
Shadow IT Risks Rise as GenAI Tools Gain Popularity with Employees

Presented by Dashlane


Businesses have always faced the risk of data breaches, but today the threat has expanded to many levels, in part due to the rise of generative AI tools. Gartner recently found that the number of SaaS applications used per employee has doubled since 2019, and that a good portion of these applications are AI tools that employees use without IT oversight.

Unmanaged applications are not protected by controls such as single sign-on (SSO) or multi-factor authentication (MFA). There is therefore no visibility into whether these applications, which potentially contain sensitive data, are accessed with secure credentials, or into what type of data or intellectual property is disclosed across the open Internet through ChatGPT, Gemini and other tools.

“The explosion of SaaS applications in the cloud has created many gray areas for IT,” said Fred Rivain, CTO of Dashlane. “The effectiveness of username and password security depends largely on user participation, but today that is not enough. It’s not enough to have the classic password manager, or just MFA or single sign-on. You need all of this, and you also need to improve your credential hygiene across the organization.”

The challenges of SSO, MFA and securing credentials

Of course, IT managers can control what they know, which is all their critical systems, and deploy SSO and MFA on top. But the challenge today lies not only in shadow IT, but also in the large number of tools that are not compatible with SSO. There’s also what security professionals call the “SSO tax,” or the fees vendors charge to add SSO integration. Identifying which tools need to be secure and adding SSO integration becomes a costly operation, both in time and money.

Many businesses forgo these costs, which is understandable when faced with an average of 53 credentials not automatically covered by SSO (and it’s highly likely that many of those passwords are duplicates), and when taking inventory of applications across the organization is a major undertaking requiring buy-in from the C-suite. Meanwhile, small and medium-sized businesses are completely left out because they simply don’t have the resources to finance SSO integration.

Businesses of all sizes typically turn to individual, manual passwords because the initial adoption cost is much lower. Unfortunately, there are also significant hidden administrative costs, as well as profound security posture implications, because each of these credentials is a point of risk, and many of these risks are not visible.

“That’s why it’s critical to encourage employees to use a credential manager to generate a unique, complex password for these systems,” says Rivain. “This helps them develop good habits and authentication best practices. The hope is that employees will also add this protection to unauthorized apps they use, which is at least better than the alternative.”

However, employees regularly reuse and share their credentials, both strong generated passwords and weak or compromised credentials that they create themselves. Getting them to understand the risk and stay informed about phishing attempts is often an uphill battle.

Adding Passkeys as a Security Layer

Passkeys can add another level of security and help mitigate credential risks in certain areas of the organization, Rivain says. A passkey is a form of passwordless authentication developed by the FIDO Alliance and supported by major technology companies. Passkeys are always unique and strong and do not require storing private information on servers. A user is asked to prove their identity when they log in to a website or app. They can use biometric identification such as a fingerprint or facial recognition to confirm their identity, or alternatively answer a challenge through a credential manager. Once the user is confirmed, they are logged in automatically; no password is needed.

Passkeys are much more secure than any password: they are phishing-resistant and cannot be stolen or guessed. From a liability perspective, because exposing customer data can lead to major legal issues for an organization, requiring employees to use passkeys wherever possible significantly improves security. IT managers can explicitly encourage teams to use passkeys wherever they are available in the tools they use – for example, the marketing group can switch to passkeys for most social media platforms.
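The challenge-response flow behind the two paragraphs above, as an added example that is not part of the article or of any Dashlane product: a toy relying party and authenticator in Go. The type and function names are assumptions, and the signed message is a simplification (real WebAuthn signs authenticator data plus a hash of client data that carries the origin); the point it shows is that the server stores only a public key and that the signature is bound to the origin the browser actually shows, which is why a look-alike domain cannot relay a login.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator (device or credential manager): one private key per site, never exported.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }

// RelyingParty (the website): stores public keys only, so its user table holds no secret.
type RelyingParty struct {
	id   string
	pubs map[string]*ecdsa.PublicKey
}

// Register creates the per-site key pair and hands the server only the public half.
func (a *Authenticator) Register(rp *RelyingParty, user string) error {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	a.keys[rp.id] = priv
	rp.pubs[user] = &priv.PublicKey
	return nil
}

// Sign answers the server's challenge (a fresh random nonce per login) and binds the signature
// to the origin the browser shows; a look-alike domain has no key here, so it is refused outright.
func (a *Authenticator) Sign(origin string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[origin]
	if !ok {
		return nil, fmt.Errorf("no passkey registered for %q", origin)
	}
	digest := sha256.Sum256(append([]byte(origin+"|"), challenge...))
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// Verify recomputes the digest with its own id, so only a signature made for this site passes.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.pubs[user]
	if !ok {
		return false
	}
	digest := sha256.Sum256(append([]byte(rp.id+"|"), challenge...))
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}
```

Because nothing on the server side is secret, dumping the relying party's user table yields no credential to replay, and a replayed signature fails as soon as the server issues a different challenge.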

However, passkeys as an enterprise solution are not yet ready for prime time, says Rivain. In particular, they are not available for all tools or platforms. Additionally, it’s still a nascent technology with some accessibility issues, such as a somewhat clunky user experience in Chrome and on Apple platforms, as well as issues with properly attesting the origin of passkeys, difficult account recovery if a passkey is lost, and no control over where the passkey is stored.

“Of course, IT administrators want this control. They want to know where they store the keys to the kingdom,” says Rivain. “There are many unresolved business use cases for passkeys. This is part of the work of the FIDO Alliance, which will also take time.”

As more consumers adopt passkeys, which are supported by many websites, apps and larger technology companies, passkeys will become a more important part of discussions about business security. Rivain predicts that we will see complete passwordless solutions for businesses in the future, but that point has not yet been reached.

“They’re not perfect, but they’re also a way to put guardrails around employees so they can’t accidentally reveal a password, and they’re going to use that technology because it’s more convenient and more secure,” he says. “This is why it is important that the industry continues to work on this subject and promote it. The adoption journey is going to be very long, but it’s better than what we had before.”

What about business security? Insecure credentials such as passwords continue to pose a persistent and evolving threat to organizations, even with other protections in place. Businesses need a whole new approach to security and identification.

Changing the game in credential security

As the number and sophistication of attacks continue to increase, along with the number of invisible and unauthorized applications used by employees, even the best layered security strategy is not foolproof.

“We need to find a new approach, one that ensures that even employees who don’t think much about security are still protected, and we need to move to active protection rather than passive defense,” says Rivain. “This means going beyond traditional password management to keep each employee’s credentials secure in context and in real time.”

To this end, Dashlane has integrated detection, intelligence, and response capabilities into tools that provide maximum visibility into credential risks.

Dashlane’s Credential Risk tool continuously monitors company-wide credential data to detect risks in real time. When an employee enters a weak, reused, or compromised credential, or is about to enter their information on a suspicious website, the tool automatically sends an alert to IT. Dashlane Nudges automates the response to credential risks by sending personalized, automated messages to employees, alerting them to the risk and asking them to update their credentials.

With continuous analysis of application login methods, IT has much greater visibility into credential risks across all tools and systems employees use, authorized or unauthorized. At the same time, employees are encouraged to develop good security habits throughout their day.

“There is a lot of potential in this new approach,” he adds. “We’re trying to approach the issue of credentials and security across the organization from a whole new perspective, adding an extra layer of critical protection to a robust security strategy.”

Go further: Click here to learn more about credential risk detection, Dashlane Nudges, and other powerful security tools for businesses.

To discuss purchases, visit Dashlane here.


Sponsored articles are content produced by a company that pays for publication or has a business relationship with VentureBeat, and they are always clearly marked. For more information, contact [email protected].