This is the third in a series of four posts about shadow IT, including how and why teams use unapproved apps and devices, and approaches for securely managing it. For a complete overview of the topics discussed in this series, download Managing the unmanageable: How shadow IT exists across every team – and how to wrangle it.
Until recently, companies have been able to exert pretty comprehensive control over security and how people work – in an office, at a desk, with a desktop computer, and using company-provided software and servers.
But the days of protecting clearly defined perimeters from the threat of cyber attacks with strong network security and unforgiving firewalls are, for most companies, gone.
Today, thanks to hybrid work, the situation can be very different. Many companies have limited insight into where or how their employees are working. In the park? On a mobile device? Laptop? Using any number of apps and tools? Cybercriminals are taking advantage of the confusion.
This reduced control makes it imperative for information technology (IT) and IT security teams to understand where and why employees are using shadow IT, so they can find ways to protect employees from security threats no matter how or where they work.
Tracking employees’ shadow IT desire paths
Employees typically use shadow IT to be more productive. A great analogy for shadow IT is something called the “desire path” – a term landscape architects use to describe the shortcut footpaths pedestrians carve into public spaces that get them from point A to point B faster than “official” or paved walkways. (You’ve seen them. They’re the dirt paths that cut the corner on the way to the train station or shorten the walk from the parking lot to the playground, through the flower bed.)
Security solutions should secure that desire path. This means understanding departments’ responsibilities and workflows, and where employees may be using shadow IT to help them in their jobs. Don’t expect the paths to look the same, department to department. Shadow IT shows up differently across teams because it’s used to support distinct business operations, roles, and responsibilities.
IT and cybersecurity teams need to operate a bit like detectives to discover employees’ desire paths. You might be surprised to find shadow IT desire paths crisscrossing every department in your company.
Trying to stop the use of shadow IT and forcing employees to stick to the “official path” of company-approved tools isn’t a particularly effective strategy. The most realistic and effective shadow IT security strategy is to secure the desire path for each individual employee, so they can use shadow IT securely.
In other words, to protect against the risk of security breaches, embrace shadow IT – and secure it.
Shadow IT on the finance team
The finance team is typically high on the security team’s list because it literally has the keys to the bank. The finance team handles critical financial data such as the company’s banking credentials, and sensitive information like audit reports and financial reporting.
Sometimes finance employees need to share sensitive documents with external partners like investors, board members, or auditors. And if they do that through insecure channels like email or SMS, it could open the door to unauthorized access.
Typical finance team workflows and responsibilities include:
- Leading financial planning and management, forecasting, and risk management and mitigation
- Optimizing budgets
- Identifying cost-saving opportunities across the company
- Working with the audit committee
- Sharing financial reporting
- Ensuring adherence to compliance standards
With these finance team workflows in mind, where might shadow IT be lurking? Some typical information security vulnerabilities to investigate include:
- Services used often that aren’t supported by SSO, such as bank accounts
- Unencrypted emails or messaging applications used to share data with internal and external teams
Shadow IT on the HR team
The human resources (HR) team handles confidential employee information every day in its efforts to hire, develop, and retain talent for the company. HR also ensures the company is compliant with benefits administration and labor laws. In addition, they focus on creating and implementing employee management strategies, managing training and development programs, and fostering a positive workplace culture.
Typical HR team workflows and responsibilities include:
- Sharing sensitive information about employees with internal and external teams
- Managing the employee lifecycle, including a critical role in onboarding and offboarding
- Using and sharing credentials for recruiting/hiring platforms and employee background-check services
Based on these workflows, here are some areas where you may find vulnerabilities due to shadow IT lurking in HR:
- Storage of sensitive employee data, including personally identifiable information (PII)
- Recruiting/hiring platforms or apps
- Employee benefit vendor platforms
- Unencrypted emails sharing confidential data with external vendors or consultants
Shadow IT on the marketing team
The marketing team handles more sensitive data and information than you might expect. This might include campaign spending and reporting data, as well as customer information.
They also are on the front lines of social media and may be using multiple platforms or apps for customer support or top-of-funnel customer acquisition. As the guardians of your company’s brand reputation, it’s critical that marketing’s accounts aren’t compromised.
Typical marketing team workflows and responsibilities include:
- Working with cross-functional teams to generate leads
- Reporting campaign details, such as budget and ROI
- Working with external agencies or freelancers, with whom they often need to share credentials
- Generating and posting marketing and thought-leadership content
Knowing marketing’s responsibilities, it can be useful to check the following for information security risks and shadow IT use:
- Services used often that aren’t supported by SSO or don’t support multiple accounts or logins, such as social media platforms
- Unencrypted emails or messaging apps to share data or credentials across internal and external teams
- Apps for customer relationship management, project management, email marketing, and website analytics, many of which may not be covered by SSO
Securing shadow IT vulnerabilities at the employee level
Once you’ve identified the shadow IT desire paths for each team, then what? In terms of security measures or security tools, it’s most important for security professionals to secure credential sharing, and to standardize and secure access to apps and tools.
You can secure authentication, password management, and credential sharing using an enterprise password manager (EPM), which provides teams with a centralized solution to use, access, and share sensitive company data. It’s important that the EPM provides role-based access controls to ensure that users adhere to your company’s cybersecurity policies to defend against data breaches, cyberattacks like ransomware, and social engineering attacks like phishing.
EPMs can help you make the easy way to work the secure way to work. For example, EPMs can autofill time-based one-time passwords (TOTP) in addition to standard passwords. That enables security teams to require multi-factor authentication for providers that offer it, while at the same time streamlining the sign-in flow, rather than adding friction to it.
To learn more about shadow IT and how to secure it to reduce risk of security incidents, stay tuned. Now that we’ve covered what to look for in teams like HR, finance, and marketing, next we’ll discuss the unique needs of developers.