With cyber threats on the rise, and the recent implementation of remote work across businesses and organizations, in-house IT teams are struggling to preserve their security posture. Furthermore, an increasing number of employees are using applications, hardware, software, and web services that their IT departments are not aware of. A Forbes Insights survey found that more than 1 in 5 organizations have experienced a security incident due to shadow IT resources.
Amidst the COVID-19 crisis, with entire workforces confined to their homes, the use of personal networks and devices is growing rapidly. This allows employees to install or work with external applications and infrastructure that complements their skills and/ or requirements. While this may improve employee productivity, it exposes employees and their organizations to a wide range of cyber threats.
What is Shadow IT?
Shadow IT refers to the use of diverse Information Technology (IT) systems, devices, software, applications, and services, without the authorization of IT departments. Although shadow IT enhances efficiency, it also subjects users and their organizations to heightened risks of data breaches, noncompliance issues, unforeseen costs, etc.
Microsoft 365, work management apps such as Slack, Asana, Jira, etc., messaging apps like Whatsapp, cloud storage, sharing, and synchronisation apps such as OneDrive and DropBox are the most common examples of shadow IT. Obviously, these applications are not inherently threatening, and are usually installed with the best intentions, but they tend to endanger the overall security of the organization, in the event of misuse or negligence.
What are the different forms of shadow IT and which is the most popular one?
Users employ various forms of shadow IT applications and services. Broadly, they can be classified as:
- Hardware: Personal devices, systems, servers and other assets.
- Ready-to-use software: Adobe Photoshop, MS Office, etc.
- Cloud services: Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), and Infrastructure-as-a-Service (IaaS) services.
While users subscribe to various IT services that are not administered by their IT departments, the most common form of shadow IT are SaaS-based cloud services. SaaS based applications are gaining popularity across workforces, regardless of the industry or sector. This is because, such publicly available applications, often outperform on-premise applications and infrastructure.
Why do employees prefer shadow IT?
A research by the Everest Group found that shadow IT accounted for 50% or more of the IT spending in large organizations. So, dismantling shadow IT means, organizations have to devote more funds to build and maintain approved applications and infrastructure. However, employees prefer external applications even with the availability of in-house applications, simply because they are comparatively sophisticated.
Here are some common reasons for employees opting for shadow IT solutions:
-
Efficiency and agility
This is probably the most common reason behind the increasing use of shadow IT. Users employ external IT resources to produce better results. Also, because it makes work pretty easy. Latest research by Entrust Datacard reported that 77% of the surveyed IT employees believed that organizations could be frontrunners if they were successful in meeting the shadow IT needs of their employees.
-
Inadequate coordination
Poor communication and coordination between various teams and the IT department is not conducive for productivity. Therefore, it could cause employees to choose shadow IT over onsite software and applications.
-
Inconsistency
If customers’ programs cannot be integrated with the organization’s systems/ software, employees may resort to using external services for better results.
-
Readily available tools
Clearance from the IT department could be time-consuming. So, when the necessary software, service, or hardware is readily available, and is compatible on any device, naturally employees would choose to use them.
What are the potential risks associated with shadow IT?
Security
On the subject of employees using shadow IT, security is definitely the principal concern. As IT departments are not aware of certain applications that employees use, it would be impossible for them to provide security updates and patches, or test the newly adopted applications. Unpatched vulnerabilities can cost organizations a fortune, such as in the case of Maersk in 2017, when hackers exploited their computers because it lacked the latest Microsoft security patches. This incident cost Maersk over $200 million in lost revenue.
Data breaches, leaks
Shadow IT applications that support file sharing, storage, and collaboration are prevalent among employees of every organization. As effective as they are, they can cause data breaches and leaks. Since IT departments are not familiar with these additional software deployed on its network, they eventually lose control over the organization’s data. In 2018, Gartner predicted that in 2020, one-third of successful attacks that target organizations will be through their data located in shadow IT resources and shadow IoTs.
Non-compliance and violation of regulations
If and when organizations fail to conduct risk assessments and take preventive measures with regard to unauthorized applications, it could burden them with severe sanctions for non-compliance. These actions also risk violating regulations such as HIPAA, GDPR, etc. On becoming aware of such shadow IT applications that are in use within the organization, they are forced to conduct a separate security audit which results in unforeseen costs.
What can organizations do to avoid these risks?
-
Regular monitoring of networks and vulnerability scanning
Monitor your organization’s network continuously for any shadow IT applications. And scan such applications along with other in-house assets for vulnerabilities that could expose your organization to cyberthreats. Ensure to install the latest updates.
-
SaaS Management
The IT department could set up a system of SaaS Management or simply Software Asset Management, to keep track of all the applications used within the organization.
-
Internal monitoring tools
We would also encourage organizations to leverage digital risk monitoring tools such as CloudSEK’s XVigil. XVigil helps to detect data leaks, pertinent to the organization, caused by shadow IT, early on. Giving you sufficient time to address these issues, before it affects your security posture.
-
Train employees
Security/ IT teams should create awareness among employees. This could also give you an idea of the various shadow IT devices, or applications that your employees use. While security/ IT teams are on it, they may also want to educate employees on the different types of data that they deal with and the responsibilities that come along with it.
-
Address employees’ technology needs
Organizations should address employees’ technology requirements, to eliminate the need for external applications. Employees often cite long approval processes and delays in acquiring sanctioned applications, as reasons for adopting external solutions to meet their immediate needs.
-
Prepare a list of usable applications or devices
Keeping in mind that not all applications or devices pose a threat, organizations could prepare a list of approved applications/ devices and encourage employees to use them.
Such low-hanging vulnerabilities are not very rare. Developers often leave hard-coded backdoor passwords exposed. These are a couple of instances that prove the same:
