What is shadow IT and why must it be controlled?
Last updated on February 8th, 2019
Lurking beneath the surface infrastructure and hidden from perimeter defences is a malignant force, extending its creeping tendrils into every department of the business. Whilst it started out innocently enough, as it grew more prevalent its twisting roots buried deeper into the IT environment, corrupting business processes, undermining defences and creating unseen vulnerabilities. But the worst part of this malevolent infestation is that it is you and your co-workers who created it, and who continue to let it grow, all whilst unaware of the dangers which lie in wait beneath you.
Okay, while this description may seem a little dramatic, it's undeniable that shadow IT poses a genuine risk to your business. Gartner predicted that 1 in 3 security breaches will be the result of shadow IT applications by 2020. Research from Cisco indicated that CIOs underestimated the number of shadow applications running on their networks by a factor of 14: that is to say, the CIO thought the business was running 51 cloud services when in reality it was using 730!
This highlights just how many businesses still don’t have a grasp on the extent of shadow IT within their IT infrastructure. The risks and controls have been around for years, yet many businesses still wait to identify and control them until they’ve been burnt.
What is shadow IT?
Fundamentally, shadow IT is when staff use IT applications (often cloud-based) which the IT team have not approved for use.
Shadow IT can present itself in numerous ways, a few examples being:
- Staff sharing files between themselves, suppliers and customers using a cloud file store such as OneDrive, Dropbox or Google Drive.
- A few salespeople using an online CRM solution to work on a campaign or perhaps using personal Skype accounts to talk to clients.
- An employee preferring to use an online tool from their previous job over the software their current employer uses.
In each of these cases, it's apparent that the systems sit outside the control of the IT department and that sensitive corporate data could leak from them, resulting in a data breach or competitors gaining access to confidential documents.
Shadow IT plays on the idea of "if you can't see it, you can't control it" and creates a lot of invisible risks and security gaps which the IT team is unable to address. Of course, shadow IT may bring benefits to a business, if an employee is able to work more comfortably and therefore more effectively. However, you cannot let it run wild, as it introduces gaping security holes and massively increases the risk of a data leak.
Why does shadow IT occur?
Shadow IT arose with the boom in cloud-based technologies and applications. Employees within organisations could gain access to IT solutions through a web interface with little or no involvement from IT and with little or no cost. Give someone a web browser and a credit card and they can access a world of IT applications and systems for nearly every conceivable problem.
The popularity of this sudden access to a plethora of applications was compounded by the fact that in the past, every IT project would in effect stop or have to grind its way through the IT department before actually being usable. Whilst this wasn’t done maliciously, the delay it caused frustrated power users who wanted rapid solutions to their real or perceived business issues.
In short, the demand for change was louder and faster than the IT team’s resources, and even their awareness. Technology had come to the masses and they wanted to use that technology. Now.
But blaming everything on the IT department isn't fair, nor is it accurate, since a fundamental cause of shadow IT is misalignment within the business, something which involves numerous departments and generally the board. These issues, together with a lack of control over the IT estate, create a murky soup in which identifying a single reason is impossible, so the cause of shadow IT can vary from business to business.
How can I manage shadow IT?
Whilst the idea of strictly prohibiting the use of any applications outside of an acceptable list and filtering .exe files so only that list can be run seems like it would work fantastically, it doesn’t. Not only will it annoy employees and disrupt their workflows, but people will likely find a way around the filtering or will pester the IT team to add certain applications to the whitelist, thus circumventing the point of the list and only resulting in a net negative.
Instead, the business needs to address the root cause of shadow IT and implement both policy controls and technical controls to rein it in. Here are 7 simple steps to give you an idea of where to start.
1. Review what’s going on
Use your internal monitoring and control solutions to analyse who is going where and doing what. It’s also worth auditing laptops and desktops if you allow users to install applications on their own devices (not advisable!).
2. Evaluate and prioritise risk
Go through your reports and work out which shadow IT elements pose the greatest risk, e.g. staff sharing sensitive information with outside parties via a cloud file store, or accessing the dark web through Tor browsers. You may also find out you are breaking regulatory obligations without even knowing it, e.g. storing files in regions that are unacceptable.
Shut down anything that is potentially dangerous immediately. If it’s illegal or its use directly circumvents company policy then block it and take appropriate action at a management or HR level.
4. Give an amnesty
Once you've dealt with the immediate dangers and know what's going on, give everyone the chance to stop using the unapproved shadow IT applications. Give them a week or two to tell you why certain applications are necessary, so you can manage the exceptions. After the week is up, shut everything down.
5. Manage relationships
As you work through this process, take care to manage the external perception of the board and IT. People often use shadow IT to better fulfil their roles (rightly or wrongly) so you should be trying to understand why they are using it and how you can fulfil their needs.
You may even find that some shadow applications in use are of benefit to the wider business and adopting them could be a net positive. You don’t want to turn the business against the IT team as the whole business will suffer.
6. Create policies
It’s highly unlikely that employees are aware of the danger of shadow IT and why they shouldn’t use it. Clear policies with training and regular reminders should help minimise risks.
7. Continually manage
You should always be monitoring and evaluating what's going on in your network. People forget what they're told, and the odd employee does go rogue. The technologies are out there and are nothing new, so there's really no excuse for failing to monitor, and to block, activity that could harm your business.
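Steps 1 and 2 above (reviewing who is going where, then ranking the findings by risk) as an added example that is not from the original article: it checks constructed web-proxy log lines against an assumed allowlist of approved services and ranks the unapproved ones by how much data was uploaded to them. All domains, user names and byte counts are constructed sample data.

```python
"""Added example: find unapproved cloud services in proxy logs and rank by data leaving."""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample log: timestamp, user, method, URL, bytes sent by the client.
PROXY_LOG = """\
2019-02-01T09:12:03 alice POST https://sharepoint.example-tenant.com/upload 20480
2019-02-01T09:15:44 bob   PUT  https://dl.dropbox.com/upload 52428800
2019-02-01T09:20:10 carol POST https://www.dropbox.com/home 1024
2019-02-01T10:02:51 dave  POST https://api.hubspot.com/crm/v3/objects/contacts 4096
2019-02-01T10:30:00 erin  GET  https://www.office.com/ 0
2019-02-01T11:05:19 bob   PUT  https://dl.dropbox.com/upload 104857600
"""

# Assumed allowlist of services the IT team has approved, by registered domain.
APPROVED = {"office.com", "example-tenant.com"}

def registered_domain(url):
    """Collapse a URL to its last two host labels (a real tool should use the public suffix list)."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])

def parse_line(line):
    """Split one constructed log line into its fields."""
    _ts, user, method, url, sent = line.split()
    return {"user": user, "method": method,
            "domain": registered_domain(url), "bytes": int(sent)}

def find_shadow_it(log_text, approved=APPROVED):
    """Step 1: for every service not on the allowlist, record who used it
    and how many bytes were uploaded to it (POST/PUT requests)."""
    report = defaultdict(lambda: {"users": set(), "upload_bytes": 0})
    for line in filter(str.strip, log_text.splitlines()):
        rec = parse_line(line)
        if rec["domain"] in approved:
            continue
        entry = report[rec["domain"]]
        entry["users"].add(rec["user"])
        if rec["method"] in ("POST", "PUT"):
            entry["upload_bytes"] += rec["bytes"]
    return dict(report)

def prioritise(report):
    """Step 2: rank services by bytes leaving the business, then by user count."""
    return sorted(report.items(), reverse=True,
                  key=lambda kv: (kv[1]["upload_bytes"], len(kv[1]["users"])))

if __name__ == "__main__":
    for domain, info in prioritise(find_shadow_it(PROXY_LOG)):
        print(f"{domain:<22} users={len(info['users'])} uploaded={info['upload_bytes']}")
```

Point the same logic at an export from your own proxy or CASB (adjusting `parse_line` to its field layout) and the top of the ranking is the list to take into step 3 and the amnesty in step 4.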