Working with a personal device, storing work files on cloud storage solutions that the company has not established, meeting on platforms other than the ones specified: these are all examples of a problem known as shadow IT. The term refers to any hardware, software, application or IT service used on a company network without the IT department’s approval.
According to Cisco, 80% of end users use software that has not been approved by their IT department.
In an era where cloud-based services are universal, obtaining a good overview of shadow IT becomes even harder. As a result, the IT team can’t monitor, explore or address vulnerabilities. From data loss to malware infection or compliance issues, the consequences of shadow IT are serious. In 2022, 7 in 10 organizations were compromised by shadow IT, through unknown, unmanaged, or poorly managed devices. This figure shows how significant the phenomenon is and why it should be addressed properly.
The motivation that leads to shadow IT
The use of unapproved devices, tools and applications happens because it brings some sort of benefit to the employees, who are always trying to find convenient ways to improve their ways of working. Quickness, efficiency and flexibility are keywords when it comes to the origins of shadow IT:
- Quickness: Because the process of obtaining IT approval for tools, services, or applications can be time-consuming, end users often end up using them without the IT department’s approval. The employee lacks time and/or patience and wants immediate access without taking the required steps.
- Efficiency: Some resources might work better for the end user’s purpose than the alternatives offered by the company. If an employee has a good experience with a certain resource, word might spread very quickly and influence other co-workers to use it as well. For example, let’s say that your company uses OneDrive as its main cloud-based storage solution. Even though OneDrive is a good solution for your company, an employee might find Google Drive more intuitive and easier to use, or they might have worked with it at a previous employer. If this employee spreads the word that Google Drive is better, or even just shares their documents through this platform, their team might start using it as well.
- Flexibility: Every work environment comes with its challenges, especially in cases of remote working. Employees can select tools that suit their current setup and connectivity conditions, which is more convenient and lets them access and resume their work tasks anytime and anywhere with fewer limitations. For example, an employee who is constantly travelling might not always have a reliable internet connection. In some cases, they might not have an internet connection at all. If their company offers tools that require an internet connection, the employee might look for alternatives that allow them to work offline.
Uncovering the risks
It is now clear that the use of unapproved resources comes with benefits for the employees. Indirectly, it might also benefit the company, since it might increase the productivity of co-workers. However, there is always another side of the coin: there are risks that should be taken into consideration.
Lack of IT visibility is one of the most important issues. When the IT team isn’t aware of all assets, they can’t support them properly, address possible vulnerabilities and ensure their security. Furthermore, the importance of updates, patching and permissions is often underestimated by the end-users. Because they often lack the knowledge to understand the importance of such crucial aspects, the end-users might neglect them, increasing cybersecurity risks. After all, doing their job is their priority, and worrying about those IT aspects is not.
According to Cisco, companies estimate their usage of public cloud services to be around 91. However, the data reveals that they are actually using, on average, 1,220 cloud services.
Data-related problems are another challenge of shadow IT. With the emergence of cloud storage solutions, employees can use the platform or tool they prefer to save and share their documents, rather than the ones established by the company. This increases vulnerability to data leaks or breaches, which makes compliance with data protection norms more challenging.
43% of IT professionals report challenges in securing users’ activities within SaaS applications.
– Bettercloud, 2023
Additionally, data stored outside of the company’s resources is never backed up during the company’s regular backups, which makes it very hard to recover information in case of data loss.
Data inconsistency can also result when data is not centralized, since employees might be working on the wrong documents (e.g., outdated documents).
What if something goes wrong with the devices, software or applications inside the shadow IT domain? In that case, the most likely outcome is a very long downtime, although that depends on the level of severity. Compared to an IT team that has experience dealing with a range of IT problems, a single employee might take a long time to find a solution.
What now?
Shadow IT will most likely never disappear, especially now in times of remote work. Therefore, companies need to design a plan of approach in order to tackle the challenges.
One of the most important things to do is to educate employees and foster their cybersecurity awareness. IT teams should also monitor their network and regularly inventory all assets present on the company’s network. Remember: knowledge is power.
Moreover, regulatory guidelines should be designed and properly shared with the employees. They should include a whitelist of approved resources that the employees are allowed to use. However, this brings another challenge to the table. Browsers are applications that are whitelisted in every company. After all, who doesn’t use them? The problem is that you can’t keep track of every application service running in the browser, some of which might be considered a threat. So working with a whitelist alone is very difficult.
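The gap described above can be made visible by checking destinations as well as applications. The following is an added example, not code from this article or from AppScan; the log format, the two allowlists and all sample lines are constructed assumptions.

```python
from collections import defaultdict

# Constructed allowlists for illustration (assumptions, not from the article).
APPROVED_APPS = {"chrome.exe", "msedge.exe", "outlook.exe"}
APPROVED_SERVICES = {"sharepoint.com", "office.com", "onedrive.live.com"}

# Constructed proxy log lines: user, client process, destination host, bytes sent.
SAMPLE_LOG = """\
alice chrome.exe contoso-my.sharepoint.com 52000
bob chrome.exe drive.google.com 8400000
bob chrome.exe docs.google.com 120000
carol msedge.exe www.office.com 3000
dave rclone.exe drive.google.com 990000
erin chrome.exe notsharepoint.com 700
"""

def parse(log_text):
    """Yield (user, process, host, bytes_sent) and skip malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[3].isdigit():
            yield parts[0], parts[1].lower(), parts[2].lower().rstrip("."), int(parts[3])

def is_approved_service(host):
    """Match on a label boundary so notsharepoint.com does not pass as sharepoint.com."""
    return any(host == d or host.endswith("." + d) for d in APPROVED_SERVICES)

def app_allowlist_hits(log_text):
    """What an application whitelist alone would flag: unapproved processes."""
    return sorted({(u, p) for u, p, _, _ in parse(log_text) if p not in APPROVED_APPS})

def unapproved_services(log_text):
    """Group traffic to unapproved hosts, including traffic from approved browsers."""
    found = defaultdict(lambda: {"users": set(), "bytes_sent": 0, "via_approved_app": False})
    for user, process, host, sent in parse(log_text):
        if is_approved_service(host):
            continue
        entry = found[host]
        entry["users"].add(user)
        entry["bytes_sent"] += sent
        entry["via_approved_app"] |= process in APPROVED_APPS
    return dict(found)

if __name__ == "__main__":
    print("app whitelist flags:", app_allowlist_hits(SAMPLE_LOG))
    ranked = sorted(unapproved_services(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["bytes_sent"])
    for host, e in ranked:
        print(host, sorted(e["users"]), e["bytes_sent"], e["via_approved_app"])
```

On the sample data the application whitelist flags only one process, while the destination check also surfaces the Google Drive uploads made through an approved browser.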
We got your back!
The analysis of all assets and resources sounds like quite the work, right? With our AppScan, we can do the heavy lifting for you and present you with a complete report with all the information you need to know to improve your application landscape and make it as secure as possible. We will help you with the mapping and tracking of every resource, even those that are running in browsers.
But once you have all the information you require, you need to bring the problem under control. Dilaco brings you the right solutions, the knowledge and the experience to manage shadow IT, tackling the problem and minimizing the consequences.
Let us help you get the shadow IT out of the shadow.
This article was brought to you by:
Willem Magerman
CTO/Cybersecurity Specialist