Employees are always looking for ways to work more efficiently and effectively. This may include anything from installing an application to check for grammar and spelling in documents, to using their mobile phone to quickly answer emails, to using a cloud file storage solution to easily send large files to colleagues and third parties. Although these digital technologies may improve productivity, or make it easier for employees to work remotely, if a business’s IT team does not have visibility of these tools, it can pose a significant security risk. This concept is called Shadow IT and in this article, we discuss how this poses a security risk, and what businesses can do to combat Shadow IT.
Shadow IT refers to any devices, software and services used by employees of a business, without the ownership or control of their IT provider or IT departments.
In terms of devices, this may include using a personal mobile phone on a business’s network, or using an external hard drive to transport files between work and home. Some productivity application examples include Slack, Trello and Asana. For cloud storage, this may be using WeTransfer to send files, or storing company files on Google Drive or Dropbox. Other examples may include communication applications, such as Skype or other VoIP solutions. a
Although Shadow IT may increase productivity for employees, it can also be the cause of a cyberattack, as it expands the available attack surface, without the knowledge of the IT provider or team. Some potential issues include:
The main issue with Shadow IT is that, if an IT team is not aware of the technology, they cannot take the necessary steps to secure it. If an IT team is aware of the software employees are using, and there is a known security vulnerability, they are able to run the necessary patches to stay secure. If the IT team does not know, and the employee does not run necessary patches and security updates, they open the business up to falling victim to a cyberattack.
If employees are using devices that an IT team does not have visibility or control over, this also poses a security risk. When IT teams set up work devices, they do so in a manner that reduces the chance of the device being compromised.
Different industries have different regulations that business must comply with. However, regardless of the industry, Shadow IT increases the chance of businesses not meeting the necessary requirements. This is particularly pertinent to GDPR, as a business is required to delete a subject’s data if they request to do so. If an employee also has this data stored on a system that the IT team is not aware of and it is not deleted, this is a breach of GDPR.
If employees are using cloud storage or cloud file transfer services, this increases the chance that the data will end up out of a business’s control. If these files are moved onto an employee’s personal cloud storage solution, and this account is compromised, it means there has been a data breach, which the IT team may not even be aware of.
Shadow IT, by its very nature is difficult to detect and avoid, but there are steps a business can take to increase visibility, and reduce the risks associated with Shadow IT.
One method to combat Shadow IT is to continuously monitor your IT environment. By monitoring devices and network traffic, it can help identify where all company data resides. This also helps with knowing when a new device enters a network.
Often employees do not know they are not allowed to use non-approved software and services, so it is important to educate employees about the risks of Shadow IT. Businesses should also create a process whereby employees can easily apply to use software, devices and services, so they can still have the benefits of digital technologies, whilst allowing IT teams to take the necessary steps to keep the business secure.
Businesses should also have a defined BYOD policy and program. This ensures that employees know what devices they are allowed to use for business purposes and what devices can connect to the business’s network.
Finally, businesses should consider creating a formal digital transformation strategy. Although this will not stop all Shadow IT, it will ensure that employees have the best digital technologies to work effectively and productively. Digital transformation can also enable businesses to gain a significant competitive advantage.
If you believe that your business may be at risk due to Shadow IT, or if you are ready to take the next steps to improve your businesses security posture, contact us today.