19% of employees of small and medium-sized businesses (SMBs) share their passwords with coworkers or assistants, according to a recent survey by IT consultancy Switchfast.
Switchfast surveyed about 600 small businesses about how cybersecurity works, or doesn’t work, for them. It spoke to the C-suite level leaders of the business about their own habits, as well as the habits of their employees. Among its findings was the stat about employee email sharing.
One could imagine that in an SMB, this kind of shared password might be used for a crucial central piece of technology, like a team's remote file share or a customer service email account.
And, of course, it’s very convenient to share passwords. But as Mark Stockley wrote in his article “4 password mistakes small companies make and how to avoid them,” there are huge downsides:
- If something bad happens you can’t tell who did it.
- It makes you more vulnerable to social engineering.
- It makes changing passwords too painful to bother with.
- Everyone with a password can cause maximum damage.
- You don’t know who else has your passwords.
On top of it all, those shared passwords are often weak – easily guessed, brute-forced, and/or possibly already compromised from an older data breach – so no matter what way you slice it, password sharing is risky for these small businesses and their customers.
Even folks at bigger firms make this easy mistake of reusing passwords: In 2016, Facebook’s Mark Zuckerberg had several of his own social media feeds hijacked, as they all used the same extremely guessable password, “dadada,” which was initially leaked via a LinkedIn data breach.
What’s also quite telling in this survey is that many of the C-level leaders reported bad habits at higher rates than their own employees — for example, 76% of the SMB leaders say they haven’t enabled multi-factor authentication, compared to 69% of SMB employees. (Here’s why 2FA is a good idea.)
In this case, people with higher privilege levels and greater access to sensitive information are doing less to secure that information, which is not great news for these businesses or any customer data they’re dealing with.
Another data point: About half of the SMB C-level leaders (51%) are “convinced” their business is not a target for cybercriminals, while only 35% of their employees are. That’s quite a gap. Do the leaders know something their employees don’t, or is their picture of their company’s security not in tune with the on-the-ground realities?
All of this paints a picture of a potential double whammy for small businesses – there’s a lot at stake when a business is small, and the business likely has fewer resources than a larger company to deal with the fallout of a security incident.