I just saw the following article in one of my newsletters.
Heise Security, 10 Feb 2020:

63% of enterprise professionals have created at least one account without their IT department being aware of it, and two-thirds of those have created two or more, the results of a recent 1Password survey have revealed. Even more worryingly, only 2.6% of these 63% use a unique password when they create a new shadow IT account at work and just 13% use a password generator; the rest re-use a memorable password or use a pattern of similar passwords.

“Say Carlos [in marketing] populates Airtable with customer data for his email campaigns, and Anita [in legal] checks sensitive legal documents in Grammarly. Without thinking about it, they’re sharing a lot of important data with external companies that IT doesn’t even know about,” 1Password CEO Jeff Shiner explained. “If one of these services suffers a breach, the company won’t know it affects them, which leaves them powerless to secure their data after the event. It also means they’ll be unable to disclose it to their customers. This could leave any company facing costly fines and a huge loss of trust in its operations.”

Former employees might retain access to their shadow IT accounts and their contents after they leave the organization. “At worst, this company data could be shared with a competitor; at best, it’s left dormant and hidden, but it still puts the company at risk if the service is breached,” Shiner noted.

Promoting and encouraging the use of a password manager for creating strong, unique passwords for all accounts, storing them and sharing them securely can help with the unseen password problem.