63% of enterprise professionals have created at least one account without their IT department being aware of it, and two-thirds of those have created two or more, the results of a recent 1Password survey have revealed.
Even more worryingly, only 2.6% of these 63% use a unique password when they create a new shadow IT account at work and just 13% use a password generator – the rest re-use a memorable password or use a pattern of similar passwords.
The danger of shadow IT and weak passwords
As we wait for a more authentication secure solution to find its way into mainstream usage and achieve widespread acceptance, we have to find a way to minimize the risks that come with password use.
For enterprises, one of the risks is tied to shadow IT: the IT systems/solutions used by its employees without their use being authorized and supported by the IT department.
“Say Carlos [in marketing] populates Airtable with customer data for his email campaigns, and Anita [in legal] checks sensitive legal documents in Grammarly. Without thinking about it, they’re sharing a lot of important data with external companies that IT doesn’t even know about,” 1Password CEO Jeff Shiner explained.
“If one of these services suffers a breach, the company won’t know it affects them, which leaves them powerless to secure their data after the event. It also means they’ll be unable to disclose it to their customers. This could leave any company facing costly fines and a huge loss of trust in its operations.”
Individual accounts could also be compromised by attackers if they are secured by weak an/or re-used passwords or it the employee shared the password with a colleague in an insecure manner – as most who have did:
Finally, former employees might retain access to their shadow IT accounts and their contents after they leave the organization.
“At worst, this company data could be shared with a competitor; at best, it’s left dormant and hidden, but it still puts the company at risk if the service is breached,” Shiner noted.
The pragmatic solution to the shadow IT problem is not banning it, but finding a way to bring it all back under the IT department’s control, he believes.
Promoting and encouraging the use of a password manager for creating strong, unique passwords for all accounts, storing them and sharing them securely can help with the unseen password problem.