How can you be sure that your employees are only using approved applications? Odds are, you are not sure at all. This issue has come to be known as “shadow IT”, and it is a real problem within the modern work environment. Put simply, shadow IT is any information technology (system, application, etc.) being used without approval. Common examples include messaging apps (Slack, WhatsApp, Skype), physical devices (flash drives, external drives), and cloud storage (Google Drive, Dropbox). Developers often run into this issue, as they may not share the same resources as, say, the operations department. The problem has grown exponentially in recent years, thanks in good part to the rise of cloud computing. Gone are the days when users had to depend on their IT department to get the technology they want; these “shadow” applications require no consultation with corporate IT at all. In almost all cases shadow IT is not created with malicious intent; however, despite good intentions, it can put companies at a much greater security risk. For example, an employee could be using an app to see who has opened their emails, without realizing that all of their Outlook contacts have been transferred to an unsecured cloud service.
The biggest and most obvious risk revolves around asset management. Shadow IT is difficult to manage because your IT department does not know it exists. This lack of visibility creates avenues for attackers to compromise systems and collect sensitive information. Most organizations have little to no idea how many shadow IT applications are currently in use. In addition, applications and software not cleared by the IT department can harbor numerous vulnerabilities simply because they never get patched. Any piece of software used within a corporate network needs to be carefully reviewed and inspected, especially when it involves the cloud.
Another risk of an employee using shadow IT lies in the transfer of data to and from the cloud without the use of the company firewall. This can create an easier opportunity for attackers to intercept that information and use it maliciously.
The last risk involves cost. Many shadow IT cloud applications come with costs that are generally just put on the company’s expense reports. If multiple users are using the same application under different accounts, the company is essentially paying for the same tool multiple times. These applications can simultaneously spin up cloud servers and the business will be the one who is paying the bill for this growing cloud infrastructure.
Although shadow IT can pose serious risk, many companies can gain valuable information and benefits from it if it is managed properly. For one, employees are most likely using these unauthorized tools to increase their productivity on the job. The company should view this as an opportunity to improve all employees’ productivity. Once these applications are known to the IT team, they can be implemented securely and may turn out to be better than what the IT department had chosen previously. This, in some respect, gives employees a chance to voice and create their own solutions. These tools should also be brought to light in order to understand the potential financial benefits of implementing them in the current architecture for all users to use securely.
How to Manage
Shadow IT will only continue to grow, so it is important to work to mitigate some of the associated risks. When faced with this issue, many businesses want to ban third-party apps altogether and outlaw personal devices. Is this the right approach? Probably not. Managing shadow IT properly is extremely important. The first and most basic step is education: providing employees with basic training on best practices can prove effective. Sound policies and controls can also help to manage shadow IT. For example, don’t block access by default, but enforce controls such as authentication through the corporate directory; this lets IT track more closely which accounts exist. Also build a list of approved and disapproved applications and services based on your employees’ needs. Another important step is to continuously monitor the network with a tool that detects shadow IT applications and systems.
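As an added example (not code from the original post), the following script shows how the approved/disapproved list and the network-monitoring step fit together: it reads constructed web-proxy log lines in an assumed <timestamp> <user> <destination-host> <bytes-out> format, flags every destination IT has not approved, and reports hosts that several distinct users reach, which is the duplicate-subscription cost problem described earlier.

```python
"""Shadow IT discovery over web-proxy logs: an added example, not code from
the original post. Assumes a constructed log line format of
<timestamp> <user> <destination-host> <bytes-out> and an IT-maintained
approved/disapproved list, as the post recommends."""
from collections import defaultdict

# Constructed sample traffic: sanctioned internal hosts plus the post's own
# examples of cloud storage and messaging services.
SAMPLE_LOG = """\
2024-05-01T09:01:12 alice mail.example-corp.internal 2048
2024-05-01T09:02:40 alice www.dropbox.com 5242880
2024-05-01T09:05:03 bob drive.google.com 1048576
2024-05-01T09:06:51 carol www.dropbox.com 3145728
2024-05-01T09:07:10 dave api.slack.com 4096
2024-05-01T09:09:33 erin files.example-corp.internal 7340032
"""
APPROVED = {"mail.example-corp.internal", "files.example-corp.internal"}
DISAPPROVED = {"www.dropbox.com"}  # explicitly denied by policy

def parse_line(line):
    ts, user, host, bytes_out = line.split()
    return {"ts": ts, "user": user, "host": host, "bytes_out": int(bytes_out)}

def find_shadow_it(log_text):
    """Map every non-approved destination to its distinct users, total bytes
    sent, and a status: 'disapproved' if denied by policy, else 'unknown'
    (seen on the network but never reviewed by IT)."""
    findings = defaultdict(lambda: {"users": set(), "bytes_out": 0, "status": "unknown"})
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        if rec["host"] in APPROVED:
            continue
        f = findings[rec["host"]]
        f["users"].add(rec["user"])
        f["bytes_out"] += rec["bytes_out"]
        if rec["host"] in DISAPPROVED:
            f["status"] = "disapproved"
    return dict(findings)

def duplicate_subscriptions(findings, min_users=2):
    """Hosts reached by several distinct users: the same tool likely paid for
    more than once under separate accounts, the cost risk the post describes."""
    return sorted(h for h, f in findings.items() if len(f["users"]) >= min_users)

if __name__ == "__main__":
    results = find_shadow_it(SAMPLE_LOG)
    for host, f in sorted(results.items()):
        print(f"{host}: {f['status']}, {len(f['users'])} users, {f['bytes_out']} bytes out")
    print("possible duplicate subscriptions:", duplicate_subscriptions(results))
```

Hosts reported as "unknown" are the candidates to review and move onto the approved or disapproved list, which is how the list grows from real employee needs rather than guesswork.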
Although shadow IT is often the result of good intentions, it undoubtedly puts an organization at risk if not managed properly. It is important to be open-minded when it comes to shadow IT and to have IT departments and employees work together to bring out the benefits and reduce the associated risk. As time goes on, it is in the best interest of all companies to embrace shadow IT.
Jeffery Delozier – Security & Risk Advisor, The Mako Group