The phantom threat: the revenge of operational staff against the IT department
We're currently seeing a rapid rise in the use of cloud-based software (SaaS) such as Google Workspace, Microsoft 365, Teams, Slack, etc. And it's not about to stop, as online software becomes ever more powerful, intelligent and frighteningly easy to access.
In fact, it's this last point that poses the problem: ease of access. Any employee, department head or manager can subscribe to an online software offer with a credit card, without informing the IT department.
Let's take a concrete example: the Sales Director of a company has heard of Salesforce. He doesn't necessarily see the point of discussing it with the IT department, because:
- "I don't want them sticking their noses into my sales figures."
- "If it's only to get in our way with compliance, there's no point!"
- "What does IT have to do with my business tool?"
But this Sales Director wants Salesforce, so he subscribes and creates accounts for his whole team. If the IT department is made aware of this, it will suggest setting up SSO (single sign-on) to simplify access for users and to "integrate" Salesforce into the IT perimeter. This is exactly what the Sales Director will try to avoid in order to keep his independence: for once he can manage his software himself, without being held back by the IT team's lack of responsiveness.
In this article, I'm going to give you 4 key measures to rebalance your relationship with users and stem shadow IT.
On the road to shadow IT!
What is shadow IT? It's the adoption of applications or software by employees without going through the IT department. This creates a software no-man's-land that opens the door to cyber-attacks.
The worm is in the apple
That's it: an external tool has entered the company, outside the control of the IT department and managed entirely by operational staff.
Salesforce is a good example, but there are plenty of others, such as marketing department software (Buffer, Mailchimp...), or finance department software (Chart.io, Tableau...).
So what's the problem? There is none, as long as users are part of the company and managers manage access rights correctly.
It's staff turnover that creates a gaping security hole: departing users leave behind them a myriad of open accounts on business tools, known as ghost (or orphaned) accounts.
Of course, the IT department has fairly well-established processes for closing accounts on core IT systems: Active Directory accounts, e-mail accounts and instant messaging accounts are properly closed. But there are still dozens of accounts, spread across dozens of tools, which remain open for months or even years after the employees to whom they belonged have left.
For the IT department, another aspect comes into play, less about security than about cost: uncontrolled software expenditure.
Indeed, what has the sales manager actually negotiated? Is he aware of what complying with the licence terms involves? Will he keep his licences up to date? And, above all, what contractual commitment has he signed up to?
All this weighs heavily in the balance when you consider that software and license expenses account for 30 to 40% of IT costs.
It's not uncommon to see an employee leave and his license continue to be billed until a management controller or an "account review" reveals this unnecessary expense.
Software that CIOs don't know about
The long tail
It's this long tail that's difficult for IT departments to manage: 20% of the tools account for 80% of the accounts, so it's the remaining 20% of accounts, spread across the other 80% of tools and across different departments, that cause the problems.
However, this long tail represents an ever-growing threat to IT security. An ex-employee who still has access to Salesforce has access to an up-to-date database of prospects with a wealth of qualified information, which he can pass on to his current company (probably a competitor of his former company).
A former marketing trainee, if he still has access to Mailchimp (an emailing tool) can send a mailing to the 10,000 subscribers of your newsletter with the message he wants. If he's left on bad terms, I'll leave you to imagine what he can do.
Similarly, a former employee who still has access to the CMS of the company website can quietly modify its pages (changing links, adding hidden pages...), which will degrade your SEO, divert traffic or damage your brand.
How to protect yourself against shadow IT?
The best method is based on 4 points:
1. Inventory software and accounts
Draw up a list of the software in use (and keep it up to date). For each piece of software, list the accounts and, at an appropriate frequency, the users who hold one. There are solutions, such as Youzer's, for obtaining a global view of the tools in place in the company and automating the allocation of licences.
Network monitoring can also reveal tools you don't know about, but with the right sources. A packet sniffer such as Wireshark will only show you hostnames, since SaaS traffic is TLS-encrypted (and Kismet is a wireless-network detector, not suited to this at all). DNS query logs, web proxy or firewall logs, and the third-party app consent logs of your identity provider (Google Workspace, Microsoft 365) are far more practical for spotting SaaS in use that is not on your inventory.
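As an added illustration of that discovery step (this is not Youzer's code, nor a tool the article recommends), here is a small script that reads DNS query log lines and reports which known SaaS services are being resolved by clients on your network without appearing in the inventory. The log lines, the SaaS catalogue and the approved list are all constructed for the example; the log format imitates BIND's query log, and the catalogue maps a vendor's registered domain to a service name. Matching is done on domain suffix, so a lookalike such as mailchimp.com.example.org is deliberately not counted.

```python
"""Spot SaaS that is not in the inventory from DNS query logs (constructed example)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed BIND-style query log lines: IPs, timestamps and clients are made up.
DNS_LOG = """\
02-May-2024 09:14:03.101 client @0x7f3a 10.0.12.34#51234 (login.salesforce.com): query: login.salesforce.com IN A +E(0) (10.0.0.53)
02-May-2024 09:14:05.220 client @0x7f3b 10.0.12.34#51240 (api.mailchimp.com): query: api.mailchimp.com IN A +E(0) (10.0.0.53)
02-May-2024 09:15:41.008 client @0x7f3c 10.0.14.7#40011 (us13.admin.mailchimp.com): query: us13.admin.mailchimp.com IN A +E(0) (10.0.0.53)
02-May-2024 09:16:12.530 client @0x7f3d 10.0.14.7#40015 (app.slack.com): query: app.slack.com IN A +E(0) (10.0.0.53)
02-May-2024 09:17:55.777 client @0x7f3e 10.0.20.101#33333 (www.notion.so): query: www.notion.so IN A +E(0) (10.0.0.53)
02-May-2024 09:18:02.004 client @0x7f3f 10.0.20.101#33340 (mailchimp.com.example.org): query: mailchimp.com.example.org IN A +E(0) (10.0.0.53)
02-May-2024 09:18:09.415 client @0x7f40 10.0.12.34#51300 (example.com): query: example.com IN A +E(0) (10.0.0.53)
"""

# Assumed catalogue: registered domain -> SaaS name. A real one is much longer.
SAAS_CATALOG = {
    "salesforce.com": "Salesforce",
    "mailchimp.com": "Mailchimp",
    "slack.com": "Slack",
    "notion.so": "Notion",
}

# Assumed inventory: services the IT department already knows about.
APPROVED = {"Salesforce", "Slack"}

# timestamp, optional "@0x…" handle, client IP#port, "(qname): query: qname IN qtype"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?:@\S+ )?(?P<ip>[\d.]+)#\d+ \([^)]*\): "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


@dataclass
class Sighting:
    service: str
    first_seen: str
    queries: int = 0
    clients: set[str] = field(default_factory=set)
    hosts: set[str] = field(default_factory=set)


def parse_queries(log: str) -> list[tuple[str, str, str]]:
    """Return (timestamp, client_ip, query_name) for every line that parses."""
    out = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append((m["ts"], m["ip"], m["qname"]))
    return out


def saas_for(qname: str, catalog: dict[str, str]) -> str | None:
    """Map a query name to a catalogue entry by exact or parent-domain match only."""
    host = qname.lower().rstrip(".")  # DNS names are case-insensitive; drop trailing dot
    for domain, service in catalog.items():
        if host == domain or host.endswith("." + domain):
            return service
    return None  # substring matching would wrongly hit "mailchimp.com.example.org"


def find_unapproved(log: str, catalog: dict[str, str], approved: set[str]) -> dict[str, Sighting]:
    """Aggregate, per unapproved SaaS, who resolved it and how often."""
    report: dict[str, Sighting] = {}
    for ts, ip, qname in parse_queries(log):
        service = saas_for(qname, catalog)
        if service is None or service in approved:
            continue
        s = report.setdefault(service, Sighting(service=service, first_seen=ts))
        s.queries += 1
        s.clients.add(ip)
        s.hosts.add(qname.lower().rstrip("."))
    return report


if __name__ == "__main__":
    for s in find_unapproved(DNS_LOG, SAAS_CATALOG, APPROVED).values():
        print(f"{s.service}: {s.queries} queries from {sorted(s.clients)}, first seen {s.first_seen}")
```

A DNS hit only proves that a machine resolved the vendor's name, not that an account exists; the client IPs tell you which department to go and talk to, and the inventory from step 1 is what you check the result against.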
2. Reconcile accounts and users
The most important thing is to reconcile (accountants would say match) the accounts in each tool against the users in the HR system of record, using its latest joiners-and-leavers data. This lets you identify users who have left but who still have an active account.
This will significantly reduce your software and application costs. You'll spot duplicate accounts, licenses that can be reallocated to a new user, poorly negotiated contracts and even applications with the same functionality.
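To make the reconciliation in step 2 concrete, here is an added example (not Youzer's product code, and not something the article describes in this detail) that matches SaaS account exports against an HR roster and flags ghost accounts, accounts with no HR record, dormant licences and duplicates. The roster, the two exports and their field names (email, status, left_on, login, state, last_login) are constructed for the example; real admin-console CSVs will need their columns mapped to these. The matching key is the normalized e-mail address, so case differences and "+tag" aliases collapse onto one person.

```python
"""Reconcile SaaS account exports with the HR roster to find ghost accounts (constructed example)."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Constructed sample data (not real exports): an HR roster and two SaaS admin exports.
HR_ROSTER = [
    {"email": "Alice.Martin@example.com", "status": "active", "left_on": None},
    {"email": "bob.dupont@example.com", "status": "left", "left_on": "2023-11-30"},
    {"email": "carla.ng@example.com", "status": "active", "left_on": None},
]

SAAS_EXPORTS = {
    "salesforce": [
        {"login": "alice.martin@example.com", "state": "active", "last_login": "2024-05-02"},
        {"login": "bob.dupont@example.com", "state": "active", "last_login": "2023-12-10"},
        {"login": "bob.dupont+sfdc@example.com", "state": "active", "last_login": None},
    ],
    "mailchimp": [
        {"login": "carla.ng@example.com", "state": "active", "last_login": "2024-01-03"},
        {"login": "marketing.intern@gmail.com", "state": "active", "last_login": "2024-04-28"},
    ],
}


@dataclass(frozen=True)
class Finding:
    tool: str
    login: str
    kind: str  # ghost | post_departure_login | unmatched | dormant | duplicate
    detail: str


def normalize(email: str) -> str:
    """Matching key: lowercase, trimmed, '+tag' dropped from the local part."""
    local, _, domain = email.strip().lower().partition("@")
    return f"{local.split('+', 1)[0]}@{domain}"


def _parse(d: str | None) -> date | None:
    return date.fromisoformat(d) if d else None


def reconcile(hr_roster, saas_exports, today: date, dormant_after_days: int = 90) -> list[Finding]:
    """Compare every active SaaS account with the HR roster and report anomalies."""
    roster = {normalize(p["email"]): p for p in hr_roster}
    findings: list[Finding] = []
    for tool, accounts in saas_exports.items():
        seen: dict[str, list[str]] = defaultdict(list)
        for acct in accounts:
            key = normalize(acct["login"])
            seen[key].append(acct["login"])
            if acct["state"] != "active":
                continue  # suspended or deactivated accounts are not a live exposure
            person = roster.get(key)
            last = _parse(acct["last_login"])
            if person is None:
                # No HR record at all: a personal address, a shared mailbox or a contractor.
                findings.append(Finding(tool, acct["login"], "unmatched", "no HR record; review manually"))
                continue
            if person["status"] == "left":
                left = _parse(person["left_on"])
                findings.append(Finding(tool, acct["login"], "ghost", f"user left on {left}, account still active"))
                if last and left and last > left:
                    # Not just a forgotten account: it has actually been used since departure.
                    findings.append(Finding(tool, acct["login"], "post_departure_login",
                                            f"last login {last} is after departure {left}"))
                continue
            if last is None or (today - last).days > dormant_after_days:
                findings.append(Finding(tool, acct["login"], "dormant",
                                        f"no login in {dormant_after_days} days; licence can be reclaimed"))
        for key, logins in seen.items():
            if len(logins) > 1:
                findings.append(Finding(tool, key, "duplicate",
                                        f"{len(logins)} accounts for one person: {', '.join(logins)}"))
    return findings


if __name__ == "__main__":
    for f in reconcile(HR_ROSTER, SAAS_EXPORTS, today=date(2024, 6, 1)):
        print(f"[{f.kind}] {f.tool}: {f.login} ({f.detail})")
```

The "post_departure_login" finding is the one to treat as an incident rather than a clean-up item: an account that was merely forgotten costs a licence, an account that has been used after the leaving date is the scenario the article describes with the ex-employee and the prospect database.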
3. Embrace shadow IT
Any reluctance or ideological or technical obstacles you express in front of users will be reasons for them not to inform you about the new tool they have discovered and are going to implement on their own.
And don't criticize their software choices - they probably have their reasons.
To create a virtuous circle, make them aware of the dangers of the IT Department not controlling applications. When it comes to purchasing, simply look at the terms of the contract, renegotiate it if possible, and discuss it with those who set it up to find a common point of agreement. One department may find an application that saves them a lot of time on certain tasks, and you can promote it to the rest of the company for productivity gains. This would be very rewarding for everyone. Your positive and understanding reaction will engender a much better relationship the next time an application is acquired.
4. Dialogue, exchange and build confidence
Don't close yourself off when a user asks for software. If they ask for it, it's because they need it. If you have any doubts, talk to them about the benefits for their work, or about other tools already in place, to reach a consensus.
If you reject software out of hand without discussion, there's a very, very good chance that the user will implement it without any security or compliance checks.
It's simple, see for yourself:
A user: "Hello, I've seen this software to manage my accounting, I think it's great"
You: "There's already something in place, it's fine like that." (And if I had to take on everything that's offered to me, I wouldn't be able to manage...)
Result: the user leaves wounded, and you can be sure that next time he'll adopt the tool without talking to you about it.
Alternative, you: "Interesting, what do you like about this software? You know we've got ..... right now? What's wrong with it? Can we see the pros and cons of both before making a choice?"
Result: you've valued and listened to his proposal and you know what? As it happens, what the user brings to the table is a great solution!
Be a good listener
Do you want to create a climate of trust? Organize regular meetings with managers and decision-makers to create a dialogue. You can raise their awareness and explain the consequences of certain actions and your constraints. They themselves will be more understanding, inclined to an open exchange of views.
If during these meetings, there is systematically an open study of the various software requests, then your employees will be in a completely different frame of mind.
This also applies to areas other than application accounts: security badges, company bank cards entrusted to employees, keys to premises, etc.
Are there any solutions that would make these 4 points easier for you? Yes and no.
Yes, there are solutions that let you view active, suspended and unassigned licences. Yes, identity and access management solutions such as Youzer can alert you to an account that is still active although its user has left.
On the other hand, there is no solution for establishing a relationship of trust and respect between employees and the IT department. It's up to you to create this space of trust.
How do you manage shadow IT in your company?
If you're interested in simplified licence management and reporting of anomalies such as an active account belonging to a departed user, I invite you to schedule your demo to see how, without any action on your part, all this information is available in your dashboard.