Sharing Accounts a Common Practice
A couple of studies show that employees are sharing their usernames and passwords with other employees, and even with family members or others outside the company. There are ways to address this irresponsible behavior.
A study by Cisco found 44% of employees surveyed shared work devices without supervising them and 18% shared passwords.
Dark Reading reports that a study done at one company by AdmitOne, a biometrics company, found:
about 33 percent of the accounts on the network were being shared, and that there were 57 percent more users on the network than there were subscribed accounts
The AdmitOne numbers are interesting but have to be interpreted carefully. First, this was a result from a single company, unlike the Cisco survey, which was a worldwide study. Second, we don't have details on how the AdmitOne study was done: did they actually contact users to determine if the authenticated user was the same person to whom the account is assigned? If they used their software, which analyzes typing patterns, to determine a mismatch between a user and their typing profile, how did they control for false positives (looks like another user but really isn't) and false negatives (missed detecting an unauthorized user)?
The number showing more users than subscribed accounts is telling. That's high and, even with some caveats, can be an indication of real account sharing problems. To know for sure if 57% reflects the actual number of unauthorized shared accounts in use, we'd need to eliminate authorized shared accounts, like multiple application servers in a load balancing configuration all accessing a backend database using the same account, shared accounts on development servers (not a good idea but it happens), or limited authorization accounts used for utility purposes, like accessing shared reports.
What can we do? For starters, set a policy and train employees. The Cisco study found 43% of those surveyed didn't think they were training enough. Also set password policies. If passwords have to be reset every 45 or 60 days, sharing can't go on long without having to share a password again.



