
Posted on: 7 May 2026

Why training and policy will never stop agent credential sharing

When HCL Technologies disclosed in October 2023 that unauthorised access had compromised client data across multiple service accounts, the breach highlighted a persistent vulnerability that training programmes and policy documents cannot address: the fundamental architecture of how credentials work in business process outsourcing.

The incident, affecting one of India's largest IT services companies, exemplified a pattern seen repeatedly across the BPO and managed services sector. Despite comprehensive security awareness programmes and stringent access policies, the underlying problem persists because organisations continue to operate on a flawed assumption: that users can be trusted to create, manage and protect their own credentials.

The credential sharing epidemic in managed services

In BPO and managed services environments, credential sharing operates as an unofficial standard practice. Service desk agents routinely share login details to expedite client support. Operations teams distribute administrative passwords through messaging platforms to maintain service continuity during shift changes. Project managers circulate system access credentials to temporary staff to meet client deadlines.

This behaviour persists not despite security training, but because the operational demands of managed services create irresistible pressures to circumvent individual credential management. When a client-critical system requires immediate attention at 3am and the designated administrator is unavailable, service delivery teams will share credentials to maintain contractual SLAs.

The practice becomes institutionalised through practical necessity. Teams develop informal protocols for credential distribution that operate parallel to official security policies, creating shadow access management systems that remain invisible to security audits and compliance reviews.

The scale of credential compromise

Recent data illustrates the magnitude of this challenge. Verizon's 2023 Data Breach Investigations Report found that stolen credentials were involved in 49% of all security incidents, with the professional services sector experiencing credential-related breaches at rates 23% higher than the cross-industry average.

IBM's Cost of a Data Breach Report 2023 revealed that compromised credentials contributed to breaches costing an average of $4.62 million per incident in the business services sector. The report identified credential theft as the second most expensive attack vector, behind only phishing.

Specifically within managed services environments, Ponemon Institute's 2023 Third-Party Risk Management Study found that 67% of organisations experienced at least one data breach caused by a third-party vendor in the past 12 months, with credential compromise representing the primary attack vector in 34% of cases.

The UK's Information Commissioner's Office reported that financial penalties for data breaches in the business services sector increased by 156% between 2022 and 2023, with inadequate access controls cited as a contributing factor in 78% of investigated incidents.

Why existing security frameworks fail

Current identity and access management solutions operate on the principle that users should control their own credentials. Single sign-on platforms, privileged access management systems, and multi-factor authentication tools all assume that individuals can be trusted to create, store and protect their authentication secrets.

Zero Trust architectures, despite their comprehensive verification protocols, still rely fundamentally on user-controlled credentials for initial authentication. The "never trust, always verify" principle breaks down when the verification mechanism itself depends on credentials that users can freely share, copy or distribute.

Multi-factor authentication adds layers to the authentication process but cannot prevent credential sharing when operational pressures demand it. Teams simply share both passwords and authentication devices, or distribute MFA bypass codes through unofficial channels.

Privileged access management systems attempt to control high-value credentials through vaulting and session recording, but these solutions typically cover only a subset of system access points. The majority of business application credentials remain under user control, maintaining the fundamental vulnerability.

Identity governance platforms provide visibility into access patterns and can identify anomalous behaviour, but they operate retrospectively. By the time suspicious credential usage is detected and investigated, the operational damage has typically occurred.

The structural solution: organisational credential control

The persistent failure of training and policy to prevent credential sharing indicates that the problem requires a structural rather than behavioural solution. Instead of attempting to modify user behaviour through education and enforcement, organisations must remove the ability for users to create, access or share credentials entirely.

This approach involves shifting credential generation, distribution and management from individual users to organisational systems. Rather than allowing users to create passwords, passphrases or authentication tokens, the organisation generates all credentials centrally, distributes them in encrypted form, and maintains exclusive control over their lifecycle.

Under this model, users never see or handle their own credentials. Authentication occurs through encrypted credential injection that bypasses user visibility entirely. Users cannot share what they do not possess, and credential theft becomes impossible when the target credentials exist only in encrypted organisational vaults.

MyCena's patented technology implements this structural approach by intercepting authentication requests and injecting encrypted credentials directly into login processes. Users authenticate to systems without ever seeing or controlling the underlying credentials, making sharing technically impossible rather than merely prohibited.

This architectural shift addresses the root cause of credential sharing rather than its symptoms. Instead of relying on user compliance with security policies, the system eliminates the technical capability for users to compromise credentials through sharing, copying or theft.

Implications for managed services organisations

For BPO and managed services providers, implementing organisational credential control offers several strategic advantages beyond security improvement. Client audit requirements become significantly easier to satisfy when credential management can be demonstrated through technical controls rather than policy documentation.

Regulatory compliance with frameworks including SOC 2, ISO 27001, and sector-specific requirements becomes more straightforward when credential access can be logged, monitored and controlled at the organisational rather than individual level.

Operational efficiency improvements emerge when teams no longer need to manage password complexity requirements, rotation schedules, or recovery processes for forgotten credentials. Service delivery teams can focus on client requirements rather than credential administration.

Most importantly, the shift removes the inherent tension between security requirements and operational demands that drives unofficial credential sharing practices. When secure access becomes technically simpler than credential sharing, organisational behaviour aligns naturally with security objectives.

The evidence suggests that training and policy approaches to credential security have reached their effectiveness limit. Organisations that continue to rely on user behaviour modification while maintaining user-controlled credential architectures will continue to experience the security incidents that such approaches cannot prevent.
