If you are a loyal follower of this blog and are reading this when it is hot-off-the-presses, the weekend is upon us -- and one thing that means, is that a whole bunch of Shadow IT is about to be born. We've covered Shadow IT before on this blog, but today's post is different. It's about -- specifically -- why weekends are an extremely common time for Shadow IT to expand.
First, let's establish that most Shadow IT gets its start from well-meaning employees. It's almost never devious or malicious. It's almost always an employee who is in a pinch to get through some important job responsibility and feels that a particular tool would help them achieve it faster or better. And in this day and age, many of those tools are webapps with free trials or free-tier service levels. So, when a well-meaning employee genuinely trying to do their job better creates an account on a site that the company doesn't have any relationship with, it's usually an innocent attempt to achieve something on behalf of the company. But it's still Shadow IT.
As a brief reminder, part of where Shadow IT goes wrong is when credential stuffing attacks turn a breach of some third-party webapp's credentials into account breaches on more crucial or sensitive systems, because the same password was reused. It also goes wrong when employees unexpectedly leave the company and the 'new guy/gal' has to figure out which webapp the prior employee used for some particular business function. There are other ways that Shadow IT causes trouble, but those are the two examples that are top-of-mind for most cybersecurity professionals dealing with Shadow IT.
So, what does the weekend have to do with Shadow IT? Anything at all?
We've established that most employees that end up initiating Shadow IT aren't doing it to be devious. They are doing it for legitimate business motivations. So, when those same employees find themselves popping into their work obligations over the weekend and are in a pinch to solve some particular challenge, what are the chances that they'll interrupt their manager on a Saturday night to ask permission to create a particular web account on some previously-unknown service provider's platform? We'll answer that for you: the chances are ZERO. Or, so close to ZERO that it rounds to ZERO.
No rational employee wants to interrupt their manager's weekend to ask for permission to use a free-tier third-party webapp. Employees simply proceed and assume that they'll ask for forgiveness later, if it ever becomes a problem.
At Havoc Shield, we're realists. We're not expecting Shadow IT to stop in its tracks. We know that it's a reality of life in companies these days. But there is a reasonable compromise to be had.
Savvy companies implement business-grade password managers (every Havoc Shield account comes with a Keeper Security license), and helping employees understand the convenience and safety of a business-grade password manager is a huge step towards getting a handle on Shadow IT. How so? The mere process of storing the credentials to every account in a sophisticated password manager is the pathway towards making sure that there is institutional knowledge about which applications the company relies on. For example, a vault transfer from a departing employee to an IT manager or to the employee's replacement hands over the credentials to the important systems (even the Shadow IT ones) that the former employee relied on.
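To make the two points above concrete (the credential-reuse risk behind credential stuffing, and the vault as an inventory of the apps a departing employee relied on), here is an added example in Python. It is not Havoc Shield's or Keeper Security's code and does not use any real product's export format or API: it assumes a hypothetical CSV vault export with `title,url,username,password` columns, a constructed allow-list of approved company domains, and models a vault transfer as moving entries from one list to another.

```python
import csv
import hashlib
import io
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample: a CSV export of a departing employee's vault (hypothetical
# data and format, not a real product's export).
VAULT_EXPORT = """title,url,username,password
Payroll Portal,https://payroll.example-corp.com/login,alice,Corr3ct-Horse!
Diagram Tool,https://app.diagram-saas.example/signin,alice@example-corp.com,Corr3ct-Horse!
Survey Builder,https://free.survey-widget.example/,alice@example-corp.com,Zq8#mL2vP9wQ
Corp Email,https://mail.example-corp.com/,alice@example-corp.com,Tr0ub4dor&3
"""

# Constructed allow-list: domains the company has a formal relationship with.
APPROVED_DOMAINS = {"example-corp.com"}


def parse_vault(export_text):
    """Turn a CSV vault export into a list of entry dicts."""
    return list(csv.DictReader(io.StringIO(export_text)))


def registered_domain(url):
    """Reduce a URL to its last two host labels.
    Assumption: no multi-label public suffixes such as co.uk in the data."""
    host = urlparse(url).hostname or ""
    return ".".join(host.split(".")[-2:])


def find_shadow_it(entries, approved=APPROVED_DOMAINS):
    """Titles of entries whose domain is not on the approved list.
    This is the Shadow IT inventory the vault gives you for free."""
    return [e["title"] for e in entries
            if registered_domain(e["url"]) not in approved]


def find_reused_passwords(entries):
    """Group entries that share a password; each group is a credential-stuffing
    pivot, since a breach of one site exposes the others. Passwords are
    fingerprinted with SHA-256 so the report never carries plaintext."""
    groups = defaultdict(list)
    for e in entries:
        fp = hashlib.sha256(e["password"].encode()).hexdigest()[:12]
        groups[fp].append(e["title"])
    return {fp: titles for fp, titles in groups.items() if len(titles) > 1}


def transfer_entries(source, destination, titles):
    """Move the named entries from a departing employee's vault to a successor's.
    Returns (remaining_source, updated_destination). This models a vault
    transfer; it is not a real password manager's API."""
    moving = [e for e in source if e["title"] in titles]
    remaining = [e for e in source if e["title"] not in titles]
    return remaining, destination + moving


if __name__ == "__main__":
    vault = parse_vault(VAULT_EXPORT)
    shadow = find_shadow_it(vault)
    print("Shadow IT accounts:", shadow)
    for fp, titles in find_reused_passwords(vault).items():
        print(f"Password fingerprint {fp} reused across: {titles}")
    alice_left, manager = transfer_entries(vault, [], shadow)
    print("Transferred to manager:", [e["title"] for e in manager])
```

Run as-is, the script reports the two unapproved services, flags that the payroll portal shares a password with one of them (exactly the reuse that lets a third-party breach reach a sensitive system), and hands those Shadow IT entries over to the manager's vault. In a real rollout the export would come from the password manager's own export or reporting feature, and the allow-list from the company's vendor inventory.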
There is much more that can be done to tame the beast of Shadow IT, but a business-grade password manager is a huge head start. We'll write more about other best practices in upcoming posts.