#5 – Report agency departures to IT
“Ghost accounts,” or accounts of former employees, are among the most likely accounts to be successfully breached. These accounts are often retained by mistake, because of a failure to report a departure to IT or a failure to follow through on disabling the user account. Unfortunately, some ghost accounts are intentionally retained to allow the employee inheriting the departee’s job functions to access a privileged resource.
Whether the ghost account was left active intentionally or unintentionally, it’s not likely to be used daily. In fact, ghost accounts can go for months without any employees monitoring how or when they’re being used. Sometimes teams forget that the account even exists. This is a perfect target for a cybercriminal – an unmonitored account that’s more likely than most to have elevated access to at least one resource.
To prevent active ghost accounts, make sure there’s a process in place to quickly delete or disable accounts for any employees leaving the agency. At many agencies, the most important part of this process is informing the IT department of the employee’s departure, because they can quickly terminate most or all of the departing employee’s accounts.
Sometimes, a ghost account is necessary for a short period because agency employees do sometimes inherit a quickly-departing employee’s job functions. If a departing employee’s account credentials are provided to another employee to allow them to access a resource, make sure that the account has a deletion date assigned to it. The current employee’s access should be provided through their own account as quickly as practical and the former employee’s account should be disabled or deleted.
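The three rules in this section (departed employees must not keep an enabled account without a deletion date, an assigned deletion date must actually be honored, and long-idle accounts deserve a look) can be checked against a directory export on a schedule. The audit below is an added example, not code from the original post; the record layout, the 90-day idle threshold and the sample accounts and departure list are assumptions.

```python
"""Audit a directory export for ghost accounts. Record layout, the 90-day
staleness threshold and all sample data are assumptions (constructed)."""
from datetime import date, timedelta

# Constructed sample data: HR departure dates and a directory export
DEPARTED = {"bwilson": date(2024, 1, 15), "cmorales": date(2023, 11, 1)}
ACCOUNTS = [
    # user, enabled, last_logon, delete_on (None = no deletion date assigned)
    {"user": "jsmith",   "enabled": True,  "last_logon": date(2024, 3, 1),  "delete_on": None},
    {"user": "bwilson",  "enabled": True,  "last_logon": date(2024, 2, 20), "delete_on": None},
    {"user": "cmorales", "enabled": True,  "last_logon": date(2023, 12, 2), "delete_on": date(2023, 12, 15)},
    {"user": "svc_old",  "enabled": True,  "last_logon": date(2023, 9, 1),  "delete_on": None},
    {"user": "rlee",     "enabled": False, "last_logon": date(2023, 5, 5),  "delete_on": None},
]

def audit_ghost_accounts(accounts, departed, today, stale_after=timedelta(days=90)):
    """Return a list of (user, reason) findings, one per enabled account
    that breaks one of the rules; disabled accounts are skipped."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        user, delete_on = acct["user"], acct["delete_on"]
        if user in departed and delete_on is None:
            # inherited or forgotten account with no end date: worst case
            findings.append((user, f"departed {departed[user]} but still enabled with no deletion date"))
        elif delete_on is not None and delete_on <= today:
            # a deadline was set but nobody followed through
            findings.append((user, f"deletion date {delete_on} has passed"))
        elif today - acct["last_logon"] > stale_after:
            # nobody is watching this account; confirm it is still needed
            findings.append((user, f"no logon since {acct['last_logon']}"))
    return findings

if __name__ == "__main__":
    for user, reason in audit_ghost_accounts(ACCOUNTS, DEPARTED, date(2024, 3, 4)):
        print(f"{user}: {reason}")
```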
To learn how CMTS can help your agency close cases more effectively and securely, call us at 855-667-8877 or email us at Team_CMTS@MyCMTS.com.