Originally published on 27 Feb 2020
Updated on 01 Nov 2021
Is Shadow IT Creating Security Risks for Your Business?
Shadow IT is a growing problem. According to research conducted by Cisco, 90% of business security systems worldwide are being bypassed by shadow IT systems which end up being embedded into organisational operations, unbeknown to your IT department.
In this blog, our technology experts discuss the threat of shadow IT, what risks arise because of it and what — if anything — IT departments can do to manage shadow IT.
What Is Shadow IT?
It sounds a little ominous, doesn’t it?
In truth, there is an element of danger to the existence of shadow IT, but it’s probably a little more pedestrian than the name implies.
Shadow IT is hardware or software used by staff without your IT department knowing about it. This technology is predominantly cloud-based or smart tech. The big issue here is that there is no testing or approval given by IT or compliance. There are no checks run to determine if these IT resources pose any security risks. Your employees simply download them to your systems or connect them to your network autonomously.
Shadow IT has been described as an “invisible” risk lurking in every organisation, with Gartner predicting that one in three security breaches will be the result of shadow IT.
Shadow IT Risk: Why Is Shadow IT Bad?
Shadow IT introduces software and hardware that your IT teams are unaware of. All these applications and bits of technology are running in the background without any kind of monitoring.
Each and every one of these applications can pose a significant risk to an organisation: by connecting to your networks and accidentally disclosing sensitive data, or by allowing hackers to gain access to your systems through unprotected “security backdoors” or by bypassing access control systems, security technologies and more. Many of these applications also have software clients that are not updated regularly after installation, which represents a potential risk from malware.
Your IT security policies exist for a reason, so when technology is installed onto your employees’ devices and used without authorisation, these shadow IT resources can result in vulnerabilities being introduced to your data security.
Your IT department needs to know about every potential cyber security concern, and shadow IT prevents that from happening.
“Only 7% of lost organisational data is actively hacked because an enormous 81% of data is stolen or carelessly disclosed.”
Cisco’s research revealed that chief information officers (CIOs) could be underestimating how many shadow applications are running in their business by a factor of 14. To quantify that in real numbers, that’s a CIO being aware of 51 cloud services running when in reality it’s closer to 730.
Shadow IT, then, is a major problem for two reasons:
- It creates risk for your company.
- It’s hugely prevalent and out of control.
Shadow IT Examples
What does shadow IT look like for your business?
Everyday examples of shadow IT include routine-based activity across an organisation:
- Sharing files internally and externally to suppliers and customers via file sharing apps and collaboration tools (common culprits include OneDrive, Dropbox or Google Drive).
- Using personal accounts (e.g. Skype) for conference calls or social media for messaging.
- Employees using online software and tools from a previous job to complete their work, such as video editing, document signing and so on.
- The sales and marketing team using cloud services (SaaS applications) as CRM solutions for campaign activity instead of internal systems.
When Did Shadow IT First Become a Problem & Why Is It Such a Big Issue?
We live in an era of heightened technology awareness. Your employees don’t want to use your slow and outdated IT solutions when they know they’ve got access to a better bit of technology somewhere online that is just a button click away.
With the rise of easy-to-download cloud-based applications, employees have gained access to a myriad of applications within the workplace that they know can make their jobs easier. Why use the software the IT team has installed on their computer when they can jump online and grab something they know how to use and that they believe to be a superior product, usually for free?
Before now, employees would have to wait patiently for IT to approve hardware and software after testing for potential risks. This caused considerable slowdowns and employee frustration. With instant access to untested (or poorly configured) cloud-based applications, this bottleneck has been long forgotten. Instead, your workers just download what they want and use it.
Bear in mind that employee intent is rarely malicious. These are attempts to make their own lives easier as users, not to make yours harder as a company manager.
Corporate Attitudes: There’s More to the Shadow IT Problem
A misaligned board only fuels the overall negative impact shadow IT has on an organisation.
If IT doesn’t have “a seat at the boardroom table”, then the risk isn’t being taken seriously, and IT strategy is seen as an afterthought. This can lead to clunky, over-engineered IT infrastructures and systems that become difficult to change and upgrade when necessary.
As a result, workers get fed up with poor system design and simply build their own.
Failure to take IT seriously means rates of shadow IT increase — voices are not heard and employees take matters into their own hands. Your IT department then has to deal with the problems that arise from shadow IT as well as all the other information security risks they face.
This ever-increasing strain on IT can only lead to incidents of data loss, security breaches and infrastructure failures. These events can no longer be confined to one area of the business. Instead, they now have a serious impact on the wider organisation in terms of reputational damage, escalating costs and operational downtime.
Shadow IT isn’t the only problem businesses face. For more information on the other challenges CIOs and IT typically face, from data leaks to cyber attack risks, be sure to read our guidance on information security, cyber solutions and data compliance.
Shadow IT Policy and Approach: How Can You Get Rid of Shadow IT?
It can be a daunting prospect to try to manage the so-called “invisible” problem of shadow IT, but there are steps you can take to mitigate the risk for your business and IT departments. By implementing the following strategies, you can start to develop solutions that take back control:
Understand the Problem and Identify Shadow IT Users
Knowledge is power. Monitor who is doing what within your company and remove the ability for individuals to download anything without following the appropriate business procedures. Put in place appropriate web interface filtering to prevent access to cloud services that could be used to step outside of normal practice.
Discover and Combat Shadow IT Risk
How well does your IT platform cater to the current (and potentially future) needs of the business? The two main drivers of shadow IT are “need” and “ability”. Understanding the requirements of the business (need) will allow the IT team to provide the appropriate solutions (ability) that negate shadow IT risk. You can also put in place controls to look out for potential shadow IT risk on your system.
Lock Down Any Immediate Risk
If cloud apps break company policy, then they must be blocked and further action needs to be taken where deemed necessary to manage said cloud app. Security and acceptable use policies are a must, so employees are aware of the risks and consequences associated with their actions.
Make Employees Aware of Shadow IT
Sufficient notice should be given to users of unapproved shadow IT applications. Allow employees to justify their use and if the risk outweighs the benefit, then shut down unapproved applications after sufficient warning is given. There can be a place for the software or hardware if it proves to have important benefits of use. Should the decision be taken to continue with a cloud application, ensure that someone at the appropriate level accepts the risk in doing so and that the cloud application is appropriately vetted by the security and compliance team prior to continuing to use the service.
Shadow IT Policies and Training
You can’t expect all employees to be aware of the risk of shadow IT cloud services or hardware. Setting out clear technology policies for all departments and providing context in the form of training can help minimise the risk of shadow IT. It will also provide a greater understanding that using an unapproved cloud service — be it for collaboration projects or otherwise — will have consequences.
Continual Network Monitoring
It’s important to continually monitor the state of your network, in particular any abnormal traffic or unknown applications. Employees can also forget about the dangers of shadow IT, so reminders could be a simple way to mitigate risk.
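As an added example (not part of the original article and not Optimising IT's tooling), the check for unknown applications can be sketched as a comparison of web proxy traffic against a list of approved services. The four-field log format, the allowlist and the log lines below are all constructed assumptions.

```python
from collections import defaultdict

# Assumption: hypothetical allowlist of services IT has approved.
SANCTIONED = {"sharepoint.com", "office.com", "intranet.example"}

# Constructed sample log: timestamp, user, destination host, bytes uploaded.
SAMPLE_LOG = """\
2021-11-01T09:02:11Z alice contoso.sharepoint.com 48211
2021-11-01T09:05:40Z bob www.dropbox.com 7340032
2021-11-01T09:06:02Z bob www.dropbox.com 1048576
2021-11-01T09:14:27Z carol drive.google.com 220145
2021-11-01T09:20:00Z alice outlook.office.com 9120
2021-11-01T09:31:55Z dave sign.unknown-esign.example 51200
garbled entry
"""


def is_sanctioned(host, allowlist=SANCTIONED):
    """True if host is an approved domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    # Match on a label boundary so "evilsharepoint.com" is not approved.
    return any(host == d or host.endswith("." + d) for d in allowlist)


def find_shadow_it(log_text, allowlist=SANCTIONED):
    """Return (findings, skipped): per-host usage of unapproved services."""
    findings = defaultdict(lambda: {"users": set(), "requests": 0, "bytes_up": 0})
    skipped = 0
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            skipped += 1  # count unparseable lines instead of hiding them
            continue
        _, user, host, sent = parts
        host = host.lower().rstrip(".")
        if is_sanctioned(host, allowlist):
            continue
        entry = findings[host]
        entry["users"].add(user)
        entry["requests"] += 1
        entry["bytes_up"] += int(sent)
    return dict(findings), skipped


def report(findings):
    """Hosts ordered by upload volume, largest first."""
    return sorted(findings, key=lambda h: findings[h]["bytes_up"], reverse=True)


if __name__ == "__main__":
    found, bad = find_shadow_it(SAMPLE_LOG)
    for host in report(found):
        f = found[host]
        print(host, sorted(f["users"]), f["requests"], f["bytes_up"])
    print("unparseable lines:", bad)
```

Ordering by upload volume puts the services most likely to hold company data at the top of the review list, and the per-host user set identifies who to speak to about their use of the service.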
Shadow IT Solutions: Establishing Shadow IT Security Process for Your IT Department
Network Monitoring Security Measures
At Optimising IT, we help our customers proactively monitor their networks. Armed with industry-leading tools, we’re able to examine and alert organisations to suspicious traffic and locate devices and applications that need locking down.
A Co-Sourced Approach to Shadow IT Management
We can take the strain from internal IT teams with our co-sourced service, enabling your IT teams to focus on driving business-critical projects and reaping their benefits. We take on some of your IT workload, freeing up your team to deal with shadow IT.
Cyber Security Training to Address Security Gaps
Training plays an important part in maintaining control over the threat of shadow IT. We offer training suited to both employees and business leaders, helping you to align your cyber security and shadow IT mitigation goals with everyone across your company.
Contact our expert team to discuss your individual requirements by calling 0330 403 0011 or by filling out our contact form. Take control of your shadow IT, get rid of dangerous and unauthorised cloud services and be safe in the knowledge that you are doing all you can to protect your business and facilitate future growth.