There was a time when IT departments were the ultimate gatekeepers of technology within organizations. Without their explicit approval and technical expertise, no hardware or software could be adopted by employees.
That time is long gone, and we now live in the era of cloud computing and mobile devices, with employees being able to use any cloud application they feel can make them more productive and efficient with a few simple taps—no need to ask the IT department for help.
Unfortunately, many of these cloud applications—and even the devices employees use to access them—go unnoticed by IT, operating as the so-called shadow IT. In this article, we define the concept of shadow IT in security, explain its implications, and describe what can be done to prevent shadow IT.
An Introduction to Shadow IT
What is Shadow IT? It is a term that describes any technology used by individual employees and entire departments that has been utilized without the explicit approval of the organization. The term arose during the boom of cloud-based products and services, which have made it possible for employees to easily gain access to them from the web or mobile devices.
It’s estimated that the average organization today uses 1,083 cloud services. However, the IT department is aware of only one-tenth of them. That explains why CIOs control only about 60 percent of the average IT budget in an organization.
Here are some examples of how shadow IT presents itself in practice:
- A department adopting a different file-sharing solution than the rest of the organization is using because of its collaborative features.
- A member of the marketing team purchasing an online graphics design tool to create custom graphics for a new campaign.
- Employees exchanging project details using their personal WhatsApp or Telegram accounts.
What all three examples have in common is that a certain technology has been adopted by employees to solve their problems without the IT department having any say in it, creating huge security risks in the process, as we explain in the next chapter of this article.
What Security Risks Does Shadow IT Pose?
As soon as the IT department loses visibility into the technology used within the organization, it stops being able to do its job effectively, which is when security gaps start to develop. Unless addressed, these often seemingly innocent gaps may keep widening until cybercriminals can slip through them without any effort.
Gartner predicted that 1 in 3 security breaches would be caused by shadow IT applications by 2020, and the constant growth of reported data breaches suggests that Gartner’s prediction might have been conservative.
Organizations that ignore the security risks posed by shadow IT are not able to comply with regulations and standards created to protect consumers and other organizations. Such organizations risk losing their ability to compete in the global marketplace.
In addition to security risks, shadow IT places a huge financial burden on any organization that allows it to grow uncontrollably, greatly increasing the cost of IT support and forcing the IT department to navigate a complicated web of technologies, some of which may not even be properly licensed, which typically happens when vendors allow over-provisioning or when multiple employees share a single account.
How Can Shadow IT Be Detected and Managed?
To fight shadow IT, it’s paramount for IT departments to regain the lost visibility. A cloud access security broker (CASB) can be used to monitor all activity between cloud service users and cloud applications and enforce security policies
A CASB solution can be easily integrated with security information and event management (SIEM) products for streamlined log collection and the ability to correlate cloud usage with other activity. SIEM software solutions provide real-time analysis of security alerts by combining security information management and security event management, giving organizations useful insight into the activities within their IT environment.
However, even the most thorough monitoring isn’t likely to end shadow IT and prevent employees from using the tools they feel make them the most productive. Instead of doubling down on shadow IT detection, it’s better to prevent it by educating employees about the dangers of unsanctioned technology, and by simplifying the approval process so that employees don’t feel the need to go rogue and become their own IT support.
Employees need to understand that shadow IT falls within their sphere of concern because it affects the overall security of their organization. This understanding can be achieved through cybersecurity training programs and other forms of end-user education that reflect the organization’s IT policies and guidelines.
IT policies and guidelines should strive to create a culture of open communication and innovation, empowering employees to collaborate with the IT team in order to find a balance between low friction and high security. When employees stop being afraid of shining light on unsanctioned devices and software, shadows start to disappear, and with them the numerous security challenges they pose.
Shadow IT is a growing concern for organizations of all sizes, caused predominantly by readily available SaaS products. To manage it, IT departments need effective tools to help them regain the lost visibility, and they also need to make it easier for employees to use whichever new technologies they feel can make their jobs easier.