The sinister world of shadow IT

Much like an episode of Stranger Things, IT has a dark side. Whilst IT admins aren’t combatting menacing and deadly creatures from “the upside down”, the sinister world of shadow IT has them drawn into parallel networks where threats may be lurking. 

Welcome to the world of shadow IT.

For network managers, the thought of unknown or even partly unknown IT infrastructures on a network will send a shiver down the spine. Despite this, shadow IT practices are prolific, with Gartner predicting sleuth sales to account for 30 to 40 per cent of IT spend in large organisations. In shadow IT networks, complex infrastructures can develop from everyday practice, without the approval or knowledge of the IT department.

Independent shadow infrastructures often arise from poor management or planning. If a department is not offered adequate solutions for its work, or isn’t educated in the importance of a centralised enterprise network, solutions are created without sufficient consultation with the IT department. Much like the creatures in Stranger Things, shadow IT networks can unleash a plethora of risks for networks and unwitting IT departments, with studies suggesting that by 2020, a third of successful cyberattacks experienced by enterprises will be via such resources. Unfortunately, the risks extend far beyond the basics.

1. Exposed vulnerabilities

With more apps come more gaps. Infrastructure that has been set up without the knowledge of the IT department often lacks the required level of security to thwart cyberattacks. What’s more, shadow IT systems and applications run outside of the IT department’s backup and restore plan. This can mean that mission-critical business functions may be taking place without a backup solution at all. In the event of an incident, such as a cyberattack that leads to data loss, crucial company data may disappear entirely without any chance of recovery.

2. Unsecured data

Even if we ignore the issue of operating without sufficient backup, a shadow IT network may give no overview of potential data access. This means that external service providers, contractors and even former employees may have access to sensitive data. With no permissions overview, there is no way of predicting who can access data and what could be done with it.

3. Inefficient operations

Shadow IT hardware and software is often installed without the requisite testing. Although these systems may directly benefit the individual activities of the installer (this is often a reason for the creation of shadow IT in the first place), the untested system may slow or even stop other business-critical systems on the network. Even in shadow IT networks that run smoothly, double maintenance and administration is required to ensure the system continues to run smoothly in parallel with the official enterprise network.

4. Compliance

To state the obvious, the creation of shadow IT processes outside of established IT department protocol will likely violate a company’s IT compliance rules. More seriously, however, the introduction of shadow IT systems for specialist departments may be a fundamental breach of external regulation such as data protection law. In these instances, breaches of external regulation can lead to large fines from regulators and even company collapse.

Without an Eleven to turn to, network managers must look internally to solve the issue of shadow IT practices. Thankfully, even widespread shadow IT issues can be controlled if the right strategies are put into place by the IT department and senior management. The first step to removing shadow IT systems is being able to locate them. Network visibility is the number one factor leading to the detection and removal of shadow networks. Even well-hidden parallel infrastructure may be detected, for example, via unusual data traffic readings through a router or switch.
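
The following Python example, added here and not part of the original article, shows one way to act on such traffic readings: it compares flow records exported from a router or switch against the IT department's asset inventory and reports internal hosts missing from the inventory, plus hosts sending far more data than the median host. The flow format, addresses, inventory, internal range and threshold factor are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from statistics import median

# Constructed asset inventory of hosts the IT department manages (assumption).
APPROVED = {"10.0.1.10", "10.0.1.11", "10.0.1.12", "10.0.1.13", "10.0.1.14"}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range

# Constructed flow export, one flow per line: "src dst dst_port bytes".
SAMPLE_FLOWS = """\
10.0.1.10 10.0.1.12 445 120000
10.0.1.11 10.0.1.12 445 95000
10.0.1.12 10.0.1.13 443 110000
10.0.1.13 10.0.1.10 443 101000
10.0.1.14 203.0.113.7 443 98000
10.0.1.77 198.51.100.20 443 88000
10.0.1.11 198.51.100.20 443 9800000
truncated line
"""

def parse_flows(text):
    """Yield (src, dst, port, nbytes) per flow, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield (ipaddress.ip_address(parts[0]), ipaddress.ip_address(parts[1]),
                   int(parts[2]), int(parts[3]))
        except ValueError:
            continue

def review(text, approved=APPROVED, factor=10):
    """Return (internal hosts missing from the inventory, hosts whose sent
    volume exceeds factor x the median host), both as sorted lists."""
    sent = defaultdict(int)
    unknown = set()
    for src, dst, _port, nbytes in parse_flows(text):
        for ip in (src, dst):
            if ip in INTERNAL and str(ip) not in approved:
                unknown.add(str(ip))
        if src in INTERNAL:
            sent[str(src)] += nbytes
    if not sent:
        return [], []
    baseline = median(sent.values())
    noisy = sorted(h for h, total in sent.items() if total > factor * baseline)
    return sorted(unknown), noisy

if __name__ == "__main__":
    print(review(SAMPLE_FLOWS))
```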

In the end it is up to management to put into place solutions that prevent the creation of parallel networks in the first place. However, with the right tools and enough visibility, IT departments can be well equipped to combat the threat of shadow IT.


Copyright © 2020 IDG Communications, Inc.
