Understanding Shadow IT to Anticipate the Risks
Shadow IT is the term used to describe all IT projects, software, applications and services that are managed outside of, and without the control of, an organisation’s IT department. Originally, this parallel IT was limited to Excel macros and the purchase of software not approved by the IT department, but shadow IT has grown exponentially in recent years. The consultancy firm CEB estimates that 40% of all IT expenditure in a company is made without the knowledge of the IT department and the security manager. This rapid growth is due in part to the quality and availability of cloud applications and software as a service (SaaS). While shadow IT can help organisations to be more competitive, it is not without its dangers. This article explains what shadow IT actually is and how to limit the risks.
What is Shadow IT?
Shadow IT within companies
Shadow IT refers to the use of IT technologies, solutions, services, projects and infrastructures by employees of a company that have not been approved by internal IT departments.
These technologies therefore usually do not meet the organisation’s compliance, security and reliability requirements, and they may not comply with the service level agreements in place in the company.
The major problem is that these applications and services bypass the management, integration and compliance processes that sanctioned tools go through. IT security managers lack visibility into the extent and nature of the software being used and are therefore less able to detect the threats and vulnerabilities associated with it. The result is an entire parallel IT system developing within the organisation.
The most common examples of shadow IT
These “shadow” IT systems can include a wide variety of technologies such as:
● SaaS, IaaS, PaaS and other cloud services (online hosting and document sharing, etc.);
● equipment such as computers, smartphones, tablets and various devices that are connected to the corporate network;
● “physical” software purchased commercially;
● social networks;
● personal messaging;
● search engines and web browsers not authorised by the company.
The most widespread source of shadow IT remains SaaS offerings, which are widely used by both individuals and companies, and their use has increased further with the rise of teleworking. To save time or communicate more easily, employees can subscribe to and use online storage, information sharing or communication services in just a few clicks without going through the IT department.
The second most common source of shadow IT is physical equipment, and here too the rise of teleworking has made shadow IT more prevalent. Even when remote PCs and laptops are configured and locked down and proxies and VPNs are used, it is still common to find unauthorised free and commercial software installed on users’ devices.
Of course, not all of this shadow software and these services are necessarily problematic, but they remain a potential threat to the information system. A study by the consultancy firm Gartner estimates that one third of all security breaches are related to shadow IT.
The dangers of shadow IT
Unauthorised access to data
One of the major responsibilities of an IT department is to ensure that only authorised users can access IT systems and resources. Many access control technologies and audits are therefore implemented within organisations. However, the use of third-party tools not known to the IT department increases the risk of unauthorised access to production systems, which means potential data loss and theft.
It is therefore necessary for IT and security managers to regularly take stock of who is using what in the company. One approach is to monitor the network with security scanning tools and sniffers (or, more simply, with the logs of the web proxy and DNS resolvers already in place). The easiest way, however, is to ask employees to list all the applications and services they use for their work. This information can be used to update the architecture and organisation of the IT system, and also to offer shadow IT users alternatives that are approved by the IT department.
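The network-monitoring approach described above can be started with data most organisations already collect. The following script is an added example (not code from the original article): it reads a few constructed web-proxy log lines, ignores destinations that match a hypothetical approved-service list, and builds an inventory of the remaining services with the users involved and the volume of data uploaded to each, flagging unusually large uploads for the security team to review. The log format, the approved-suffix list and the upload threshold are all assumptions chosen for the example.

```python
"""Build a shadow-IT inventory from web-proxy logs.

Added example, not from the original article. Reads a few constructed
proxy log lines (timestamp, user, destination host, bytes sent) and
reports destination services that are not on the IT department's
approved list, with the users and upload volume involved.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample of proxy log lines: "<timestamp> <user> <host> <bytes_out>".
SAMPLE_LOG = """\
2024-03-04T09:12:01Z alice drive.google.com 184320
2024-03-04T09:15:44Z bob www.dropbox.com 5242880
2024-03-04T09:20:10Z carol mail.corp.example 2048
2024-03-04T10:02:37Z alice api.dropbox.com 10485760
2024-03-04T10:30:00Z dave transfer.example-upload.net 73400320
2024-03-04T11:11:11Z bob drive.google.com 4096
this line is malformed and must be skipped
"""

# Hypothetical approved-service list: hosts under these suffixes are sanctioned by IT.
APPROVED_SUFFIXES = ("corp.example", "google.com")


@dataclass
class ServiceUsage:
    users: set = field(default_factory=set)
    bytes_out: int = 0
    requests: int = 0


def parse_line(line):
    """Return (user, host, bytes_out), or None for lines that do not fit the format."""
    parts = line.split()
    if len(parts) != 4:
        return None
    _timestamp, user, host, size = parts
    if not size.isdigit():
        return None
    return user, host.lower().rstrip("."), int(size)


def is_approved(host, suffixes=APPROVED_SUFFIXES):
    """Suffix match on DNS labels, so 'notgoogle.com' is not mistaken for an approved host."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def registrable_service(host):
    """Collapse subdomains so api.dropbox.com and www.dropbox.com count as one service."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def shadow_it_inventory(log_text, suffixes=APPROVED_SUFFIXES):
    """Aggregate unapproved destinations per service: users, request count, bytes uploaded."""
    inventory = defaultdict(ServiceUsage)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed line: skip rather than crash the inventory run
        user, host, size = parsed
        if is_approved(host, suffixes):
            continue
        usage = inventory[registrable_service(host)]
        usage.users.add(user)
        usage.requests += 1
        usage.bytes_out += size
    return dict(inventory)


def report(inventory, upload_threshold=50 * 1024 * 1024):
    """One line per unapproved service, largest upload volume first; big uploads are flagged for review."""
    lines = []
    for service, usage in sorted(inventory.items(), key=lambda kv: -kv[1].bytes_out):
        flag = " [LARGE UPLOAD]" if usage.bytes_out >= upload_threshold else ""
        lines.append(f"{service}: {len(usage.users)} user(s), {usage.requests} request(s), "
                     f"{usage.bytes_out} bytes out{flag}")
    return lines


if __name__ == "__main__":
    for row in report(shadow_it_inventory(SAMPLE_LOG)):
        print(row)
```

On the sample data the inventory contains two unapproved services: dropbox.com (used by two users) and example-upload.net, whose single large upload crosses the threshold and is flagged. In practice the approved-suffix list would come from the IT department’s application catalogue, and the output is a starting point for the conversation with users that the article recommends, not a blocking control.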
Compliance problems
Shadow IT can pose many compliance problems with IT standards such as ITIL or COBIT, since these IT management best practices require that an organisation’s IT processes are clearly defined.
But above all, this practice is far from GDPR (RGPD) compliant. It is impossible for an organisation to ensure compliance with the European regulation if it does not know precisely which software and services its teams use and what kind of data passes through them.
Collaboration problems
If an organisation’s employees rely on different applications from one department to another, collaboration becomes a chore. For example, if one team uses Google Drive for file sharing while another uses Dropbox, documents will have to be downloaded, edited and uploaded multiple times, wasting time and potentially exposing information.
According to a McAfee study, the average organisation uses around 57 different file sharing services. This is why a clear inventory of the IT system and employee awareness of the organisation’s approved applications can improve both security and team productivity.
How to manage shadow IT
Once you understand what shadow IT really is and the risks associated with it, the solutions for managing it seem rather obvious. They include putting in place strategies and tools to detect and monitor new applications, but above all they rely on awareness and better communication between the IT department and the company’s employees.
By understanding shadow IT, IT and cybersecurity managers can visualise the needs and expectations of IT users and transform this shadow IT into a set of tools that drive productivity and collaboration.
Have you experienced shadow IT issues in the companies you have worked for? Please feel free to share your experience in the IT forum.
Sources and useful links:
McAfee study on Shadow IT: https://www.mcafee.com/enterprise/en-us/security-awareness/cloud/what-is-shadow-it.html
Gartner’s forecast on Shadow IT: https://www.gartner.com/smarterwithgartner/dont-let-shadow-it-put-your-business-at-risk