Shadow IT: The challenges of using unregulated software

Published: 07/2023
Shadow IT is a challenge for companies facing the unauthorized use of tools and software by business teams, requiring a balance between flexibility and security. To successfully manage it, it is necessary to understand the reasons that drive users to circumvent the regulations established by the IT department.

Summary

Shadow IT: when users go against the IT department. The reasons, consequences, and solutions to stem these ghost accounts.

Shadow IT, also known as ghost accounts, refers to the use of tools and software by business teams without prior authorization from the IT department. These IT resources have not been provided by the company and are therefore used unofficially, in the shadow of the IT department, which has no visibility into them.

In what context does shadow IT develop?

Shadow IT doesn't just happen in companies; there are reasons for it.

And no, your employees don't want to harm the company!

On the contrary, they want to benefit from new tools to work more efficiently.

Sometimes, the solutions offered by the company may be too rigid or not fully meet the expectations of users.

By searching for external solutions, users can find tools better suited to their needs. These tools are easy to set up, are often SaaS solutions, and are sometimes free or offered at a very attractive price with trial periods.

Users are used to downloading and testing personal applications on a daily basis, so it is relatively tempting to test professional tools for work in just a few minutes.

Therein lies the problem: the user will create accounts on several tools, entering and storing professional and confidential information without the IT department being informed. For example, a user wishing to store documents in the cloud and access them anywhere could create a OneDrive account.

Due to the proliferation of accounts created, security vulnerabilities appear.

But why not go directly to the IT department and go through the established internal processes?

Because it's long... Far too long. The steps that users have to take are restrictive.

When a user has an urgent need and cannot wait for traditional administrative procedures, creating an account outside of established processes becomes appealing.

In addition, it sometimes happens that officially formulated requests are refused after a superficial analysis by the IT department.

It is in this climate that users may violate the rules.

Why do user practices go against the rules established by the IT department?

It seems that users and the IT department are struggling to find common ground and respect the established rules.

  • The IT department cannot track which accounts have been created and on which devices.
  • Users do not dare or do not want to communicate their needs to the IT department.

But what prevents good cohesion between the user and the IT department? Can't they live together hand in hand in harmony? 🙁

If the IT department is not sufficiently flexible and open to suggestions, users are tempted to bypass the rules to choose tools that suit them best without being constantly monitored. Some professions require a minimum of confidentiality; for example, in accounting, employees or managers do not necessarily want the IT department to be aware of information that does not concern them.

They may feel patronized if they feel that the IT department is trying to control and restrict their actions.

These user actions are dangerous for the company's security. By circumventing the rules established by the IT department, a user could, for example, create orphaned accounts undetectable to the IT department, or a manager could purchase licenses and not use the ones that are provided by default.

But that's not all.

Users are not always aware that there are regulations related to the use of tools or technologies within the company. If the IT department does not communicate clearly and effectively about the regulations and does not provide adequate training, users may become lost and unknowingly adopt non-compliant practices.

A user should know what they can and cannot do. Can they send professional emails? Store data on their USB drive? Use cloud services?

These grey areas need to be clarified through discussions between users and the IT department.

Finally, if the regulations established by the IT department are too restrictive and unsuitable for the user, particularly due to overly lengthy processes, users will be incentivized to engage in Shadow IT.

The factors that have increased shadow IT in recent years

Shadow IT should not be seen as occurring in companies solely due to users and IT departments. External factors also have a significant impact.

Firstly, the rise of SaaS solutions and the Cloud has played a major role in the increase of Shadow IT. Thanks to innovative and varied offerings, SaaS is very accessible with attractive prices for both personal and professional use. The advantages of SaaS solutions lie in their rapid deployment and availability on all types of devices, whether it is a computer, a tablet or a telephone.

Next, with the development of telecommuting, users often find themselves mixing their professional and personal tools and devices. For example, they may use their work computer for personal tasks or vice versa.

The lack of supervision and precision regarding the rules to be followed during teleworking gives users a certain flexibility and freedom to test unregulated tools on their devices.

Humans create shadow IT in their practices, but connected devices that appear harmless can also create it! This is called shadow IoT.

These devices, which seem harmless at first glance, are a boon for hackers looking to enter the company's network. Whether it's a simple coffee machine, a connected speaker, or office equipment such as a printer or photocopier, they are often deployed without the security controls that company standards require, and are configured with logins and passwords that are easy to guess.

A cyberattack occurred on a casino that experienced a major security flaw due to Shadow IoT. As explained by Le Figaro in its article, this establishment was hacked because of a connected thermometer in an aquarium. The hackers used it to enter the network and then access the database.

Both Shadow IT and Shadow IoT present challenges for the IT department in terms of management, security, and compliance.

Control Shadow IT

Shadow IT is only increasing in companies, and its total elimination is not feasible. So yes, we can bury our heads in the sand, but that's not the solution.

Shadow IT needs to be controlled in order to:

1. Avoid security breaches

The unauthorized use of unsecured software, applications and services can lead to potential security breaches within the company.

This practice creates openings in the information system that the IT department neither controls nor knows about, which can lead to cyberattacks.

2. Improve visibility for the company

As Shadow IT expands, it becomes difficult for the IT department to maintain control and have a complete overview of the technologies used by employees.

The difficulty in performing audits and knowing who has which licenses further exacerbates this problem. Without visibility into user accounts, the IT department is unable to effectively control license usage and take steps to optimize their use.

3. Manage access rights

Shadow IT can lead to inefficient access rights management. Employees using unapproved solutions may be granted excessive or inappropriate permissions, increasing the risk of data leaks or breaches of information confidentiality.

To control Shadow IT, there are several solutions.

1. List software, accounts, and users in an IAM solution.

Implementing an identity and access management solution enables:

  • Control user privileges: by granting rights and privileges consistent with the user's functions.
  • Manage orphaned accounts: when an account is active but not linked to a user.
  • Detect duplicates: when an error occurs during account creation and another account is created without deleting the old one, which is still active.
  • Manage system accounts: accounts created by system administrators.
  • Manage shared accounts: when multiple users use the same account on a tool.

IAM will not erase Shadow IT; that would be too simple. However, an identity and access management solution makes it possible to clean up the information system (delete orphaned accounts, duplicates, etc.) by bringing system accounts and user accounts under control.
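The account classes listed above (orphaned, duplicate, shared, system, and over-privileged accounts) are all things an IAM tool finds by reconciling the accounts exported from each application against the HR directory. The script below is an added illustration of that reconciliation, written for this page; it is not code from the article or from any IAM product. The HR directory, the account inventory, and the role-to-admin policy are constructed sample data, and the field names (`owner`, `kind`, `privilege`, `users`) are assumptions about what a tool's export might contain.

```python
from collections import defaultdict

# Constructed HR directory: the source of truth for who works here and in what role.
HR_DIRECTORY = {
    "alice@example.com": {"role": "accounting", "active": True},
    "bob@example.com": {"role": "sales", "active": True},
    "carol@example.com": {"role": "sales", "active": False},  # has left the company
}

# Constructed policy (an assumption): which job roles may hold admin on each tool.
ADMIN_ALLOWED_ROLES = {
    "crm": {"sales"},
    "filesync": set(),  # no business role should be admin here
}

# Constructed account inventory, as if exported from each tool.
# "owner" is the HR identity the account is linked to (None when unknown);
# "users" lists the people known to log in with the same credentials.
ACCOUNT_INVENTORY = [
    {"tool": "crm", "login": "alice@example.com", "owner": "alice@example.com",
     "kind": "user", "privilege": "admin", "users": []},
    {"tool": "crm", "login": "a.martin@example.com", "owner": "alice@example.com",
     "kind": "user", "privilege": "user", "users": []},  # second account, same person
    {"tool": "crm", "login": "carol@example.com", "owner": "carol@example.com",
     "kind": "user", "privilege": "user", "users": []},  # owner no longer active
    {"tool": "filesync", "login": "sales-team", "owner": None,
     "kind": "user", "privilege": "user",
     "users": ["bob@example.com", "dave@example.com"]},  # shared credentials
    {"tool": "filesync", "login": "svc-backup", "owner": None,
     "kind": "system", "privilege": "admin", "users": []},
    {"tool": "filesync", "login": "dave@example.com", "owner": "dave@example.com",
     "kind": "user", "privilege": "user", "users": []},  # no HR record at all
]


def reconcile(hr, inventory, admin_allowed):
    """Classify every account in the inventory against the HR directory.

    Returns a dict of finding lists keyed by category. Each finding is a
    (tool, login) tuple, except duplicates, which are (tool, owner, [logins]).
    """
    findings = {"orphaned": [], "duplicates": [], "shared": [],
                "system": [], "excessive_privilege": []}
    logins_per_owner = defaultdict(list)  # (tool, owner) -> logins

    for acct in inventory:
        key = (acct["tool"], acct["login"])

        # System accounts are tracked separately: they have no human owner by design.
        if acct["kind"] == "system":
            findings["system"].append(key)
            continue

        # More than one person behind one login: a shared account.
        if len(acct["users"]) > 1:
            findings["shared"].append(key)
            continue

        # An account whose owner is unknown to HR, or has left, is orphaned.
        person = hr.get(acct["owner"])
        if person is None or not person["active"]:
            findings["orphaned"].append(key)
            continue

        logins_per_owner[(acct["tool"], acct["owner"])].append(acct["login"])

        # Admin privilege on a tool where the owner's role does not warrant it.
        if (acct["privilege"] == "admin"
                and person["role"] not in admin_allowed.get(acct["tool"], set())):
            findings["excessive_privilege"].append(key)

    # Two or more live accounts for the same person on the same tool are duplicates.
    for (tool, owner), logins in logins_per_owner.items():
        if len(logins) > 1:
            findings["duplicates"].append((tool, owner, sorted(logins)))

    return findings


if __name__ == "__main__":
    for category, items in reconcile(HR_DIRECTORY, ACCOUNT_INVENTORY,
                                     ADMIN_ALLOWED_ROLES).items():
        print(f"{category}: {items}")
```

The order of the checks matters: a shared or system account is deliberately not tested for orphaning, because it has no single owner to compare against, and it should be handled by its own process (assigning a responsible person, or rotating the credential) rather than deleted as if it were a leftover.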

2. Establishing a constructive dialogue between the IT department and users remains the most important step in slowing down Shadow IT.

To improve communication, you can:

  • Organize training sessions: presentation of best practices regarding the use of the company's IT tools.
  • Build mutual understanding: the IT department must listen carefully to the needs of employees to best meet them and, why not, adopt innovative and effective solutions. Users must also be more understanding of the dangers caused by their practices, more sensitive to the company's security, and more respectful of the IT department's decisions.
  • Communicate both ways: the IT department must communicate clearly and transparently about policies, the reasons for restrictions, and available alternative solutions. Employees can express their needs, while the IT department can provide information to guide them toward approved solutions.
  • Hold quarterly meetings with departments: these meetings allow us to keep current solutions up to date and evaluate them, and to have regular monitoring of technological needs.

Conclusion

The development of shadow IT in companies is often the result of a lack of flexibility in the internal solutions offered by the IT department, restrictive administrative procedures, and frequent rejection of requests without in-depth analysis.

We can't get rid of it, nor pretend it doesn't exist.

It is important to strike a balance between user satisfaction and company security, by promoting a collaborative approach to reduce reliance on Shadow IT while meeting employee expectations for efficiency and technological innovation.
