How Shadow IT could put your organization at risk

Employees who create external accounts but use them internally pose a risk to your security, says password manager company 1Password.

How Shadow IT could put your organization at risk

The IT professionals at your organization likely put a lot of effort into making sure your internal accounts, logins, passwords, and systems are secure and protected. 

But what happens when an employee creates an external account without the knowledge of IT? That's known as Shadow IT, and a blog post published Thursday by 1Password explains why it presents a security risk.

SEE: Password Policy (TechRepublic Premium) 

The best way to illustrate Shadow IT is to paint a picture of it. Let's say a fellow employee wants to use a certain external service internally. Maybe that person wants to use Amazon to purchase products for the department, Uber to set up rides for people, Grammarly to check internal documents for errors, or Constant Contact to build email campaigns. The employee creates his or her own account with the external service, perhaps using a weak or insecure password.

Now, that employee starts sharing internal documents and information with the external service. If one of these services suffers a data breach or password leak, that puts the employee and potentially your organization at risk by exposing otherwise confidential data. And all this happens without the knowledge or management of your IT and security people.

In a survey of more than 2,100 adults in the US who work in an office with an IT staff and use a computer, 1Password found that 63% of respondents created at least one account in the past 12 months without the knowledge of IT. Further, 52% of those who did so created between two and five accounts, while 16% created more than five such accounts.


Image: 1Password

Shadow IT accounts pose other problems, according to the survey results. Some 37% of respondents said they shared an external account with a colleague. But it's the method of sharing the login information that could be risky. Almost 40% said they shared the account with a fellow employee via email, while 17% said they shared it through instant messaging.

But if the information isn't shared, and the employee with the Shadow IT account leaves the company, then other people can find themselves locked out of the account. Further, that employee likely will still have access to the account, and such information could even find its way into the hands of a competitor.

Employees who create Shadow IT accounts don't necessarily devise secure and different passwords for each site. Some 33% of the respondents said they reuse memorable passwords, while 48% said they use a pattern of similar passwords across the board. Fewer than 3% said they use a unique password for each site.

Banning Shadow IT altogether is one solution to this problem. But this measure would slow down employee productivity and innovation as it would require every person to get approval from IT before creating an external account.

One other solution naturally recommended by 1Password is to use a password manager. Many password managers now offer business level plans through which password policies can be centrally managed. And there are a variety of password managers to consider.

Besides 1Password, other effective programs are LastPass, Dashlane, RoboForm, and Keeper Password Manager. Though password managers aren't perfect, they're a viable solution until more effective biometric authentication methods become universal.

Also see

Press enter button on the computer. Key lock security system abstract technology world digital link cyber security on hi tech Dark blue background, Enter password to log in. lock finger Keyboard

Image: Getty Images/iStockphoto

By Lance Whitney

Lance Whitney is a freelance technology writer and trainer and a former IT professional. He's written for Time, CNET, PCMag, and several other publications. He's the author of two tech books--one on Windows and another on LinkedIn.