Businesses may have a fair understanding of «IT». That’s the sanctioned technology and infrastructure that your organization uses to run its operations — from email and internet access, to computer systems and software. But what about all the other technology used by employees outside the organization’s IT jurisdiction? As you are about to discover, this unofficial or «shadow» IT is actually rampant in organizations. It can be genuinely helpful for your staff at times but also very risky, and that’s why you need to understand it inside out.
This post explores what shadow IT is and the security risks it poses to organizations. We’ll also suggest ways to prevent or mitigate those risks.
What Is Shadow IT?
Shadow IT is the term given to the use of unauthorized and unapproved software, devices, or services within an organization. Employees may often resort to using shadow IT tools in order to get their job done more efficiently or because they are not satisfied with the approved options. This unofficial IT can include anything from personal cell phones and home computers, to software and cloud-based applications.
So you might be wondering why this is a big deal. After all, if it works and the employees are productive, what's the harm? Well, the problem with Shadow IT is that while it can provide benefits for companies, it can also introduce a lot of security risk that must be managed. These unauthorized tools may not be secure and may not be compliant with organizational policies. Additionally, shadow IT can make it difficult for organizations to track corporate data and protect against data loss.
How common is Shadow IT?
Shadow IT is surprisingly very common. Recent shadow IT statistics have found that over 60% of employees across organizations have admitted to introducing their own technology, unapproved of course, at work. And, the majority of those employees said they did so because they didn't feel their company provided adequate alternatives. Cloud services seem to be the most utilized shadow IT, with over 80 percent of companies found to have employees who are using unsanctioned cloud services.
Shadow IT often arises when employees try to work around slow or restrictive IT systems. For example, they may download unapproved applications onto their work devices in order to get their jobs done more efficiently.
Another reason Shadow IT is so common is because it's so easy to access and use. With just a few clicks, anyone can sign up for a service and start using it without having to go through their organization’s IT approval procedures.
Clearly, there's a disconnect between what employees want and what companies are providing.
What are the risks of Shadow IT?
The security risks of Shadow IT are significant and can include:
1. Data Breaches
Shadow IT circumvents traditional IT controls and processes, leading to potential data breaches and security nightmares. First, unauthorized applications may not have the same security measures in place as authorized applications. This means that there may be gaps in security that can be exploited by cyber criminals. Second, shadow IT can create a web of interconnected devices and systems that are difficult to manage and secure. This makes it simpler for cyber criminals to move through an organization's network and access sensitive data. Finally, employees who use shadow IT may be less likely to follow best practices for data security, such as using strong passwords, multi-factor authentication and encrypting data. This increases the chances that sensitive information will be compromised.
2. Compliance Issues
Anytime a business allows employees to use technology that has not been approved by the organization, they are opening themselves up to compliance issues. This is because unauthorized applications may not meet the necessary security requirements or may not be compatible with other systems in use by the company. As a result, data could be lost or leaked, and the organization would be at risk of violating industry regulations.
For example, if your company is subject to specific regulations (like HIPAA or PCI DSS), using unauthorized software and hardware could put you in violation of those regulations.
3. Resource Misuse
Shadow IT can create chaos around managing or supporting devices and software. This can be a drain on resources, as traditional IT may need to support and troubleshoot issues with Shadow IT applications. Your IT department will have no control over these unofficial devices and may not even be aware of them — making support difficult and costly if not impossible.
4. Collaboration Difficulties
Shadow IT can create silos within an organization, since teams may be using different tools and applications. This can make it difficult to share information and collaborate. It’s impossible for everyone to have access to the most up-to-date information, thus compromising the organization’s workflows. This can easily interfere with the overall productivity of the entire team.
How to prevent Shadow IT risks?
In any organization, there will always be a temptation for employees to find their own solutions to problems, rather than go through the official channels. While it’s impossible to eliminate it 100%, organizations can prevent most of the shadow IT security risks by taking these simple steps.
- Education: You should educate employees on the dangers of using unauthorized applications. Make sure employees are aware of the dangers of using unauthorized software and hardware, and provide them with officially sanctioned options that meet your security and compliance requirements.
- Shadow IT policy: Establish clear policies to manage shadow IT and enforce them consistently. These policies should spell out the expected process for procuring and using technology within the company. In addition, the policies should make it clear that unauthorized applications are not permitted.
- Transparency: Create a culture of transparency and openness. Make sure employees know that it's okay to ask for help and that there are no wrong questions. Promote a sense of ownership over company data and make sure employees understand the security risks associated with unauthorized technology use.
- Provide enough tools: Establish which tools most or certain employees need so badly and find a way to provide them or convince them to try alternatives that are already approved by the company.
- Authorized data access: Make sure that only authorized individuals have access to sensitive data. This can be done by implementing authentication measures such as two-factor authentication.
By taking these precautions, your organizations can help to reduce the security risks associated with shadow IT.
What is the importance of Shadow IT in Cyber security?
Shadow IT has risen in prominence across Cybersecurity circles and in fact it may be part of the major components that will shape the future of cyber security. This is particularly fueled by the increasing number of businesses that are moving more and more of their operations to the cloud, creating room for their employees to look for complimentary solutions outside a company’s approved technologies.
