The phantom menace: the revenge of operations against the IT department
We are currently seeing a rapid increase in the use of Cloud software (SaaS) such as Google Workspace, Microsoft 365, Teams, Slack, etc. And this is not about to stop, as online software becomes powerful, intelligent, and remarkably easy to access.
It is actually this last point that is problematic: ease of access. Each employee, each department head, each manager can subscribe to an online software offer without informing the IT department.

Let's take a concrete example: the Sales Director of a company has heard about Salesforce. He doesn't necessarily see the point in discussing it with the IT department because:
- "I don't want them sticking their noses into my sales figures".
- "If it's to get in our way with compliance, there's no point!"
- "What is the relationship between IT and my business tool?"
But this Sales Director wants to implement Salesforce, so he subscribes and creates accounts for his entire team. If the IT department is informed, they will offer to implement SSO (Single Sign-On) to facilitate access to the software for users and to try to "integrate" Salesforce into the IT perimeter. This is exactly what the Sales Director will try to avoid in order to maintain his independence, because, for once, he can manage his software independently and without being penalized by the IT team's lack of responsiveness.
To do this, I am going to give you 4 key measures to rebalance your relationships with users and thus stem shadow IT.
On the road to shadow IT!
What is shadow IT? It is the implementation of applications or software by employees without going through the IT department. This creates a software no man's land and therefore a breach for cyberattacks!
The rot is within.

That's it: an external tool has entered the company, outside of all IT department control and entirely managed by the operational staff.
Salesforce is a good example, but there are many others, such as marketing software (Buffer, Mailchimp, etc.) or Financial Department software (Chart.io, Tableau, etc.).
But then what's the problem? There isn't one, as long as the users are part of the company and the managers correctly manage access rights.
Employee turnover creates a gaping security breach: departing users leave behind a myriad of open accounts on business tools, which are known as ghost accounts.
Of course, the processes are rather well established in the IT department for closing accounts on the core IT systems: Active Directory accounts, email accounts, and instant messaging accounts are properly closed. But there remain these dozens of accounts, spread across dozens of tools, that remain open for months, or even years after the departure of the employees to whom they belonged.
For the IT department, another aspect comes into play, less about security and more about cost: uncontrolled software expenses.
Indeed, what did the sales director negotiate? Is he aware of the issues regarding license compliance? Will he keep his licenses up to date? And above all, what is his commitment to the software?
All of this weighs in the balance when we know that expenses related to licenses and software represent 30 to 40% of IT costs.
It is not uncommon to see an employee leave and their license continue to be billed until a management controller or an "account review" reveals this unnecessary expense.
Software not inventoried by the IT department
The long tail
It is this long tail that is difficult for IT departments to manage: 20% of the tools represent 80% of the accounts, so it is the remaining 20% of accounts that are spread across many tools, in different departments, that cause problems.
However, this long tail represents an increasingly significant danger to IT security. A former employee who still has access to Salesforce has access to the up-to-date database of prospects with a lot of qualified information and will benefit his current company (probably a competitor of his former company).
A former marketing intern, if they still have access to Mailchimp (an emailing tool), can send a mailing to the 10,000 subscribers of your newsletter with the message they want. If they left on bad terms, I'll let you imagine what they could do.
Similarly, by still having access to the company's website CMS platform, a former employee can modify the pages of your website imperceptibly (by modifying links, adding deep pages, etc.), which will result in the degradation of your SEO, traffic diversion, or damage to your brand.
How to prevent shadow IT?
The best method consists of 4 points:
1. Inventory software and accounts
Establish a list of software used (and keep it up to date). List the accounts for each software, and at an appropriate frequency, list the users who have an account. There are solutions to obtain a global view of the tools in place in the company and to automate license assignments such as Youzer's.
It may be wise to use security scanning tools or "sniffers" (such as Kismet, Wireshark...) to analyze the flows of unknown software in the company.
2. Reconcile accounts and users
The essential point is to reconcile (in accounting, this is called matching) the different accounts and users based on recent HR information. This allows you to identify users who have left but still have an active account.
This will significantly reduce your software and application expenses. You will identify duplicate accounts, licenses that can be reassigned to a new user, poorly negotiated contracts, and even applications with the same functionalities.
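Steps 1 and 2 (inventory the accounts of each tool, then reconcile them against recent HR data) can be automated once both exports are in hand. The script below is an added example, not code from the original article or from Youzer: it reconciles a constructed SaaS account export with a constructed HR roster and flags ghost accounts (departed users still active), accounts with no HR record, duplicate accounts, and unassigned licenses. Column names and the CSV layout are assumptions.

```python
import csv
import io

# Constructed sample HR export (assumed columns).
HR_CSV = """employee_id,email,status,departure_date
101,alice@example.com,active,
102,bob@example.com,departed,2023-11-30
103,carol@example.com,active,
"""

# Constructed sample account export gathered from several SaaS tools (assumed columns).
ACCOUNTS_CSV = """tool,login,state,last_login
Salesforce,alice@example.com,active,2024-03-01
Salesforce,bob@example.com,active,2024-01-15
Mailchimp,bob@example.com,active,2023-12-20
Mailchimp,dave@example.com,active,2024-02-10
Tableau,carol@example.com,active,2024-03-02
Tableau,CAROL@example.com,active,2024-02-01
Tableau,,unassigned,
"""


def load(csv_text):
    """Parse a CSV export into a list of dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def reconcile(hr_rows, account_rows):
    """Match every SaaS account to an HR record and classify the mismatches."""
    hr = {row["email"].strip().lower(): row for row in hr_rows}
    findings = {"ghost": [], "unknown": [], "duplicate": [], "unassigned": []}
    seen = set()
    for acct in account_rows:
        tool, login = acct["tool"], acct["login"].strip().lower()
        if not login or acct["state"] == "unassigned":
            findings["unassigned"].append(tool)  # paid seat with nobody behind it
            continue
        key = (tool, login)
        if key in seen:
            findings["duplicate"].append(key)  # same person, same tool, twice
        seen.add(key)
        person = hr.get(login)
        if person is None:
            findings["unknown"].append(key)  # no HR record at all: investigate
        elif person["status"] == "departed" and acct["state"] == "active":
            findings["ghost"].append(key)  # left the company, account still open
    return findings


if __name__ == "__main__":
    for category, items in reconcile(load(HR_CSV), load(ACCOUNTS_CSV)).items():
        print(f"{category}: {items}")
```

Every "ghost" and "unknown" hit is an account to close or justify, and the "unassigned" count per tool is the immediate licence saving.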
3. Accommodate shadow IT
Any reluctance, or any ideological or technical obstacle, that you express to users will give them a reason not to inform you about the new tool they have discovered and will implement on their own.
Also, do not blame your employees; they did not intentionally want to harm the company, and do not criticize their software choices; they probably have their reasons.
To create a virtuous circle, educate them about the dangers of applications not being controlled by the IT department. For purchasing, simply look at the terms of the contract, renegotiate it if possible, and discuss it with those who implemented it to find common ground. A department may find an application that saves them a lot of time on certain tasks, and you can promote it to the rest of the company for a gain in productivity. This approach would be very rewarding for everyone. Your positive and understanding reaction will lead to a much better relationship the next time applications are acquired.
4. Engage in dialogue, exchange information, and build trust
Do not dismiss a user's software request. If they are requesting it, it is because they need it. If you have doubts, discuss its relevance to their work and other tools already in place to reach a consensus.
If you immediately reject software without discussion, it is highly likely that the user will implement it without any security and compliance controls.
It's simple, see for yourself:
A user: « Hello, I saw this software for managing my accounts, I think it's great. »
You: « There is already something in place, it's very good as it is (and if I had to take everything that is offered to me, I would not be able to cope…). »
Result: the user leaves hurt and you can be sure that next time he will take it without talking about it.
Alternative, you: « Interesting, what do you like about this software? Do you know that we have ….. at the moment? What's wrong? Can we see the pros and cons of both before making a choice? »
Result: you have valued and listened to his proposal, and you know what? What the user brings may even be a great solution!
Be attentive
Do you want to create a climate of trust? Organize regular meetings with managers and decision-makers to create a dialogue. You will be able to raise their awareness and explain the consequences of certain actions and your constraints. They, in turn, will be more understanding and inclined to an open exchange.
If, during these meetings, the various software requests are systematically given open consideration, then your employees will take a completely different approach.
This also applies to areas other than access accounts: security badges, company bank cards entrusted to employees, keys to premises, etc.
Are there solutions that would facilitate these 4 points? Yes and no.
Yes, there are solutions that allow a visualization of current active, suspended, and unassigned licenses. Yes, you can have feedback on an active account of a user who has left with identity and access management solutions like Youzer.
However, there is no solution to establish a relationship of trust and respect between employees and the IT department. It is up to you to create this space of trust.
How do you manage shadow IT in your company?
If you are interested in having simplified license management and feedback on anomalies, such as an active account of a departed user, I invite you to schedule your demo to see how, without any action on your part, all this information is available in your dashboard.