Shadow IT includes any unsanctioned apps or hardware used by employees that fall outside of those managed by the IT department (sanctioned apps). Shadow IT is often used as a workaround to functionality or usability gaps created by an organization’s known IT resources.
Large organizations have multiple departments with widely differing information technology (IT) needs. A centralized department manages these IT systems, and understanding and fulfilling each department’s requirements can prove challenging. If a department or employee’s requirements are not met by existing software or devices, they may opt for alternative solutions without the IT team’s knowledge.
Staff turn to a shadow IT alternative when the sanctioned technology offers a poor experience.
Employees usually adopt shadow IT for legitimate reasons, such as improving productivity and efficiency. It nonetheless introduces serious security risks, such as the exposure of sensitive data. This article explains how to mitigate and manage the cybersecurity risks of shadow IT.
Types of Shadow IT
There are three main types of shadow IT:
- Hardware -- Such as servers, desktop computers, laptops, tablets, smartphones, and other personal devices operating outside the managed IT infrastructure. The COVID-19 pandemic saw hardware shadow IT increase with the introduction of bring-your-own-device (BYOD) and work from home (WFH) policies.
- Off-the-shelf (packaged) software -- Such as Microsoft Office. The rising popularity of SaaS apps has seen a decline in off-the-shelf shadow IT.
- Cloud services -- Including software-as-a-service (SaaS), infrastructure-as-a-service (IaaS), and platform-as-a-service (PaaS). SaaS applications, such as Dropbox, Skype, and Google Drive, are currently the most popular type of shadow IT.
Benefits of Shadow IT
Shadow IT offers the following benefits to users:
- Increased productivity: Employees can complete their required tasks more effectively with direct access to relevant software. For example, shadow IT applications such as file sharing and messaging apps can enable faster employee collaboration.
- Better suitability: Host departments are the most equipped to determine which software best suits their specific needs.
- Faster implementation: Getting IT approval for new technology is time-consuming and can create inefficiencies while employees wait for a decision.
Shadow IT Security Risks
While shadow IT undoubtedly improves end user experience and task efficiency, it also creates serious security gaps for an organization. Gartner research predicted that by 2020, shadow IT resources would account for a third of successful attacks on enterprises.
Below are four common security risks that shadow IT introduces:
1. Lack of Visibility
Gaining visibility of the attack surface is achievable through automation: by implementing an attack surface management solution, organizations can monitor and manage all known assets and their vulnerabilities. Shadow IT, by definition, is not a known asset, so it is harder to detect and more likely to remain undiscovered. This lack of visibility means organizations often will not know unsanctioned apps are in use until a serious security incident like a data breach occurs.
2. Third-Party Risk
The increasing popularity of outsourcing essential operations broadens organizations’ attack surfaces by introducing third-party and fourth-party risk. Supply chain attacks are rampant in today’s threat landscape. Cybercriminals realize the advantage of exploiting vendors’ poor network security to reach target organizations’ sensitive data.
Shadow IT adds to third-party risk, which is already complex enough to manage on its own. When that is paired with no visibility into the security practices of the unsanctioned providers involved, such as SaaS service providers, the chances of a data breach are much higher.
3. Compliance Issues
Effective data security is mandated by many laws, such as GDPR, CCPA, PCI DSS, SOX and the SHIELD Act. Security teams can only enforce compliance over the internal and third-party risks they can see. Shadow IT falls outside of the IT department’s visibility and could render an organization non-compliant, resulting in steep fines and possible data leaks and data breaches.
Consider this example of shadow IT use resulting in non-compliance:
- An employee uses an unsanctioned filesharing app to share spreadsheets containing customers’ personally identifiable information (PII) with a coworker.
- The employee has unknowingly set the file access permissions on the app to ‘public’. The spreadsheet is readily available for anyone with Internet access.
- The employer is unaware the data leak has occurred, and the data remains unsecured.
- A cybercriminal discovers the compromised data, downloads the spreadsheet file, and posts it for sale on a dark web marketplace.
- The employee’s organization is now facing harsh regulatory penalties and reputational damage for failing to secure their customers’ data.
4. Data Loss
Shadow IT can create a siloed approach to data access. For example:
- A particular department opts for an unsanctioned data storage app, while the rest of the organization uses a sanctioned data storage app.
- The account ‘owner’ leaves the company, meaning the rest of the team can no longer access the app.
- No backups were available on the organization’s sanctioned data storage app.
- The data is now inaccessible and effectively lost information for the department and organization.
5 Ways to Manage Shadow IT Risks in 2022
Below are five strategies IT and security teams can adopt to manage and mitigate the risks associated with shadow IT usage.
1. Communicate With All Departments
Understanding the needs of all end users at your organization is the first step to ensuring proposed security requirements align with each department’s IT needs. Encourage regular communication with department managers to ensure there is an open dialogue for any new technological requirements as they arise.
2. Educate Employees
Educating employees on the risks shadow IT introduces to your organization is important. Awareness of the risks and processes to follow if a new app/device is needed can help drive better cooperation with information security policies. Regular security training sessions will keep these requirements front of mind.
3. Use Shadow IT Discovery Software
A complete attack surface management solution, such as UpGuard BreachSight, can scope your organization’s entire attack surface, including the use of unauthorized SaaS apps. BreachSight provides instant alerting of recognized risks through continuous attack surface monitoring, allowing security teams to remediate these cyber threats before they escalate to security incidents.
4. Implement an IT Governance Framework
A practical IT governance framework should outline your organization’s policy on shadow IT, including a definition of the acceptable use of unsanctioned apps and devices. Aim for a realistic approach that considers flexible working arrangements and the changing needs of each department to improve adoption rates.
5. Assess Each Risk Individually
The severity of the risk that shadow IT usage creates depends on several factors. Applying the same mitigation treatment to every instance of shadow IT is an inefficient strategy. IT and security teams should instead assess each usage case individually to understand the actual risk posed to the organization. By the same token, this information can also help prioritize the restriction of unsanctioned apps/devices that are high-risk.
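Sections 3 and 5 above describe two parts of the same workflow: discovering unsanctioned SaaS use from traffic the organization can already see, and then triaging each instance on its own merits rather than treating all shadow IT alike. The script below is an added example written for this article; it is not UpGuard's code and does not reflect BreachSight's data model. It parses a few constructed proxy log lines, matches each destination host against a small constructed catalogue of SaaS domains and a constructed list of sanctioned apps, aggregates the unsanctioned apps by user and upload volume, and ranks the findings with an assumed triage rule that treats a file-sharing app receiving uploads (the PII-leak scenario from the compliance section) as the highest priority. The log format, the catalogue, the sanctioned list and the severity rule are all assumptions made for the illustration.

```python
"""Flag unsanctioned SaaS traffic in proxy logs and rank each finding.

Added example for this article. The log format, domain catalogue, sanctioned
list and triage rule below are constructed assumptions, not any product's data.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed: SaaS the IT department has approved (sanctioned apps).
SANCTIONED = {"sharepoint.com", "teams.microsoft.com", "salesforce.com"}

# Constructed: a small catalogue mapping known SaaS domains to a category.
SAAS_CATALOGUE = {
    "dropbox.com": "file sharing",
    "drive.google.com": "file sharing",
    "wetransfer.com": "file sharing",
    "slack.com": "messaging",
    "sharepoint.com": "file sharing",
    "teams.microsoft.com": "messaging",
    "salesforce.com": "crm",
}

# Constructed proxy log lines: "<timestamp> <user> <method> <url> <bytes_sent>".
SAMPLE_LOG = """\
2022-03-01T09:12:04Z alice GET https://teams.microsoft.com/api/chat 512
2022-03-01T09:13:10Z alice POST https://www.dropbox.com/upload 4823910
2022-03-01T09:15:22Z bob GET https://www.dropbox.com/home 1200
2022-03-01T09:20:41Z carol POST https://wetransfer.com/api/v4/transfers 90231123
2022-03-01T09:22:05Z dave GET https://app.slack.com/client 3044
2022-03-01T09:25:59Z erin GET https://news.example.org/article 8812
2022-03-01T09:31:14Z bob POST https://www.dropbox.com/upload 2201345
"""

SEVERITY_RANK = {"high": 0, "medium": 1}


@dataclass
class Finding:
    """One unsanctioned app observed in the logs, with who used it and how."""
    app: str
    category: str
    users: set = field(default_factory=set)
    requests: int = 0
    bytes_uploaded: int = 0

    def severity(self) -> str:
        # Constructed triage rule: an unsanctioned file-sharing app that has
        # received uploads is the closest match to the PII-leak scenario, so it
        # is ranked above other unsanctioned apps.
        if self.category == "file sharing" and self.bytes_uploaded > 0:
            return "high"
        return "medium"


def match_catalogue(host):
    """Return the catalogue domain that host falls under (by suffix), or None."""
    parts = host.lower().split(".")
    for i in range(len(parts) - 1):  # never match a bare TLD
        candidate = ".".join(parts[i:])
        if candidate in SAAS_CATALOGUE:
            return candidate
    return None


def parse_line(line):
    """Parse one constructed log line into (user, method, host, bytes_sent).

    Returns None for malformed lines so a bad record cannot abort the scan.
    """
    fields = line.split()
    if len(fields) != 5:
        return None
    _ts, user, method, url, size = fields
    host = urlsplit(url).hostname
    if host is None or not size.isdigit():
        return None
    return user, method.upper(), host, int(size)


def triage(log_text):
    """Aggregate unsanctioned SaaS use per app and rank by severity, then volume."""
    findings = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        user, method, host, size = parsed
        app = match_catalogue(host)
        if app is None or app in SANCTIONED:
            continue  # unknown domain or sanctioned app: not a shadow IT finding
        f = findings.setdefault(app, Finding(app, SAAS_CATALOGUE[app]))
        f.users.add(user)
        f.requests += 1
        if method in ("POST", "PUT"):  # count outbound data only for uploads
            f.bytes_uploaded += size
    return sorted(findings.values(),
                  key=lambda f: (SEVERITY_RANK[f.severity()], -f.bytes_uploaded))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity():6} {f.app:20} {f.category:13} "
              f"users={sorted(f.users)} requests={f.requests} uploaded={f.bytes_uploaded}")
```

Run as-is, the script reports wetransfer.com and dropbox.com as high-severity file-sharing findings (both received uploads) and slack.com as medium, while teams.microsoft.com is skipped because it is sanctioned and news.example.org because it is not a catalogued SaaS domain. In practice the catalogue and sanctioned list would be maintained by the IT governance process described in section 4, and the per-user breakdown is what lets a team have the conversation in section 1 with the department concerned rather than blocking the app outright.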