IT and Cybersecurity News

What is Shadow IT? Examples, Risks, and Solutions

Written by Stephen Foley | November 09, 2023

From the desk of Stephen Foley, Security Manager...

In today's digital landscape, cloud services have become an integral part of our daily routines. Whether it's downloading productivity apps or utilizing cloud storage solutions, these practices are second nature to us. However, in the realm of remote work, the convenience of downloading software tools often comes at a price – a potentially significant cybersecurity risk for your organization. This lurking threat, known as "Shadow IT," poses an escalating challenge in the age of cloud computing. Let's explore this pressing issue and investigate the cybersecurity concerns it poses.

Understanding Shadow IT

The practice of employees deploying tools and services without the knowledge or approval of IT management is what we refer to as Shadow IT. Gartner, a leading research and advisory company, defines Shadow IT as "devices, software, and services outside the ownership or control of IT organizations." At their recent Security & Risk Management Summit, Gartner predicted that by 2027, 75% of employees will acquire, modify, or create technology outside IT’s visibility – up from 41% in 2022. In essence, employees may unwittingly compromise security by using unauthorized technologies, particularly when these tools lack proper security measures or updates. When a security breach occurs, it can be a daunting task to identify the source and contain it, leaving IT or Security departments in the dark and unable to enforce cybersecurity controls or group policies, thereby putting the business at risk.

Examples of Shadow IT include:

    • Personal email accounts being used for business purposes.
    • Unsanctioned Bring-Your-Own-Devices (BYOD) like tablets or smartphones.
    • Third-party Software-as-a-Service (SaaS) applications outside IT's control.

In most cases, employees use Shadow IT with good intentions. They may not be aware of the security review process required for application approval and device selection. Without proper vetting of these new technologies, Shadow IT can inadvertently create cybersecurity risks for the organization. One survey by Forbes Insight reveals that more than one in five organizations have experienced a cyber event due to unsanctioned IT resources. These types of statistics highlight the crucial need for IT organizations to establish proactive processes for effectively managing their IT infrastructure.

The Cybersecurity Risks of Shadow IT

All organizations, especially those in regulated industries like healthcare, legal, or finance, must safeguard certain types of information. However, this information cannot be secured if employees store it outside of the company's controlled environments. The IT department won't know if customer data is at risk without visibility and control over its location, potentially exposing the organization to compliance issues.

Another concern is data loss. When an employee leaves an organization after using Shadow IT for work activities, the applications and credentials they use may be unknown to the IT department. This means you might never gain access to their work or discover where critical data is stored. Such data may not adhere to standardized company policies, including backup, archiving, or encryption.

Mitigating Shadow IT

Mitigating the risks of Shadow IT is not a one-size-fits-all solution; it varies depending on your industry. However, the initial steps to control Shadow IT remain consistent across the board.

1. Create Information Classifications

Clearly define what data is public, private, or confidential through a process known as Data Loss Prevention (DLP). These classifications will help establish acceptable usage guidelines. For example, your company may decide that confidential information can only be stored in specific, management-sanctioned applications, while private data like meeting notes can be stored in employees' preferred cloud services.

2. Document Hardware and Software Inventory

Maintain accurate inventories of your assets, including all hardware and software that is in use. Having a clear vision of what requires protection enables IT departments to build a secure framework for controlling devices, applications, and systems, making it easier to assess and manage vulnerabilities.

3. Discover Existing Shadow IT

To understand how confidential information is managed throughout the company, invest in network monitoring tools or Mobile Application Management (MAM). These tools can uncover which applications are running and who is using them. While Shadow IT often creates cybersecurity threats, they are likely creating value for the user. If the program is found to align with company policy, you can often find professional versions with centralized management. Now, these rogue programs can become official, leveraging their insight and/or productivity benefits while reducing the risks.

4. Educate Employees

Written policies and end-user education are critical. With technology constantly evolving, employees need to be aware of clearly defined policies and guidelines for handling company data. Creating a culture of security awareness and adopting an acceptable use policy can significantly reduce the impact of Shadow IT and free up IT resources for more productive tasks. Additionally, involving employees in the security conversation fosters trust and collaboration within your organization, making it not just a cybersecurity best practice but also a means to strengthen your corporate culture.

In conclusion, Shadow IT poses a significant cybersecurity risk to your organization, but it's a challenge that can be met head-on. By taking proactive steps to identify, control, and educate your workforce, you can mitigate these risks and ensure the security and integrity of your valuable data.

To gain more insight into effectively addressing cybersecurity risks, click on the link below to access valuable recommendations from our Director of Advisory Services, Erik Thomas.

If you'd like more information on reducing cybersecurity risks within your organization, feel free to connect with us at info@systemsengineering.com or call 888.624.6737. For our valued clients, please reach out to your Account Manager.

Stephen Foley, Stephen Foley is the Security Manager at Systems Engineering. As a Certified Information Security Professional (CISSP), Stephen leads and mentors his team of experienced, highly-trained engineers who support and improve our clients' end-user productivity, enhance security, and enable efficiency.