Revenge of operational staff against IT management.
We are currently seeing rapid growth in the use of cloud software (SaaS) such as GSuite, Office 365, Teams, Slack, etc. And it is not about to stop, as online software is becoming powerful, intelligent and frighteningly easy to access.
And it is this last point that poses a problem: ease of access. Any employee, department head or manager can subscribe to an online software offer without informing the IT department.
Let's take a concrete example: a company's sales director has heard about Salesforce. He does not necessarily see the point of discussing it with the IT department because:
- “I don’t want them sticking their noses into my sales figures.”
- “If it’s to get in the way of compliance, don’t bother!”
- “What is the relationship between IT management and my business tool?”
But this sales director wants to get Salesforce up and running, so he subscribes and creates accounts for his entire team. If the IT department is informed, it will propose implementing SSO (Single Sign-On) to simplify access for users and to try to “integrate” Salesforce into the IT perimeter. This is exactly what the sales director wants to avoid in order to keep his independence: for once he can set up and manage his software on his own, without being held back by the IT team's lack of responsiveness.
To help with this, here are 4 key measures to rebalance your relationship with users and thus rein in shadow IT.
Let's go for shadow IT!
What is shadow IT? It is the deployment of applications or software by employees without going through the IT department. This creates a software no-man's land, and thus an opening for cyber attacks.
“The worm is in the apple”
That's it: an external tool has entered the company, outside the control of the IT department and managed entirely by operational staff.
Salesforce is a good example, but there are many others, such as tools used by the marketing department (Buffer, Mailchimp…) or the finance department (Chart.io, Tableau…).
So what is the problem? There is none, as long as the users are still part of the company and their managers manage access rights correctly.
It is employee turnover that creates a gaping security hole: users who leave leave behind a myriad of open accounts on business tools.
Of course, the IT department's processes for closing accounts on core systems are fairly well established: Active Directory accounts, email accounts and instant messaging accounts are properly closed. But there remain those dozens of accounts, spread over dozens of tools, that stay open for months or even years after the employees they belonged to have left.
For the IT department, another aspect comes into play, less about security and more about cost: uncontrolled software expenses.
Indeed, what did the sales director negotiate? Is he aware of what is at stake in license compliance? Will he keep his licenses up to date? And above all, what has he committed the company to?
All this weighs in the balance when we know that license and software expenses represent 30 to 40% of IT costs.
It is not uncommon for an employee to leave while his license continues to be billed, until a financial controller or an “account review” reveals the unnecessary expense.
Software that the IT department has never listed
“The Long Tail”
It is this long tail that is difficult for the IT department to manage: 20% of the tools account for 80% of the accounts, and the remaining 20% of accounts are spread across the other 80% of tools, in different departments.
However, this long tail represents an increasingly serious danger to IT security. A former employee who still has access to Salesforce has access to the up-to-date database of prospects, with plenty of qualified information, and can use it for the benefit of his current employer (probably a competitor of his former company).
A former marketing trainee who still has access to Mailchimp (an emailing tool) can send a mailing to the 10,000 subscribers of your newsletter with whatever message he wants. If he left on bad terms, I leave you to imagine what he might do.
In the same way, a former colleague who still has access to the company website's CMS can modify your pages unobtrusively (changing links, adding deep pages…), degrading your search engine ranking, diverting traffic or damaging your brand.
How do you protect yourself from shadow IT?
The best method rests on 4 points:
1. Make an inventory of software and accounts
Establish a list of the software in use (and keep it up to date). For each piece of software, list the accounts, and at an appropriate frequency, list the users who hold them. There are solutions, such as Youzer, that give a global view of the tools in place in the company and automate the allocation of licenses.
It can also be useful to use network analysis tools or “sniffers” (such as Kismet or Wireshark) to spot traffic to software the IT department does not know about; at company scale, DNS, proxy and firewall logs give the same picture with less effort.
2. Reconcile accounts and users
The essential point is to reconcile the different accounts and users against recent HR data (in accounting this is called lettering, or matching). This identifies users who have left but still have an active account.
This will also significantly reduce your software and application expenses. You will spot duplicate accounts, licenses that can be reassigned to a new user, poorly negotiated contracts, and even applications with overlapping functionality.
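Points 1 and 2 together describe a procedure: export the account list from each tool, normalize it, match it against the HR roster and flag what does not match. The script below is an added example of that reconciliation, not code from the article or from any vendor named in it. The HR roster, the per-tool exports and the seat prices are constructed for the demonstration; the assumption that HR exports an empty end date for current staff, and a future end date for someone serving a notice period, is mine.

```python
"""Reconcile SaaS account exports against the HR roster (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date

# Date the reconciliation is run (constructed).
REPORT_DATE = date(2024, 1, 1)

# Constructed HR extract: everyone who has ever been on payroll.
# Assumption: end_date is None while the person is still employed; a future
# end_date means the person is on notice and must keep access until then.
HR_ROSTER = [
    {"email": "alice.martin@example.com", "end_date": None},
    {"email": "bob.durand@example.com", "end_date": date(2023, 3, 31)},
    {"email": "chloe.petit@example.com", "end_date": None},
    {"email": "david.roux@example.com", "end_date": date(2022, 11, 15)},
    {"email": "emma.blanc@example.com", "end_date": date(2024, 2, 29)},
]

# Constructed per-tool exports, as an admin-console CSV would give them,
# with an assumed monthly price per seat. Note the mixed-case address:
# tools rarely normalize what the manager typed when creating the account.
SAAS_EXPORTS = {
    "Salesforce": {"seat_price": 75.0, "accounts": [
        "Alice.Martin@example.com", "bob.durand@example.com", "david.roux@example.com"]},
    "Mailchimp": {"seat_price": 20.0, "accounts": [
        "chloe.petit@example.com", "bob.durand@example.com", "intern.marketing@example.com"]},
    "Tableau": {"seat_price": 70.0, "accounts": [
        "alice.martin@example.com", "chloe.petit@example.com", "emma.blanc@example.com"]},
}


@dataclass(frozen=True)
class Finding:
    tool: str
    account: str
    reason: str          # "left_company" or "not_in_hr"
    monthly_cost: float


def normalize(email: str) -> str:
    """Email addresses are matched case-insensitively and without stray whitespace."""
    return email.strip().lower()


def reconcile(roster, exports, today):
    """Return one Finding per account whose owner has left or is unknown to HR.

    An account held by someone with no HR record at all (a shared mailbox,
    a contractor, an alias) is flagged separately: it is not necessarily
    wrong, but nobody's departure will ever trigger its closure.
    """
    end_dates = {normalize(p["email"]): p["end_date"] for p in roster}
    findings = []
    for tool, data in exports.items():
        for raw in data["accounts"]:
            email = normalize(raw)
            if email not in end_dates:
                findings.append(Finding(tool, email, "not_in_hr", data["seat_price"]))
            elif end_dates[email] is not None and end_dates[email] <= today:
                findings.append(Finding(tool, email, "left_company", data["seat_price"]))
    return findings


def monthly_waste(findings):
    """Seats still billed for people who should no longer have them."""
    return round(sum(f.monthly_cost for f in findings), 2)


def reassignable_seats(findings):
    """Per tool, how many seats can be given to a newcomer instead of bought."""
    counts = {}
    for f in findings:
        counts[f.tool] = counts.get(f.tool, 0) + 1
    return counts


if __name__ == "__main__":
    results = reconcile(HR_ROSTER, SAAS_EXPORTS, REPORT_DATE)
    for f in sorted(results, key=lambda f: (f.tool, f.account)):
        print(f"{f.tool:<11} {f.account:<32} {f.reason:<13} {f.monthly_cost:>6.2f}/month")
    print("reassignable seats:", reassignable_seats(results))
    print("monthly waste:", monthly_waste(results))
```

Two details matter in practice. Matching on a normalized email rather than the raw export string is what makes the account "Alice.Martin@example.com" line up with HR; without it she would be reported as unknown and the real leavers would be lost in the noise. And comparing the end date to the report date, rather than testing whether an end date exists, keeps someone on notice from being cut off early, which is the kind of false positive that makes managers distrust the whole exercise.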
3. Welcome shadow IT
Any reticence, or any ideological or technical objection you express to users, will be one more reason for them not to tell you about the new tool they have discovered and are going to deploy on their own.
Don't blame your colleagues either; they did not set out to harm the company. And don't criticize their software choices: they probably have their reasons.
To create a virtuous circle, make them aware of the dangers of applications the IT department does not control. As for the purchase, simply look at the terms of the contract, renegotiate it if possible and discuss it with those who set it up to find common ground. A department may have found an application that saves it a lot of time on certain tasks, and you can promote it to the rest of the company for a gain in productivity. This approach is rewarding for everyone, and your positive and understanding reaction will lead to a much better relationship the next time an application is acquired.
4. Dialogue, exchange and build trust
Don't shut down when a user requests software from you. If he asks, he needs it. If you have doubts, discuss with him how it helps his work and which tools already in place could do the job, to reach a consensus.
If you reject a piece of software without discussion from the start, there is a very good chance that the user will deploy it without any security or compliance checks.
Do you want to create a climate of trust? Organize regular meetings with managers and decision-makers to create a dialogue. You will be able to raise their awareness and explain the consequences of certain actions and your constraints. They in turn will be more understanding and inclined to an open exchange.
If these meetings systematically include an open review of the various software requests, your employees will approach things very differently.
This also applies to areas other than access accounts: security badges, company bank cards entrusted to employees, keys to the premises, etc.
How do you manage shadow IT in your company?