What is shadow IT, what are the risks, and what to do about it in 2021.
80% of modern workers admit to implementing some form of shadow IT, a figure that has drastically increased as organisations have adjusted to remote working, away from the oversight of IT departments. In fact, 67% of teams admit to implementing collaboration tools without IT approval, in large part as DIY solutions to the challenges imposed by remote working.
This unmanaged technology expands the attack surface outside the view of the security team, and analysts have predicted that shadow IT will soon be a factor in as many as one in three security breaches, a forecast made more credible by the 83% of IT professionals who report sensitive data being stored in unsanctioned cloud applications. The problem will grow as employees return to the workplace and bring their shadow IT with them. For organisations that still rely on traditional perimeter-based security, bringing unvetted applications and devices inside the firewall extends the network's trust to software nobody has assessed, which is a breach waiting to happen.
Before major in-house breaches can occur, organisations need to bring shadow IT out into the open by taking the time to understand what shadow IT is, the risks it poses, and what steps should be taken to mitigate these risks. Here, we’re going to look at these questions and try to provide some much-needed clarity around shadow IT. Let’s get started.
Suggested reading: For an in-depth guide on how to future-proof your cyber security strategy, check out — Planning For the Future of Cyber Security Today.
What is shadow IT?
Shadow IT refers to any technology used within your organisation without the approval or oversight of existing IT departments. This might include cloud services, hardware or software that is employed by entire teams or individuals.
Cloud services, and SaaS in particular, have become the most common form of shadow IT because they can be signed up for from a browser in minutes and shared across devices with no involvement from IT. One widely cited estimate is that IT departments know about only 108 of the 1,083 cloud services typically in use across an organisation. Other increasingly common forms of shadow IT include:
- Cloud storage (Dropbox, iCloud, Google Drive)
- Communications apps (Skype, Zoom, Google Hangouts)
- Productivity apps (Slack, Trello, Chanty)
- Physical devices (flash drives, external devices)
- And more
Why is shadow IT so common?
Shadow IT has existed for years but has grown rapidly with BYOD (bring your own device) and cloud infrastructure. The overnight switch to remote working in 2020 accelerated it further: in one recent survey, 51% of respondents said remote working had made their IT estate harder to control, and 26% had noticed unsanctioned software being downloaded as a direct result of the move away from office-based working.
There are many reasons for this, most of them well-intentioned but no less damaging for it. The most common reasons for employing shadow IT include:
- Increasing productivity: 35% of respondents to a 2012 RSA study reported needing to work around company security policies to get their jobs done, so the pattern long predates the pandemic. During lockdown, employees turned to unsanctioned cloud file-sharing in particular, to move files between home workers when in-house tools designed for the office stopped being practical.
- Driving innovation: too often, IT departments implement solutions without understanding how they integrate on the ground. By championing their own IT, employees seek to develop informed innovative solutions that speed processes and efficiency, with the ultimate hopes of driving better outcomes.
- Remote working: out of sight of IT, remote workers are more likely to adopt tools that simplify their workloads in ways they would not attempt in the office. The growing use of business devices for personal purposes, and of personal devices for business, pushes data further out of reach and leaves IT with little idea of what is connecting to corporate resources.
Even as employees return to the workplace, ongoing drives for flexible work and BYOD ensure that shadow IT isn’t going anywhere. It’s only by addressing this issue head-on that IT departments can again control the flow of information and the systems that enable it.
Suggested reading: If you want to read more about the cyber security threats posed by remote working, check out our blog — Has Remote Working Created a Massive Cyber Security Threat? And what to do about it
Risks associated with shadow IT
Even though shadow IT is usually adopted with good intentions, risk is unavoidable once data sits in applications and software nobody monitors. The most prevalent shadow IT security risks include:
- Loss of control: shadow IT sits outside the control of the IT department, so it is never patched, configured or monitored by them, cannot be included in disaster recovery plans, and cannot be governed by any policy.
- Data risks: data held in tools outside IT's backup and access-control processes is easy to lose and hard to recover, particularly when an employee leaves and the account, and the data in it, goes with them.
- Inefficiency: beyond the extra maintenance and administration, multiple versions of the same data across unmapped locations undermine reporting and analysis, so IT cannot get an accurate view of performance or weaknesses, and duplicated effort spreads across the organisation.
- Non-compliance: shadow IT can breach an organisation's compliance obligations, and because IT cannot see where data is held or who has access to it, it cannot demonstrate that the data is handled according to policy, leaving both the data and the organisation's legal standing at risk.
- Cost: justifying or even quantifying the cost of shadow IT systems can be difficult, but once unmapped applications become a key part of any project, those costs can soon escalate without the benefit of provable value or budgets dedicated to this purpose.
How to respond to threats from the shadows
Responding to these threats starts with understanding where shadow IT is and why it is there. A cyber security risk assessment is the first step: it shines a light on shadow IT so that threats can be prioritised, security investment targeted, and a strategy developed that minimises the associated risk.
Most crucially, that visibility gives IT departments what they need to build what is known as 'defence in depth', a cyber security strategy that layers independent defensive mechanisms so that data remains protected even when one layer misses a hidden risk. An effective layered response to shadow IT typically covers:
- MDR (managed detection and response): an external provider monitors endpoint and network telemetry around the clock and responds to threats before they become breaches, combining general threat response with bespoke, industry-specific capabilities. Real-time detection and response make it much harder for an unauthorised application to go unnoticed once it starts generating traffic, and reduce the exposure created by new devices or applications. The caveat is that MDR can only see what sends it telemetry: an unmanaged personal device talking directly to a cloud service leaves no trace unless an agent, proxy or cloud access security broker sits in the path, so MDR coverage should be paired with the discovery work from the risk assessment.
- Cyber intelligence reports: by focusing on the threats facing vulnerable resources (in this case shadow IT), cyber intelligence reports help organisations prepare for, prevent and identify threats from outside sources, including threats to applications that were never authorised in the first place. They also build understanding of cyber risk across the organisation; highlighting the risks of BYOD, for example, increases staff buy-in to security practices.
- Equipment checks: as employees return to the office and bring their devices, and their shadow IT, with them, equipment checks are crucial for protecting corporate networks. Running unknown applications in a sandbox environment, where potentially unsafe code can be examined in isolation before it is allowed anywhere near internal infrastructure, is especially valuable: it lets IT assess what is installed on personal devices without intrusive inspection of the employee's own data or a large increase in workload.
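The risk assessment described above has to start from evidence of what is actually in use, and the simplest evidence most organisations already hold is their web proxy or DNS logs. The following Python script is an added example, not code from the original post or from Six Degrees. It parses a constructed proxy log format (timestamp, user, method, host, bytes sent), discards requests to a sanctioned allowlist, maps the rest against a small catalogue of known SaaS domains, and ranks the unsanctioned services by upload volume and number of distinct users so the most exposed ones are assessed first. The allowlist, SaaS catalogue, log format and log lines are all constructed for illustration. Run continuously over fresh logs rather than once, the same logic is the kind of detection rule the MDR bullet relies on.

```python
"""Shadow IT discovery over web-proxy logs (added example, not from the post).

Assumes a constructed log format of one request per line:
    <timestamp> <user> <method> <host> <bytes_sent>
Adapt parse_line() to the fields your own proxy or DNS resolver records.
"""
from collections import Counter
from dataclasses import dataclass, field

# Constructed allowlist of IT-approved services. In practice this comes from the
# SSO catalogue, procurement records or a CASB, not a hard-coded set.
SANCTIONED_DOMAINS = {"teams.microsoft.com", "outlook.office.com"}

# Constructed catalogue of well-known SaaS domains and their categories. Any
# request to one of these that is not sanctioned is a shadow IT candidate.
KNOWN_SAAS = {
    "dropbox.com": "cloud storage",
    "drive.google.com": "cloud storage",
    "trello.com": "productivity",
    "zoom.us": "communications",
}

# Constructed sample log: sanctioned, unsanctioned, unknown and malformed lines.
LOG_SAMPLE = """\
2021-05-10T09:12:01Z alice POST www.dropbox.com 52428800
2021-05-10T09:13:44Z alice GET teams.microsoft.com 1200
2021-05-10T09:15:07Z bob POST drive.google.com 10485760
2021-05-10T09:16:30Z carol GET trello.com 3400
2021-05-10T09:18:02Z dave POST outlook.office.com 88000
2021-05-10T09:20:55Z bob POST www.dropbox.com 31457280
2021-05-10T09:22:10Z erin GET api.trello.com 900
this line is malformed and must be skipped
2021-05-10T09:25:00Z carol POST cdn.example.net 500
"""


@dataclass
class Finding:
    service: str                          # matching catalogue domain
    category: str
    users: set = field(default_factory=set)
    requests: int = 0
    bytes_out: int = 0                    # bytes sent to the service: data leaving


@dataclass
class DiscoveryResult:
    findings: dict = field(default_factory=dict)            # service -> Finding
    unclassified: Counter = field(default_factory=Counter)  # unknown host -> hits
    skipped: int = 0                                         # malformed lines


def _matches(host: str, domain: str) -> bool:
    """Exact or subdomain match, so api.trello.com matches trello.com."""
    return host == domain or host.endswith("." + domain)


def is_sanctioned(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(_matches(host, d) for d in SANCTIONED_DOMAINS)


def classify_host(host: str):
    """Return (service, category) for a catalogued SaaS host, else None."""
    host = host.lower().rstrip(".")
    for domain, category in KNOWN_SAAS.items():
        if _matches(host, domain):
            return domain, category
    return None


def parse_line(line: str):
    """Parse one log line into (ts, user, method, host, bytes_sent) or None."""
    parts = line.split()
    if len(parts) != 5 or not parts[4].isdigit():
        return None
    ts, user, method, host, bytes_sent = parts
    return ts, user, method, host, int(bytes_sent)


def discover(lines) -> DiscoveryResult:
    """Aggregate unsanctioned SaaS use per service; unknown hosts go to review."""
    result = DiscoveryResult()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            result.skipped += 1
            continue
        _ts, user, _method, host, bytes_sent = rec
        if is_sanctioned(host):
            continue
        hit = classify_host(host)
        if hit is None:
            result.unclassified[host.lower()] += 1
            continue
        service, category = hit
        f = result.findings.setdefault(service, Finding(service, category))
        f.users.add(user)
        f.requests += 1
        f.bytes_out += bytes_sent
    return result


def prioritise(result: DiscoveryResult, upload_threshold: int = 10 * 1024 * 1024):
    """Services that received at least upload_threshold bytes come first (bulk
    storage or exfiltration), then more distinct users, then more volume."""
    return sorted(
        result.findings.values(),
        key=lambda f: (f.bytes_out < upload_threshold, -len(f.users), -f.bytes_out),
    )


if __name__ == "__main__":
    res = discover(LOG_SAMPLE.splitlines())
    for f in prioritise(res):
        print(f"{f.service:<18} {f.category:<14} users={len(f.users)} "
              f"requests={f.requests} bytes_out={f.bytes_out}")
    print("unclassified hosts for review:", dict(res.unclassified))
    print("malformed lines skipped:", res.skipped)
```

Two design points matter in practice. Hosts that match neither the allowlist nor the catalogue are kept in a separate review bucket rather than dropped, because no catalogue is complete and the unknowns are where new shadow IT shows up first. And the ranking puts upload volume ahead of popularity: one user pushing tens of megabytes to an unsanctioned storage service is a bigger exposure than five users reading a project board.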
Managed security providers can help to implement these layers of security, ensuring prevention rather than cure and keeping shadow IT outside of corporate networks. All the while, the increased understanding that this oversight brings puts IT departments in the best possible position to recognise why employees are using shadow IT, and the steps they can take to fill performance gaps that render it obsolete even as BYOD and flexible working patterns continue.
Suggested reading: Check out our blog — Four Ways Strategic Partners Improves Cyber Security.
Visibility is key to security
IT departments can’t control what they can’t see, so as employees return to the office it’s imperative to bring shadow IT out into the open, ensuring that IT departments can remove legacy applications and hardware while recognising why employees are turning to shadow IT in the first place.
Managed IT service providers are best positioned to make this consolidation possible, providing the oversight and intelligence that’s previously been missing. With a range of flexible, on-demand services designed to help organisations get the most from their resources, our team here at Six Degrees are on hand to shake shadow IT out of its hiding place.
As working patterns continue to evolve, our approach to the cyber security journey can help you every step of the way, from assessment to optimisation. If you’re looking for a cyber security partner to help mitigate shadow IT problems, deliver returns on investment and drive positive outcomes, get in touch today.