Security blogs

Shadow IT Risks and How to Mitigate Them

Let’s assume that you decide to do some extra work at home. You build a database to address a company issue, put company data, customer information or just some innocuous information on your personal device to be more efficient at work. Maybe you even upload it into Google Drive or Dropbox for easier accessibility.

This is a good idea as you are working harder for the company and doing it in your own time, right?

This is called Shadow IT.

Shadow IT is one of the most worrying problems for all organisations, from small businesses to large enterprises. It creates additional challenges for the IT departments and often puts an organisation’s entire network at risk.

According to Gartner, by 2020, around 30% of successful attacks on enterprises will be on their unsanctioned shadow IT resources.

Hiding in the shadows

What is shadow IT?  – Basically, it’s any device, IT system, technology, or application that’s deployed and used without the approval of the corporate IT department. In some cases, personal devices including home computers, mobile phones, cloud storage and USB devices may also be considered part of shadow IT.

The most common examples of shadow IT are popular cloud services like Dropbox and Google drive and commonly used messengers like Viber and WhatsApp. However, what’s considered part of shadow IT mostly depends on a company’s corporate policy.

People turn to shadow IT for different reasons. The most common reasons for using shadow IT are:

  • Efficiency– Approved software and solutions can be (or at least seem to be) slower, less effective, and less productive than unsanctioned alternatives.
  • Compatibility– Corporate solutions may be incompatible with users’ personal devices.
  • Comfort– People tend to use software and solutions they’re used to.

Even though shadow IT often seems to be helpful to end users, it poses a serious threat to enterprises.

But why is shadow IT so dangerous?

The main threat posed by unsanctioned devices, software and applications that are hidden from IT and are unprotected and unaccountable.  You can’t effectively manage something that you don’t even know exists. As a result, both the security and performance of the entire network are put at risk.

Let’s take a closer look at the most common risks of shadow IT:

  • Lack of security– Lack of visibility and control over network elements are the main cybersecurity risks of using shadow IT. They create numerous weak spots that hackers may use for compromising a system and collecting or stealing sensitive business information. Plus, since unsanctioned software and applications aren’t managed by the IT department, they usually have lots of unpatched errors and vulnerabilities.
  • Performance issues– Certain products and solutions can be incompatible with the main components of the IT infrastructure, leading to serious performance issues.
  • Data loss– An IT department can’t create backups for software they don’t know is present in the network, while shadow IT users usually don’t think (or know) that backups are necessary. As a result, there’s always a significant risk of losing important, valuable, and sensitive data.
  • Compliance issues– Most businesses have several regulations, laws, and industry standards they need to comply with. The presence of unmanaged software makes it much harder for a company to meet these standards.

As you can see, shadow IT solutions can pose a serious threat to any company. Therefore, systems, technologies, and applications in use must be managed effectively in order to mitigate shadow IT risks. In the next section, we talk about popular solutions for detecting and managing shadow IT.

Should You Embrace Shadow IT? 4 Questions to Ask Yourself

Before embracing or restricting shadow IT, it is suggested CIOs ask themselves the following four questions:

  1. Is there a reason why a solution is inappropriate for the company?
  2. If users clearly feel they need a solution for rapid document sharing/online services/hardware, can this be included in the company’s IT policy?
  3. Is there a Shadow IT option currently in use in the organisation that satisfies compliance needs?
  4. Can you integrate Shadow IT (certain apps or services or devices) into your IT assets and install the proper security measures around them?

Throwing light upon shadow IT

Currently, there are six common ways to deal with unapproved devices, software and cloud applications:

  1. Locate the Shadow IT
  2. Find the reason why
  3. Minimise the risk
  4. Policies
  5. Device Management
  6. User Training and user confidence

#1 Locate the Shadow IT

According to a survey by the Frost and Sullivan Institute, sponsored by McAfee; 80% of employees agree that they have incurred in this practice. This means that there is a high probability that this trend may be taking place in your organisation.

Therefore, the best thing to do is to carry out an in-depth analysis that allows you to filter the exchange of information with external elements. From there, it will be easier for you to identify processes involving unauthorized solutions.

#2 Find the reason why

There are several reasons why an employee may be motivated to practice Shadow IT, such as the fact that this phenomenon allows users in the organisation to use the latest applications without waiting for IT to verify or approve them.

Carry out an evaluation to determine the main reasons for the appearance of the Invisible IT. As a result, you will be able to obtain valuable information that will enable CIOs to take more effective measures to meet the user’s needs related to the use of effective tools.

#3 Minimize the risks

Instead of banning the use of Shadow IT applications, seek to implement security solutions to control their use. Invest in tools that allow you to protect your systems in a comprehensive way, by protecting the organisation’s sensitive data both in the internal flow and in interactions in the cloud.

Such solutions should give you full visibility into your assets to help you locate any potential source of threats faster.

#4 Amend your corporate Policies

Firstly, we need to ensure that the corporate policies address Shadow IT, make a recommendation to the staff on how it may be used and address the liability of any breach that occurs due to Shadow IT.

#5 Implement Device Management

All staff should be advised about the use of Shadow IT and be advised that they must notify IT of its existence and usage.

Next, IT must be able to place device management on these devices in case of loss or breach so they can monitor and delete data in the case of a possible breach.

Ensure the patching of devices and software is applied as a mandatory policy.

#6 User Training and user confidence

Training staff and users how to best address their use of Shadow IT, like suggesting that they don’t use the private cloud.

Finally, encourage open communication between users and CIOs; and raise awareness of the benefits of using controlled applications within the enterprise.

Most importantly, do not hold back innovation. Whether employees develop applications or use tools in an unauthorized manner, these practices can be the perfect opportunity to find new ways to solve problems, increase workflow efficiency and improve business competitiveness through new tools. So, look for a strategy that rather than prohibiting certain applications, allows you to support users in the use of innovative solutions.

Do you even need to fight it?

There’s no denying that shadow IT is dangerous and can pose a serious threat to any company. However, that doesn’t mean there are zero benefits to using unsanctioned software in the corporate network.

What are the benefits of shadow IT? First and foremost, the mere fact that unapproved software is running on a company’s systems shows that approved solutions don’t meet the requirements of employees: they’re either inefficient or uncomfortable or both.

Secondly, there’s always a chance of shadow IT turning out to be more productive and cost-effective than already deployed solutions. The main task here is to recognize the solutions that can be more beneficial to the company and find a way to implement them effectively into the current infrastructure.

Conclusion

The use of unmonitored and unmanaged devices, software or cloud applications can pose a serious threat to any company by compromising the security of its network and creating additional performance and compliance issues.

Start to address the issue now before it becomes a problem for the users and the organisation.

 

You may also like
Security Awareness Training is ineffective!
Get the budget you need, not the one you deserve.
Here’s how to defend yourself online
Conscious vs. Unconscious – the determinants of security behaviour