Most organizations have a centralized IT department with the apps and software approved for certain activities. However, remote workers might choose to find other apps and software that lacks the perceived limitations of the centralized and approved IT resources. Anytime a remote worker uses an application or software that your IT department is unaware of, your organization is exposed to different security threats that cybercriminals can exploit.
By Matt Shealy, President, ChamberofCommerce.com
Shadow IT includes messaging applications and software, portable data storage devices, and online document sharing software among others. While shadow IT could help a remote worker navigate the perceived limitations of the officially accepted software in an organization, it also creates significant cybersecurity vulnerabilities that the organization might fail to detect.
Why Shadow IT is a Concern
Cloud computing is driving the increased use of applications and software to complete various functions in the organization. Employees can easily download the apps or software they need to do their work and use different devices to access these applications and software.
The shift to remote work in the COVID era and the ease of accessing third-party software and applications have contributed to the rise of shadow IT. Remote workers will look for options when they need to complete a task but do not know how to use the approved software or can find an approved alternative that completes the same job efficiently.
Since shadow, IT often goes undetected by IT teams, the threats and vulnerabilities remain unknown. The major threats of shadow IT include:
Shadow IT introduces vulnerabilities to an organization. Since the IT department has not vetted shadow IT, this software and hardware have not undergone similar security procedures as the approved technology.
So when an employee downloads software without the knowledge of the IT team, it opens up a potential route for cybercriminals to access your enterprise’s network and data. Whereas these remote workers could be using harmless software, some of the applications could have permissions that allow sharing of sensitive data. Others have security vulnerabilities that expose your company’s endpoints to risks.
When your employees give shadow IT applications access to key assets, they can easily make the entire network vulnerable to attacks.
Security gaps can also arise when employees fail to update their applications and software when these updates are available. Even with approved software tools, it becomes hard for the IT department to track whether remote workers have updated their software to the latest version. Hackers and cybercriminals can use the vulnerabilities in older versions of the software to access sensitive company data.
Compliance and Regulations
Governments have created regulations and standards that organizations must comply with to protect consumers and other businesses. Enterprises have these standards in mind when creating an approved list of technologies that their employees should use.
Therefore, when an employee chooses to use shadow IT, they are putting the organization at risk of non-compliance, heavy fines, and potential incarceration. It also increases the risk of not detecting or reporting security threats or the extent of a security breach.
A configuration management database enables your IT department to identify how systems work together. But when remote workers are using shadow IT, the software and hardware they use are not included in the database.
The lack of visibility that comes with shadow IT also means that the IT department is unable to deal with problems that might arise when using these applications as they lack the knowledge and documentation to deal with the problem.
When different employees are using different software to complete their work, collaboration becomes problematic. For example, when two teams need to work together and one uses Google Drive while the other uses DropBox, a lot of time will be wasted trying to share or collaborate on the project.
Mitigating the Risks of Shadow IT
As more workers are working remotely, the threat of shadow IT has increased. However, there are steps IT leaders can take to reduce the use of shadow IT and mitigate the threats arising from shadow IT. Some of these steps include:
Monitor Your Network
The first step CIOs should take in mitigating the risks of shadow IT is monitoring your network to find out where you are experiencing problems with shadow IT. You need to monitor unknown devices and applications and determine when they occur.
You can collect log data from the firewalls, SIEMS, MDM, and proxies, to help you identify the services used outside the purview of your IT department. You can also identify the people using shadow IT and the frequency with which they use these resources.
Identify the Unmet Need
Most employees seek out shadow IT applications due to gaps with the approved infrastructure. They want apps that support efficient work and are easy to use. Communicating with your remote teams to identify the applications they use outside your approved infrastructure.
Communicate with your employees and create a policy that allows them to inform the IT department of newer solutions that do the same job efficiently. This way, your IT department can review these apps and software for security and find alternatives or adopt those that are safe for your organization.
Set policies that allow easy communication and collaboration between the IT department and IT users to promote the understanding of the needs, experience, and feedback from end-users.
Set Remote and Work from Home Policies
Most employees do not use shadow IT out of malice. Instead, they are seeking easy-to-use and efficient solutions. You should engage your employees through training and education programs that help them use the approved software and understand the threats of shadow software. When your employees know the security threats and consequences of security breaches due to shadow IT, they are more likely to find appropriate solutions (often with the involvement of the IT department) to solve their technology needs.
Your policies should also include cybersecurity best practices such as:
- The use of strong passwords
- Changing passwords regularly
- Using secure routers for internet access, especially when accessing corporate resources or using work devices. You should include recommendations for router and network security measures that your remote employees should implement.
- Policies that ban the access of work-related data using non-work devices
- Encryption of sensitive data
In addition to training your remote workers, train your network administrators and IT staff of the best practices when managing systems and users when employees are working remotely.
When setting policies around shadow IT, CIOs need to discover and classify the shadow IT resources in the organization. Once you have the list of shadow IT resources you can take the following steps:
- Move shadow IT applications to the authorized list of applications that pose no threats to the organization
- Replace the shadow IT solution with an existing IT function that solves the need that drove your workers to find these shadow options
- Discontinue the use of risky shadow IT solutions
Restrict Access to Third-Party Applications
Your organization can avoid the risk of shadow IT by identifying risky applications and blocking them even before users can access them. This will make it impossible for your employees to download, purchase or use these tools on company devices.
You can take this step further by having authorized devices that can access your enterprise network. This way, employees cannot access corporate files or networks using unauthorized devices.
Be Proactive to Lower Your Risk
IT teams need to act now. IT leaders, CIOs, and CISOs need to lobby for the resources needed to plug these security gaps. CEOs, COOs, and CFOs need to allocate the funds to make security a priority. If you don’t have the right person on staff or need to supplement your work team for additional skillsets, to manage the move to remote work, there are staffing agencies that can help find IT professionals to help you through it on a temporary or full-time basis.
Shadow IT is a growing cybersecurity concern as more organizations work with remote workers. Shadow IT introduces threats to organizations without the IT department knowing about these threats. CIO and IT leaders should be aware of the threats that shadow IT poses and the steps and technologies they can employ to mitigate these risks.
About the Author
Matt Shealy is the President of ChamberofCommerce.com. Chamber specializes in helping small businesses grow their business on the web while facilitating the connectivity between local businesses and more than 7,000 Chambers of Commerce worldwide.
Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.