Although it is a long-standing issue, shadow IT remains one of the most overlooked cyber threats.
The rise in remote working means that it is likely to remain a significant challenge for the long term. In this blog post, we explain what shadow IT is, the risks associated with it and the steps organisations should take to mitigate them.
What is shadow IT?
Gartner describes shadow IT as “IT devices, software and services outside the ownership or control of IT organizations”. The term covers the use of devices, tools, systems, apps, software and other tech without the approval and management of the IT department, not only by employees but also by individual teams or departments.
Shadow IT examples
Examples of shadow IT include carrying out work, or storing or sharing company data, through the use of:
- A personal drive
- A personal email address or messenger
- Unauthorised software
- An undeclared server
- Unauthorised file sharing
The ongoing challenge of shadow IT
The continuing democratisation of technology has contributed significantly to the rise of shadow IT, whether that is through the use of personal devices for checking email, the use of home computers for work purposes or the proliferation of easily downloadable software and apps.
The shadow IT issue is so pervasive that Andrew Beckett, EMEA Cyber Risk practice leader for Kroll, identified it as a major issue in a recent video.
Studies by Gartner have found that between 30% and 40% of IT spending in large enterprises goes on shadow IT, while Everest Group puts this figure closer to 50%.
New research has highlighted the impact of the global pandemic on remote workers’ security practices and views. More than half of those who responded to the survey stated that they access customers’ data using personal devices, while more than four out of ten think that security practices are an obstacle to their productivity. In addition, 27% said they deliberately ignore or work around company cybersecurity policies, while 36% put off applying device updates.
Other research shows that, on average, just 45% of company apps are currently being used on a regular basis. It also shows that 56% of all apps are owned and managed outside of IT.
The State of Incident Response 2021 revealed that the reduction in endpoint visibility created by employees working from home is a pressing concern for 54% of security leaders.
There is little doubt that, despite increasing awareness of these issues, shadow IT continues to pose a serious challenge to many organisations.
The risks of shadow IT
The popularity of shadow IT is partly due to its perceived benefits. These include the ability to take initiative in setting up and using technology and the freedom to adopt systems and software more quickly in order to reduce workload. However, these apparent benefits come at a significant cost, with potential issues including:
Increased risk of data breaches
Employees using shadow IT often store data in locations unknown to the organisation, which can lead to compliance violations and data breaches. IT teams are also unable to apply updates to software they do not know about, leaving unpatched or out-of-date software and the critical data it handles exposed. Some patches (such as the one for CVE-2020-1472) may even increase the risk of breaches for organisations that lack the visibility to plan for them appropriately.
Lack of control
The adoption of shadow IT also reduces control over the software being deployed on a network. The company IT team is then unable to manage access to the data those applications handle, leaving sensitive information unprotected and vulnerable to compromise by former employees, malicious insiders or external attackers.
Compliance issues
Because risk assessments and preventative measures are not usually undertaken for shadow IT applications, users can fail to meet compliance guidelines, creating the risk of fines.
Increased IT costs
The inability to view or control systems means that enterprises are seeing their IT costs increase significantly. This adds further financial pressure at a time when budgets are already stretched for most IT teams. Duplicated, inefficient or redundant functionality is yet another drain on resources.
Greater vulnerability to litigation
Pre-pandemic, it was usually relatively easy to search company email systems and files for material that legal counsel would need in response to litigation. The use of shadow IT by teams who often have never previously worked remotely has led to organisations having less ability to preserve evidence ahead of litigation.
What businesses can do to mitigate shadow IT risks
Organisations are under pressure to balance security with the need to stay versatile and manage costs. But how do they reduce the risks?
Improve visibility
A key first step is for the IT team to identify all the systems currently in use across the organisation. For SaaS, this involves software surveys and finance and budget audits, while for cloud infrastructure and services, some solutions provide automated asset discovery methods.
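One practical discovery method is to compare outbound web-proxy traffic against the list of services IT actually sanctions. The following is an added example and not Redscan's tooling: it assumes a simple "timestamp user host" proxy log format, and the log lines, the sanctioned-service allowlist and the SaaS catalogue are all constructed for illustration.

```python
from collections import defaultdict

# Constructed allowlist: SaaS domains the IT team owns or has approved.
SANCTIONED = {"sharepoint.com"}
# Constructed catalogue of known SaaS domains; a catalogued domain that is
# not sanctioned is a shadow IT candidate.
SAAS_CATALOGUE = {
    "dropbox.com": "Dropbox",
    "drive.google.com": "Google Drive",
    "wetransfer.com": "WeTransfer",
    "sharepoint.com": "SharePoint",
}
# Constructed proxy log lines: "<timestamp> <user> <destination host>".
SAMPLE_LOG = """\
2021-06-01T09:02:11Z alice sharepoint.com
2021-06-01T09:05:43Z alice dropbox.com
2021-06-01T09:07:02Z bob drive.google.com
2021-06-01T09:09:15Z bob www.dropbox.com
2021-06-01T09:11:58Z carol www.bbc.co.uk
2021-06-01T09:12:30Z carol wetransfer.com
malformed line
"""

def match_saas(host):
    """Return (domain, product) when host is a catalogued domain or a subdomain of it."""
    for domain, product in SAAS_CATALOGUE.items():
        if host == domain or host.endswith("." + domain):
            return domain, product
    return None

def find_shadow_it(log_text):
    """Map each unsanctioned SaaS product to the sorted list of users seen using it."""
    usage = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than abort on real logs
        _timestamp, user, host = parts
        hit = match_saas(host.lower())
        if hit is None or hit[0] in SANCTIONED:
            continue  # unknown site or approved service: not shadow IT
        usage[hit[1]].add(user)
    return {product: sorted(users) for product, users in usage.items()}

def rank_by_adoption(log_text):
    """Unsanctioned products ordered by how many distinct users touched them."""
    found = find_shadow_it(log_text)
    return sorted(((p, len(u)) for p, u in found.items()), key=lambda x: (-x[1], x[0]))
```

Calling rank_by_adoption(SAMPLE_LOG) gives the IT team a prioritised list of unapproved services to review with the teams using them, which is the insight the next step acts on.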
Communicate with employees
Encourage openness about the apps that employees are using. Act on this insight and lower the risks by segmenting user access or ringfencing sensitive data.
Adopt software-defined governance
Put shadow IT policies in place and share best practices throughout the organisation. Look at adopting software-defined policies shaped around each user's role, the environment, the team and the purpose of the application. It may also be worth leaving the development of certain policies to individual departments or teams, who may better understand the regulations that apply to the technology they use.
How Redscan can help
There is no one single answer to resolving the risks created by shadow IT, especially in light of the continued shift to remote working. Organisations need to take a strategic and multi-layered approach in order to avoid the many potential pitfalls. This can be supported by working with a cyber security partner.
A remote working security assessment from Redscan will help you to better understand the security of networks, systems, tools and applications used to support your remote workforce and ensure these are appropriately hardened.
Our CREST-certified experts are highly experienced at identifying and helping to address a wide range of security vulnerabilities and can help to ensure that data and assets are protected to the latest information security and compliance standards.