Shadow IT refers to information technology (IT) projects that are managed outside of, and without the knowledge of, the IT department.
As companies move to the cloud, their enthusiasm for rapid adoption is often tempered by security, compliance and governance concerns. Once those concerns have been reviewed and a plan of action agreed, adoption makes perfect sense. It is the shadow and grey areas that need ongoing review, because adoption outside that plan can happen at any time.
Employees are always looking for ways to work more efficiently and effectively. This may include anything from installing an application to check for grammar and spelling in documents, to using their mobile phone to quickly answer emails, to using a cloud file storage solution to easily send large files to colleagues and third parties. Although these digital technologies may improve productivity, or make it easier for employees to work remotely, if a business’s IT team does not have visibility of these tools, it can pose a significant security risk. This concept is called Shadow IT and in this article we discuss how this poses a security risk, and what businesses can do to combat Shadow IT.
What is Shadow IT?
Shadow IT refers to any devices, software and services used by employees of a business without the knowledge, ownership or control of the business’s IT department or IT provider.
In terms of devices, this may include using a personal mobile phone on a business’s network, or using an external hard drive to transport files between work and home. Productivity application examples include Slack, Trello and Asana. For cloud storage, this may be using WeTransfer to send files, or storing company files on Google Drive or Dropbox. Other examples include communication applications such as Skype or other VoIP solutions.
How does Shadow IT pose a security risk?
Although Shadow IT may increase productivity for employees, it also expands the attack surface without the knowledge of the IT provider or team, and so can become the entry point for a cyberattack. Some potential issues include:
Lack of Visibility and Control
The main issue with Shadow IT is that an IT team cannot secure technology it does not know about. If the team knows which software employees are using, it can track published vulnerabilities in that software and deploy patches and security updates as they are released. If it does not know, patching depends entirely on the individual employee, and an unpatched application or service leaves the business exposed to a cyberattack.
The same applies to devices. When IT teams set up work devices, they configure them to reduce the chance of compromise, for example with disk encryption, endpoint protection, managed updates and limited administrator rights. A personal device that joins the network without the IT team’s knowledge carries none of those controls, and the team has no way to check its state or wipe it if it is lost.
Compliance Failures
Different industries have different regulations that businesses must comply with. Regardless of the industry, however, Shadow IT increases the chance of a business failing to meet those requirements, because it cannot demonstrate control over data it does not know about. This is particularly pertinent to GDPR: under the right to erasure, a business must delete a subject’s personal data on request in many circumstances. If an employee also holds a copy of that data on a system the IT team is not aware of, that copy is never deleted, and the erasure request has not actually been honoured.
Increased Risk of Data Breach or Leak
If employees are using cloud storage or cloud file transfer services, this increases the chance that data will end up outside the business’s control. If company files are moved onto an employee’s personal cloud storage account and that account is compromised, the business has suffered a data breach. The business remains responsible for that data, so the breach still has to be handled and, where required, reported, even though the IT team may not learn of it at all.
What can businesses do to combat Shadow IT?
Shadow IT, by its very nature, is difficult to detect and avoid, but there are steps a business can take to increase visibility and reduce the associated risks.
One method to combat Shadow IT is to continuously monitor the IT environment. Proxy, DNS and firewall logs show which cloud services are in use and from which machines, so they can be compared against the list of sanctioned services; DHCP leases and network access control show when a device that is not in the asset register joins the network. Together these help the IT team identify where company data actually resides, rather than where policy says it should.
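As an added illustration of that monitoring (this is example code written for this article, not a tool from the original page), the script below parses a constructed proxy log, maps each destination host to a small hypothetical SaaS catalogue, reports which services are in use per category and whether each is on a hypothetical allowlist, flags bulk uploads to services outside the allowlist, and compares constructed DHCP leases against a hypothetical asset register to surface unregistered devices. The log format, catalogue, allowlist, threshold and lease records are all assumptions made up for the example.

```python
import re
from collections import defaultdict

# Hypothetical allowlist of sanctioned services per category (constructed for this example).
SANCTIONED = {
    "file_sharing": {"sharepoint.example.com"},
    "collaboration": {"teams.microsoft.com"},
}

# Tiny constructed SaaS catalogue: registrable domain -> category.
CATALOGUE = {
    "wetransfer.com": "file_sharing",
    "dropbox.com": "file_sharing",
    "drive.google.com": "file_sharing",
    "sharepoint.example.com": "file_sharing",
    "slack.com": "collaboration",
    "trello.com": "collaboration",
    "asana.com": "collaboration",
    "teams.microsoft.com": "collaboration",
}

# Bytes sent by the client in one request above which a POST/PUT is treated as a bulk upload.
UPLOAD_THRESHOLD = 1_000_000

# Constructed proxy log: "<timestamp> <client_ip> <method> <host> <bytes_sent_by_client>".
PROXY_LOG = """\
2024-03-04T09:01:10Z 10.0.0.21 GET teams.microsoft.com 512
2024-03-04T09:02:44Z 10.0.0.21 POST wetransfer.com 52428800
2024-03-04T09:05:02Z 10.0.0.33 GET app.slack.com 2048
2024-03-04T09:07:19Z 10.0.0.33 POST files.slack.com 4096
2024-03-04T09:09:55Z 10.0.0.21 POST content.dropbox.com 2097152
2024-03-04T09:11:31Z 10.0.0.45 GET sharepoint.example.com 1024
2024-03-04T09:12:00Z 10.0.0.45 GET www.example.org 300
malformed line that the parser must skip rather than crash on
"""

LINE_RE = re.compile(r"^(\S+) (\d+\.\d+\.\d+\.\d+) (GET|POST|PUT|CONNECT) (\S+) (\d+)$")


def service_for(host):
    """Map a hostname to (catalogue domain, category) by walking its parent domains,
    so files.slack.com matches the slack.com entry. Returns (None, None) if unknown."""
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in CATALOGUE:
            return candidate, CATALOGUE[candidate]
    return None, None


def analyse_proxy_log(text):
    """Return (inventory, unsanctioned_uploads).

    inventory: category -> service -> {"clients": [...], "sanctioned": bool}
    unsanctioned_uploads: (timestamp, client, service, bytes) for bulk uploads
    to services that are not on the allowlist for their category."""
    usage = defaultdict(lambda: defaultdict(set))  # category -> service -> {client ips}
    unsanctioned_uploads = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate garbage lines; a monitoring job should not abort on one
        ts, client, method, host, sent = m.groups()
        service, category = service_for(host)
        if service is None:
            continue  # not a known SaaS destination
        usage[category][service].add(client)
        sanctioned = service in SANCTIONED.get(category, set())
        if not sanctioned and method in ("POST", "PUT") and int(sent) >= UPLOAD_THRESHOLD:
            unsanctioned_uploads.append((ts, client, service, int(sent)))
    inventory = {
        cat: {svc: {"clients": sorted(clients),
                    "sanctioned": svc in SANCTIONED.get(cat, set())}
              for svc, clients in svcs.items()}
        for cat, svcs in usage.items()
    }
    return inventory, unsanctioned_uploads


# Constructed asset register (MAC -> hostname) and observed DHCP leases (MAC, hostname).
ASSET_REGISTER = {"aa:bb:cc:00:00:21": "LAPTOP-021", "aa:bb:cc:00:00:33": "LAPTOP-033"}
DHCP_LEASES = [
    ("aa:bb:cc:00:00:21", "LAPTOP-021"),
    ("aa:bb:cc:00:00:33", "LAPTOP-033"),
    ("de:ad:be:ef:12:34", "Johns-iPhone"),
]


def unknown_devices(leases, register):
    """Leases whose MAC is not in the asset register: candidates for personal devices."""
    return [(mac, name) for mac, name in leases if mac.lower() not in register]


if __name__ == "__main__":
    inventory, uploads = analyse_proxy_log(PROXY_LOG)
    for cat, svcs in inventory.items():
        for svc, info in svcs.items():
            flag = "" if info["sanctioned"] else "  <-- not on allowlist"
            print(f"{cat:14} {svc:24} clients={len(info['clients'])}{flag}")
    for ts, client, svc, nbytes in uploads:
        print(f"bulk upload to unsanctioned service: {ts} {client} -> {svc} ({nbytes} bytes)")
    for mac, name in unknown_devices(DHCP_LEASES, ASSET_REGISTER):
        print(f"unregistered device on network: {mac} ({name})")
```

Two design points matter in practice. Matching on parent domains, not exact hostnames, is what catches services that fan out across subdomains (the example’s files.slack.com and content.dropbox.com), and the upload check keys on bytes sent by the client rather than request count, because one 50 MB POST to a file transfer site is the event worth a conversation, whereas a hundred small GETs are just someone reading a page.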
Often employees do not know that non-approved software and services are not allowed, so it is important to educate them about the risks of Shadow IT. Businesses should also create a simple process through which employees can request approval for software, devices and services, so they still get the benefits of digital technologies while the IT team can take the necessary steps to keep the business secure.
Businesses should also have a defined BYOD policy and program. This ensures that employees know what devices they are allowed to use for business purposes and what devices can connect to the business’s network.
Finally, businesses should consider creating a formal digital transformation strategy. Although this will not stop all Shadow IT, it will ensure that employees have the best digital technologies to work effectively and productively. Digital transformation can also enable businesses to gain a significant competitive advantage.
Key Questions IT Security Should Be Able to Answer Related to Shadow IT Visibility and Control
- Which services are employees and business units using overall and in each category (examples: file sharing, social media, collaboration)?
- Which services are gaining in popularity and should be evaluated for enterprise-wide adoption?
- What is the risk level of each service in use?
- How effective are my firewalls and proxies at identifying cloud services and enforcing acceptable cloud use policies?
- Which redundant services are employees using, and are they introducing additional cost and risk or inhibiting collaboration?
- How do I quantify the risk from the use of cloud services and compare it to peers in my industry?
- Which services house sensitive or confidential data today?
- What are the security capabilities of the services storing sensitive data?
- Which partners’ cloud services are employees accessing, and what’s the risk of these partners?
Want to find out more?
If you believe that your business may be at risk due to Shadow IT, or if you are ready to take the next steps to improve your business’s security posture, contact us today.