If IT were a superhero, shadow IT would be its underestimated nemesis. That’s because today’s shadow IT — accounts that employees create without a business’s authorization or awareness — appears at first glance to be harmless. That makes the havoc it can wreak even more of a threat.
In the daily course of their work, employees often create accounts using their work email addresses, or use third-party tools that haven’t been vetted by IT departments. The end goal is to increase productivity. But, the practices involved with this kind of shadow IT can lead to cumbersome, and sometimes dangerous, security holes. Even worse, IT departments are often unaware of these flaws in the company armor.
This isn’t a minor issue. In a recent survey of over 2,000 business users, 62% of respondents said they’d created at least one account without involving IT. Another third said they reuse memorable passwords for new accounts. And 37% of respondents have shared passwords with a colleague over email, instant messenger, verbally or by another insecure method.
RELATED CONTENT: Shadow IT doesn’t have to be as dark as it sounds
Considering that just 2.6% of surveyed employees who have created shadow IT accounts use a strong unique password at every website, this practice of password reuse and sharing can create huge security nightmares for IT departments.
We all recognize that shadow IT is a problem. The question is what can IT departments do about it? After all, banning these accounts entirely can stifle productivity and creativity. But at the same time, employees need to be aware of the impact this kind of behavior has, as well as the associated risks, so they can use their best judgment when opening shadow IT accounts.
Here are steps that IT departments can take to have oversight over and encourage healthy habits for employees creating shadow IT accounts.
In nearly all cases, employees don’t create shadow IT accounts for malicious reasons. Rather, their intent is often positive: to increase productivity or otherwise become better at their jobs. The good news is that these employees are already interested in improving their behavior — that’s why they’re signing up for services like Asana, Trello, and AirTable.
When you train employees regularly about the threat of shadow IT, it will help change their perception of these “harmless” accounts, as well as insecurely sharing passwords with teammates and colleagues. When talking to your employees about good password and security habits, first demonstrate why it matters so that they’ll understand these aren’t just arbitrary guidelines. The understanding will go a long way towards encouraging compliance.
- Use a password manager
Creating strong, unique passwords for every account is crucial for securing your accounts. But, remembering those passwords is impossible — as evidenced by the study’s finding that so many respondents reuse them — and keeping track of them is a nightmare. An organization providing a password manager helps employees create and manage logins and passwords, while simultaneously improving security.
Even if hackers manage to obtain passwords from one of your employee’s other accounts (maybe a personal Instagram or an old blog password), those credentials are worthless, since the password manager generates unique passwords for each individual account.
Provide an enterprise password manager for all employees, and encourage secure sharing and good password behavior. Show them how to use it during training and onboarding, and install the manager on every employee’s personal computer. Most will see the benefit immediately and will also adopt the same technology for personal accounts — in fact, some enterprise password managers provide free personal accounts.
- Provide access
If employers make it easy to request access to necessary software, employees are less likely to create accounts outside the view of your IT department.
Establish a protocol for requesting access to apps, storage usage, subscriptions, cloud-hosted documents and whatever else your employees may need. It can be as easy as sending an email to IT requesting that the company subscribe to a specific outlet. Whatever your method, spending money on subscriptions and software the entire company can use is much less expensive than recovering from a data breach.
Implementing this protocol, even for free-to-use sites, is critical. Make sure that any employee training or new processes make it clear that even free-to-use sites are susceptible to breaches. Employees may think that they’re being proactive and helpful by creating a company event registration through a personal account, or quickly creating an account to access a free trial for a single project. However, if you create a culture of open communication with IT, then more account oversight and transparency will keep an organization safer from unforeseen attacks.
Shadow IT has become a significant threat to enterprise businesses and SMBs alike, but it’s surprisingly easy to neutralize. The biggest hurdle is getting employees to understand how impactful their actions are to the overall cybersecurity health of the company.
Visibility is key for combating shadow IT, but the very first step is creating awareness of the threat so that everyone — from IT managers to administrative staff — is on board with tightening the business’s cybersecurity.