What is Shadow IT?


Shadow IT is the use of IT software or hardware by a department or an individual outside of – or even without the knowledge of – the IT department.

A decade ago, Shadow IT was quite limited in scope. Employees would use unapproved macros in finance spreadsheets, or might bring their own insecure devices to work. Today, it is a huge problem. Employees are embracing cloud storage – in particular – at a faster rate than enterprises can move cybersecurity operations to the cloud. And while Shadow IT can make employees and companies more efficient, it can also make them a lot less secure.

In this context, it is no surprise that the management of Shadow IT is given its own dedicated stream at many cybersecurity conferences. Many cybersecurity analysts expect it to become the number one source of cyber risk in the coming decade.

In this article, we'll look at why Shadow IT is more prevalent than ever before, the security risks it poses, and how to successfully manage it.

The Rise of Shadow IT

There is one major reason why employees use systems, devices, and services that are not approved by their IT department: to make their work more efficient.

Cybersecurity compliance processes are slow by their very nature; this means that employees often find ‘better’, ‘faster’, or ‘more usable’ systems before their IT Department has had a chance to vet them for security risks. 

A good example of this is file-sharing applications. Employees often discover a better file-sharing application than the one officially permitted. Once they begin using it, they can open themselves up to cyberattacks, or worse, spread malware to other members of their department.

Two further factors in the rise of Shadow IT have been the parallel rise in the popularity of Software as a Service (SaaS) providers, which allow employees to easily install new software, and Bring Your Own Device (BYOD) policies. These have arguably been the biggest drivers of Shadow IT over the past decade, but few companies stop to think about the security risks such policies can introduce.

The Problem With Shadow IT

The problem with Shadow IT should be clear: if the IT Department is unaware that an employee is using an unapproved device, system, or service, then they are unable to protect them against it. 

Shadow IT makes cyber threat intelligence essentially impossible, because it requires cybersecurity teams to fight a huge variety of threats on the off-chance that someone in their organization is using a particular piece of software.

Because of this, industry analyst firm Gartner has predicted that by 2020, one-third of successful attacks experienced by enterprises will be on their Shadow IT resources. That’s partly because understaffed IT departments don’t have the resources to fight the vastly expanded attack surface that Shadow IT causes. It’s also because even well-trained staff are not able to spot exotic threats such as encrypted malware and cloud-based IP redirects.

Finally, a more unusual problem that Shadow IT presents is the risk of false flag attacks. If a company has many employees, all using their own favorite software, it becomes much easier for hackers to compromise individual systems, and use them to attack corporate networks under the names of individual employees. 

All of these factors indicate that careful management of Shadow IT is necessary. But how can that be done?

Managing Shadow IT

There should be three elements in any Shadow IT management program. 

The first is that all organizations should have a clear policy on which devices, systems, and software employees can use. This should be as clear as possible, but also contain an explanation as to why the policy is in place. This makes it much easier to explain to employees the necessity of checking with the IT Department before they start using unapproved systems. 

Unfortunately, this is not currently the case across many organizations: the same RSA study mentioned above also reports that 63% of employees send work documents to their personal email to work from home, exposing data to networks that can’t be monitored by IT. 

A second element in managing Shadow IT is to lock down access to systems that employees don’t need to do their job. This is especially true for systems that are used across an entire organization. 

In a typical organization, many teams will be charged with editing a portion of the company website, and this often leads to dozens of people being granted access to your web hosting provider’s backend database. Though roughly 60% of the top web hosts today use legacy MySQL databases – which have a reputation as being ultra-secure – the remainder use newer database management systems like NoSQL and PostgreSQL. Whilst your database admins might feel this makes them more efficient, in reality these newer platforms are often more vulnerable, and can open employees up to malware on their own machines which then infects your entire network.

Finally, the third element is to just get the basics right. You should provide employees with integrated systems that make their jobs easier, such as dedicated communication and payments software. You should also ensure that these systems are secure in themselves. There are many ways that you can lock down your core systems, either by making Windows networks harder to attack, or simply by encrypting internal communications via the use of VPNs. Both of these approaches add another layer of security “on top” of that provided by the work of the IT Department, and can contain the risks of shadow IT.
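All three elements assume the IT department can see what is actually in use. The following is an added example, not from the original article, of a first discovery pass: it aggregates web proxy log lines per user and destination, drops hosts on the vetted allowlist, and categorises the rest. All hostnames, user names, category labels and log lines are constructed for illustration, and the log format is a hypothetical one.

```python
# Added example (not from the article): a discovery pass over web proxy logs that
# surfaces unapproved cloud/file-sharing use. All hosts, users and log lines are constructed.
import re
from collections import defaultdict

# Constructed allowlist: services the IT department has vetted.
APPROVED = {"drive.example-corp.com", "mail.example-corp.com"}

# Constructed category list; a real deployment would pull this from a CASB or proxy feed.
CATEGORIES = {
    "filesharing-a.example": "file sharing",
    "cloudbox.example": "cloud storage",
    "webmail-personal.example": "personal email",
}

# Constructed proxy log: timestamp, user, destination host, bytes sent upstream.
SAMPLE_LOG = """\
2020-03-02T09:14:01 alice drive.example-corp.com 1024
2020-03-02T09:15:22 bob filesharing-a.example 5242880
2020-03-02T09:16:05 alice cloudbox.example 2097152
2020-03-02T10:01:44 bob filesharing-a.example 1048576
2020-03-02T10:05:10 carol webmail-personal.example 734003
this line is malformed and must be skipped
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")

def parse_line(line):
    """Return (timestamp, user, host, bytes_out), or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, host, sent = m.groups()
    return ts, user, host.lower(), int(sent)

def find_shadow_it(log_text, approved=APPROVED, categories=CATEGORIES):
    """Map (user, host) -> (category, bytes_out, hits) for every unapproved host."""
    totals = defaultdict(lambda: [None, 0, 0])
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # tolerate junk rather than abort the whole run
        _, user, host, sent = rec
        if host in approved:
            continue
        entry = totals[(user, host)]
        entry[0] = categories.get(host, "uncategorised")
        entry[1] += sent
        entry[2] += 1
    return {key: tuple(val) for key, val in totals.items()}
```

Sorting the result by bytes sent upstream gives a quick view of which unapproved services are receiving the most corporate data, which is where the policy conversation with the user should start.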

A Final Word

Don’t come away from this article with the impression that Shadow IT is always bad. It’s not. Employees often know better than IT departments about what kind of system, device, and/or software they need to do their job. For many employees, IT approval is a bottleneck to productivity, especially when they can get their own solution up and running in mere minutes.

For this reason, another critical strand in the management of Shadow IT is to facilitate good communication between employees and IT staff. If an employee wants to use a mainstream, well-secured file-sharing system, for instance, they should feel that they can approach the IT team for permission to do that. 

In short, seeing your IT department as an Orwellian “Big Brother” isn’t always conducive to productivity. Instead, make the distinction between good and bad Shadow IT, and empower your employees to seek help if they need it.

Copyright © 2020 IDG Communications, Inc.