Shadow IT: How to Mitigate Risks with a Password Manager
Shadow IT is inevitable.
With the consumerization of IT and the proliferation of cloud applications, maintaining control over your organization’s security is becoming increasingly difficult.
Unless you’re willing to slow employee productivity to a halt by demanding IT approval of every software and cloud application used for work, as well as all personal devices used in the office, then the chances are you’re better off working to mitigate the risks associated with shadow IT rather than trying to eliminate it altogether.
With that said, there is one way to mitigate the risks associated with shadow IT without impeding employee efficiency — invest in a password manager for your organization.
A password manager will ensure strong password behavior for all employees across all accounts. This includes all shadow IT apps and any personal accounts accessed at work, or used for work (like the company Twitter account).
There’s a reason shadow IT has grown to be so prominent in businesses across the globe.
It allows employees to increase their efficiency by using world-class tools that can be accessed with the press of a button. It enables collaboration and innovation.
Yet, as an IT professional, it’s something that you need to recognize and assess.
Mitigating the risks associated with employees using hundreds or thousands of shadow apps is possible with a password manager.
Using Shadow IT to Your Advantage
Ironically, a password manager is itself oftentimes a part of shadow IT.
And if you think about the primary catalyst behind the explosion of shadow IT — that employees want affordable, easy-to-use software that makes them more efficient, without going through the red tape of an IT department — you can use that to your advantage by implementing a password manager.
A password manager is affordable, easy-to-use, and employees will love how it makes them more efficient at work.
From an IT perspective, it gives IT a high-level view of employees’ security behavior and encourages strong password behavior across all employee accounts, including those that aren’t covered by an SSO or that aren’t even necessarily work accounts (like a personal Airbnb account that’s used by a traveling employee).
Essentially, a password manager allows you to put a fence around every account accessed by employees in your entire organization, regardless of IT’s intervention or knowledge.
In order to understand the benefits of a password manager as it relates to shadow IT, it’s important to take a step back and recognize the full scope of shadow IT and how it’s affecting your organization.
What is Shadow IT?
Shadow IT is any IT system, hardware or software, that’s used within an organization without the consent or knowledge of the organization’s IT department.
Shadow technologies include:
- All personal devices
- Unauthorized USB drives
Shadow applications include:
- Google Docs
- Dropbox
- Skype
- Evernote
- Instant messaging services
- Thousands of other cloud applications
“Shadow IT” isn’t just a name; it helps to define the problem.
Just like a shadow can extend far beyond the physical thing that can be seen, touched, or grasped, shadow IT often extends far beyond what any IT department can imagine.
In fact, according to Gartner:
- Shadow IT cloud usage is at least 10 times the size of known cloud usage
- The average organization uses over 1,400 different cloud services
- Of those 1,400 services, the average company uses 57 different file sharing services
- 80% of employees admit to using SaaS applications without IT approval
As an IT professional, these statistics are big red flags.
Let’s take a look at some of the risks associated with shadow IT.
Two Major Risks Associated with Shadow IT
While there are several risks associated with IT being left out of the shadow IT decision-making process, let’s focus on two major areas of risk that can be eliminated with the use of a password manager.
Risk #1: An employee reuses a compromised password from one of their personal accounts to protect a business account, enabling a savvy hacker to gain access to your corporate network
This scenario has played out numerous times in the past.
For example, the 2012 Dropbox breach was enabled by an employee reusing a password from his personal LinkedIn account — a password that had been compromised in the previous LinkedIn breach — to protect a sensitive company account.
Hackers buy lists of compromised passwords and use software bots to test those compromised username (or email) and password combinations across every site.
Because of password reuse, hackers typically succeed in gaining access to additional accounts that wouldn’t have otherwise been breached had unique passwords been used.
In this scenario, a password manager would have notified the employee of password reuse across accounts, and suggested unique, complex passwords for each account.
Additionally, the IT admin would have seen a low security score for this employee and recommended updating weak or reused passwords.
Without a password manager, it is simply impossible to prevent this type of behavior.
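The reuse detection and per-employee security score described above, as an added example (not Dashlane’s code): it audits a constructed sample vault for reused, weak, and breach-listed passwords, compares passwords only by hash, and uses a locally constructed breach set in place of a real breach corpus.

```python
"""Vault audit: flag reused, weak and breach-listed passwords and score the vault.
Added illustration, not Dashlane's code. All vault data and the breach set are
constructed sample values for this example."""
import hashlib
from collections import defaultdict

# Constructed sample vault for one employee: (site, username, password).
VAULT = [
    ("linkedin.com", "jane@example.com", "Summer2012!"),
    ("dropbox.com", "jane@example.com", "Summer2012!"),     # reused from LinkedIn
    ("twitter.com", "companybrand", "password"),            # weak
    ("airbnb.com", "jane@example.com", "vK9#qL2mTr8!wZp"),  # unique and strong
]

# Constructed stand-in for a breach corpus, held as SHA-1 hashes (the format
# haveibeenpwned-style range queries use). "Summer2012!" and "password" are
# assumed, for this example, to have appeared in prior breaches.
BREACHED_SHA1 = {hashlib.sha1(b"Summer2012!").hexdigest().upper(),
                 hashlib.sha1(b"password").hexdigest().upper()}

def is_breached(password: str) -> bool:
    """k-anonymity style lookup: only the 5-character hash prefix would leave
    the client; the 'server' side here is the local BREACHED_SHA1 set."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    candidates = {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix)}
    return suffix in candidates

def is_weak(password: str) -> bool:
    """Short, or fewer than three character classes (assumed policy)."""
    classes = sum([any(c.islower() for c in password),
                   any(c.isupper() for c in password),
                   any(c.isdigit() for c in password),
                   any(not c.isalnum() for c in password)])
    return len(password) < 10 or classes < 3

def audit(vault):
    """Return findings per site; plaintext passwords never appear in output."""
    by_hash = defaultdict(list)
    for site, _, pw in vault:
        by_hash[hashlib.sha256(pw.encode()).hexdigest()].append(site)
    findings = {}
    for site, _, pw in vault:
        issues = []
        if len(by_hash[hashlib.sha256(pw.encode()).hexdigest()]) > 1:
            issues.append("reused")
        if is_weak(pw):
            issues.append("weak")
        if is_breached(pw):
            issues.append("breached")
        findings[site] = issues
    return findings

def security_score(findings) -> int:
    """0-100: share of entries with no findings (the admin-facing number)."""
    clean = sum(1 for issues in findings.values() if not issues)
    return round(100 * clean / len(findings)) if findings else 100
```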
Risk #2: An employee uses a weak or reused password to protect an account that isn’t covered by the company SSO
This scenario, too, has played out numerous times in the past.
Take, for example, the hack that led to the official NFL Twitter account tweeting out the news that NFL Commissioner Roger Goodell had passed away.
Imagine the damage that could be done if a malicious hacker gained access to your organization’s social media accounts: the perpetrator would have complete control over public-facing company communications.
In the case of the NFL’s Twitter account, the password for the account was discovered through the hacking of a social media employee’s email which contained the password.
However, this too speaks to the value of a password manager.
With a password manager, all passwords are stored locally behind the highest level of encryption as well as an employee’s master password.
You can say goodbye to passwords that live in plain sight like an email inbox, or a post-it note on an employee’s desk.
Not convinced? Try a free 30-day trial of Dashlane Business and see first-hand the benefits provided by a password manager to defend against the security risks associated with shadow IT.