That's where Shadow IT comes in, an area that most organizations may treat as light but the same cannot be said of the consequences. It can complicate an organization's incident response efforts, as unauthorized applications may not be included in security monitoring and analysis. For these reasons, it is important for organizations to start treating Shadow IT as an important item that must be part of the comprehensive Cyber security measures within the organization’s security posture.
Of course this is not to imply that Shadow IT is always malicious. In fact, much of it could be accidental or inadvertent. However, it must be treated as an important consideration when implementing Cybersecurity safety nets within organizations.
What are Shadow IT examples?
There are so many examples of Shadow IT, but here are the top 10 to always watch out for;
1. Web Applications
Web applications are one of the most commonly used forms of Shadow IT. A web application is a piece of software that is accessed through a web browser, as opposed to being installed on a computer. This makes them very convenient, as employees can access them from any device that has an internet connection at work or home.
Web applications can be used for a wide variety of tasks, such as:
- Storing and sharing files
- Collaborating on projects
- Managing a business’s finances
- Planning and organizing events
- Recruiting new employees
2. Mobile Applications
Many employees will download and use applications that are not approved by their company, often because they offer features that are not available with the applications that are approved. This can include applications for messaging, file sharing, and productivity.
3. Unlicensed Software
Unlicensed software is a software that is used without permission from the software's developer or copyright holder.
There are a few reasons why employees might choose to use unlicensed software. Sometimes they may not be aware that using unlicensed software is illegal.
4. Personal Devices
Some employees find it convenient to use their own devices such as laptops, USB devices, or phones to take care of some work tasks. While companies can allow personal devices to some extent, it’s easy to cross the line and expose the company's data.
6. Connected Devices
Examples of connected devices include smart TVs, Google Home, and Amazon Echo. It’s common to find employees using these devices to access unapproved applications and data, which can put the company at risk for corporate data breaches and other security threats.
7. Personal Email Accounts
Some employees use personal email accounts for work-related communication, assuming it’s okay. This can pose a security risk, as personal email accounts may not be typically as secure as company email accounts.
8. Social Media
Social media can also fall under shadow IT. In fact, a lot of companies have bans on social media in the office, but employees find ways to access it anyway.
Some of the most common examples of Shadow IT when it comes to social media are using personal social accounts for work purposes (such as using Facebook for marketing purposes), logging into accounts from unauthorized devices, and accessing sites that are blocked by the company.
9. Instant Messaging
Instant messaging is often used as an alternative to email, as it's faster and more informal. Plus, it allows for real-time communication, which can be a huge advantage in the workplace.
There are a few different instant messaging platforms that are popular among employees, such as Slack, WhatsApp, Microsoft Teams, and Zoom. All of these platforms offer different features, but they could also pose security risks if they are not sanctioned for work purposes.
10. Public Wi-Fi
Public Wi-Fi is a convenient way for employees to access the internet when they're away from the office. But it's also a security risk. When employees connect to public Wi-Fi for work, they're exposing their traffic and data to anyone else who is on that network. That means that if there's someone on the network who is looking to steal corporate data, they could easily intercept any sensitive information.
In general, any device or application that is not approved by the company can be considered Shadow IT.
BYOD and Shadow IT
The peaking of the cloud has fueled BYOD, as employees are increasingly using their personal devices to access work files and applications. In fact, BYOD is now emerging as the most prominent form of Shadow IT, so it’s worth your prime attention as an organization. This trend was accelerated by the COVID- 19 Pandemic as more organizations embraced flexibility, allowing more and more employees to use their devices, from wherever. This then set the pace for what we are witnessing: employees getting accustomed to using their own devices for work.
As the BYOD trend seems unstoppable, companies are having to rethink their policies around BYOD and Shadow IT: Which devices do you allow? How do you manage their use within the work environment? These are all questions that IT managers are grappling with, and more.
There seems to be a general consensus that it’s okay for companies to allow BYOD and manage their use within the larger context of Shadow IT. This is supported by a Bitglass survey that shows 85% of the surveyed organizations are permitting BYOD, a surprise departure from the past where the majority of organizations denied personal devices. Those who deny are now in the minority.
It would appear that BYOD as a form of Shadow IT has caught businesses unprepared. Many, including those permitting them, are struggling to keep up with the influx of personal devices. You can arrest this right away by turning to Cybersecurity solutions to help you secure the networks and implement BYOD policies that allow employees to use their personal devices for work, but require them to comply with certain security measures.
More and more businesses are moving to the cloud, and with this comes a corresponding increase in the phenomenon of shadow IT. Employees turn to this alternative in pursuit of greater flexibility and productivity. But on the other hand it can also introduce a number of risks, including data breaches and compliance issues.
As this is a growing problem for organizations, it is important for employers to create a shadow IT policy forbidding the use of unauthorized technology and making sure all employees are aware of it. You can also install software that monitors and restricts the use of unauthorized applications.
Whichever position you opt to take regarding Shadow IT, just remember that it’s one of the items you should urgently include in your overall Cybersecurity strategy.