Shadow IT. Just the name itself sounds spooky, like a ghost is haunting your IT infrastructure. And while shadow IT definitely poses a risk to your organization, it's something that can be avoided with a few best practices, as well as building a culture of cybersecurity in your company.
The term "Shadow IT" refers to any type of system, software, devices, or applications used by employees without the approval of the IT department. This practice, which can take different forms, violates almost all compliance initiatives and represents major security risks to the organization.
Now that we have the basic definition, it's time to take a look at:
- How shadow IT relates to cloud-based services
- The reasons behind its existence
- Its risks and the actions to take
Understanding shadow IT
The high adoption of cloud-based services has led to a meteoric increase in shadow IT within companies (in fact, this is often a talking point in the cloud vs. on-premises debate). Cloud applications such as Dropbox, Google Docs, Skype, Slack, or even self-developed Excel spreadsheets and macros are some examples of shadow IT. The possibility of these rogue assets should be considered within any Software Asset Management initiative.
But while SaaS is often the route to shadow IT, it also encompasses other elements, such as any personal device (laptops, tablets, smartphones, or USB flash drives). Shadow IT covers basically any cloud service, software, or hardware that is used without the knowledge of the IT or security group within the organization.
Why does shadow IT exist?
One of the reasons why users resort to shadow IT is to work more efficiently. They already know the tools and feel they can easily install them and use them to collaborate more efficiently with other workers, as well as with people outside the company.
In contrast, learning how to use the tools provided by the IT department (if they are totally new to them) may require more time and effort, since knowledge takes some time to sink in. They might also simply feel more comfortable using the tools they already rely on every day.
It should also be taken into account that the whole “Bring Your Own Device” (BYOD) concept has contributed to the increase of shadow IT. BYOD might seem to provide savings to the company, as it allows employees to use their own smartphones or computers, but it can introduce unexpected risks if precautions are not taken.
But while shadow IT may seem to help employees improve productivity, it introduces serious security risks, and it can even lead to inefficiencies and major losses for the organization.
Shadow IT: risks and examples
Let's break down some of the most critical risks of shadow IT, and some examples to put them into context.
1. Expansion of attack surfaces
Any device connected to the network represents an access point which cybercriminals could exploit to launch attacks. Weak credentials could expose sensitive information. Moreover, data stored in shadow IT lies outside the organization's security boundaries, where its risks cannot be managed.
According to Gartner, one-third of successful attacks experienced by enterprises involve their shadow IT resources. It is therefore important that organizations minimize risk by taking preventive measures, and also by educating their employees.
2. Data loss or leakage
This is related to the previous item and even goes beyond it. With shadow IT, the organization loses control and visibility, which could lead to data leaks, security issues, regulatory noncompliance, and the inability to recover information that might be lost in shadow IT systems.
If, for example, an employee keeps contracts, projects, or client information in Google Drive or another cloud app, and the employee leaves the company or the cloud account is terminated for any other reason, the IT department might not be able to retrieve that critical data from the account. By contrast, when all cloud services are managed by the IT department, the flow of data can be closely monitored.
3. Increased costs
Any data leakage or cyberattack could imply major financial loss for the company. There might also be high costs involved due to noncompliance.
Let's imagine that an employee stores sensitive information from a client's organization in a shadow IT cloud storage application. If he or she were the victim of a cyberattack, it would result in the exposure of that sensitive data, and the company could have to face expensive legal costs for noncompliance. In addition to that, the business reputation might be damaged.
“There is a high security risk, which can subject the entire organization to a denial of service attack, ransomware, or data leakages, among other things. Shadow IT implies not only a technological risk, but also puts the business itself at risk. That is why it is imperative that there are procedures and controls that prevent, hinder and inhibit the operation and maintenance of shadow IT within the organization, in addition to detecting any existing shadow IT, both in the user network, as well as in the datacenter and public cloud.”
-- Martin Hoz, Fortinet Vice President of Engineering for Latin America.
When shadow IT is in use, each employee might have to report data regarding tasks performed, productivity and even security issues on their own. This could lead to inconsistencies, as well as difficulties tracking down necessary information that would be easier to obtain if the IT department were in control.
5. Lack of efficiency
Even though employees might think using some shadow IT apps will help them perform better, the outcome might be the exact opposite. If data is scattered across different infrastructure locations, the IT department will take longer to analyze, report and carry out the tasks needed to enhance security and to plan adjustments to system architecture or capacity.
How to manage Shadow IT
The idea is to find a middle ground between the IT department and the business unit or user, so that they can use some shadow IT while allowing the IT department to control user permissions and data for those applications.
All in all, the company should take measures to reduce the need for shadow IT, and only permit the hardware or apps that come in handy (and prove to be genuinely beneficial assets). Besides, it is necessary to establish policies to manage the accepted shadow IT.
The 5 steps that should be carried out are:
- Discover shadow IT
- Learn the needs of users
- Educate your users
- Assess risks and take actions
- Establish policies about shadow IT
1. Discover shadow IT
The IT department should scan and monitor the network to detect if there is any shadow IT that might be posing a risk. A proactive discovery of shadow IT tools and any network risk associated with them can help mitigate future problems. Taking care of network security is a must.
This is where an IT Asset Management tool such as InvGate Insight comes in handy. Insight provides you with a quick and easy unified view of your entire asset inventory, including all the software installed on your hardware assets. This easy visibility of your asset and configuration management data gives you all the control you need to keep shadow IT under close watch.
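As an added illustration of the discovery step (example code written for this page, not part of the original article or of any InvGate product), the script below runs a sanctioned-list check over constructed proxy log lines: it matches each destination host against a list of known SaaS domains (the article's own examples), skips the ones IT has approved, and reports which users are sending data to the rest. The log format, the domain lists and the sample lines are all assumptions.

```python
import re
from collections import defaultdict

# Assumed: SaaS destinations the IT department has explicitly approved.
SANCTIONED = {"teams.microsoft.com"}
# Assumed: cloud/SaaS domains worth tracking (the article's own examples).
KNOWN_SAAS = {
    "dropbox.com": "Dropbox", "docs.google.com": "Google Docs",
    "drive.google.com": "Google Drive", "slack.com": "Slack",
    "skype.com": "Skype", "teams.microsoft.com": "Microsoft Teams",
}
# Assumed proxy log format: "<timestamp> <user> <method> <host> <bytes_out>"
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT) (\S+) (\d+)$")

def classify(host):
    """Match host or a parent domain against KNOWN_SAAS -> (app, sanctioned) or None."""
    parts = host.split(".")
    for i in range(len(parts) - 1):
        domain = ".".join(parts[i:])
        if domain in KNOWN_SAAS:
            return KNOWN_SAAS[domain], domain in SANCTIONED
    return None

def discover_shadow_it(lines):
    """Aggregate unsanctioned SaaS use: app -> {'users': set, 'bytes_out': int}."""
    report = defaultdict(lambda: {"users": set(), "bytes_out": 0})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip it rather than abort the pass
        _, user, method, host, nbytes = m.groups()
        hit = classify(host)
        if hit is None or hit[1]:
            continue  # unknown destination, or an approved app
        app_name = hit[0]
        report[app_name]["users"].add(user)
        if method in ("POST", "PUT"):  # uploads: data leaving the network
            report[app_name]["bytes_out"] += int(nbytes)
    return dict(report)

# Constructed sample log lines so the script runs stand-alone.
SAMPLE_LOG = [
    "2024-01-10T09:01:02 alice POST www.dropbox.com 524288",
    "2024-01-10T09:02:11 bob GET teams.microsoft.com 120",
    "2024-01-10T09:03:45 alice PUT drive.google.com 1048576",
    "2024-01-10T09:04:01 carol GET slack.com 300",
    "not a log line",
]

if __name__ == "__main__":
    for app, info in sorted(discover_shadow_it(SAMPLE_LOG).items()):
        print(f"{app}: users={sorted(info['users'])} bytes_out={info['bytes_out']}")
```

Real deployments would feed this from the proxy, DNS or CASB export and grow the domain lists over time; the upload byte count is what turns a "someone uses Dropbox" finding into a data-loss question.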
2. Learn the needs of users
There should be fluid and effective communication between the IT department and the business unit or users, in order to understand the users' needs and requirements and then identify the best available technologies to meet those needs.
3. Educate your users
Users should receive constant training so that they understand the risks associated with shadow IT in the digital workplace, as well as other threats. Educated users, aware of security risks, will better understand the need to limit its use and/or adopt the company's approved solutions to meet their needs.
4. Assess risks and take actions
It is important to note that not all shadow IT technologies imply the same degree of threat. Organizations should assess technologies on a continuous basis and act first on the activities that imply the greatest risk.
5. Establish policies about shadow IT
Shadow IT discovery is the first step. The IT department should find out which shadow IT applications, hardware, and tools in general are being used by company members, then list them and evaluate the associated risks. Then, the IT department should decide which of the shadow IT resources will be authorized and which will be prohibited.
Once this is done, the CIO should lay out clear policies on how to use those authorized shadow IT resources. If the authorized shadow IT supports the security, availability, and compliance policies of the company, it can become part of the solution.
That is why it is important to first figure out what will be accepted and what not, and then clearly state a policy around those resources. SaaS Management in this sense is crucial as it implies proactively monitoring and managing the purchasing, licensing, renewals, and off-boarding of all the software-as-a-service (SaaS) applications within the company.
Frequently Asked Questions
What is shadow IT?
It refers to all sorts of hardware and software used without the involvement of the IT department. This includes any personal device such as computers, laptops, tablets, smartphones or even servers. It also refers to cloud services, including software as a service (SaaS), infrastructure as a service (IaaS), and platform as a service (PaaS).
What is the most common form of shadow IT?
Cloud services, especially SaaS, are the most common form of shadow IT. The range of cloud services and cloud applications on offer has grown, and many employees use them without the knowledge of the IT group.
The most popular ones are cloud-based applications that are accessed with an OAuth token, such as Google Drive, Docs or other elements within Google Workspace, or within Microsoft Office 365, such as Microsoft Teams.