Shadow IT: What is it and what should you be doing about it?

You may not have heard about the shadow IT network, but you most likely have interacted with it at some point. 

With the explosion of cloud-based applications and services, the shadow IT networks have grown in prominence, and they can be a huge security vulnerability.

The first step in managing the shadow IT network is educating yourself on the matter. 

Here’s what you need to know about the shadow IT network and what you need to do about it. 

What is the Shadow IT Network?

The shadow IT network is not an actual network, but it refers to the use of information technology systems, mobile devices, Internet of Things (IoT) devices, cloud app usage, and software that has not been approved by the IT department. 

Typically, shadow IT is more prominent in business settings or organizational settings where the devices and apps used aren’t under direct control over the IT department. Examples of this are when an employee uses an unauthorized application like cloud storage. The service might be useful, but if it is a third-party application unapproved by an organization’s security team, it presents a risk of a security breach.  

When employees, organizational users, and third-party users log onto an unapproved network, device, software, IoT device, or app, they inadvertently create a vulnerability or security risk to the overarching organization. 

This is an issue now, especially with the number of cloud-based apps and services available, because it presents more possibilities for hackers to infiltrate a business’ computer network. Shadow IT is growing exponentially due to the rise in cloud services and remote work

Why Employees Use Shadow IT

Ultimately, there is an innocent reason why your employees and users will use shadow IT devices and apps. At the outset, shadow IT improves employee productivity and workplace efficiency. 

In a study conducted by the RSA in 2012, a reported 25% of employees felt the need to work around company security policies to get things done. This meant that, to some degree, the level of security requirements that the company had in place were too restrictive. 

In some instances, employees might not have approved software readily available in order to complete work processes. Therefore, these companies do not have the secure software, cloud services, applications, or necessary corporate network in place for the employee to do their job. 

One example is of an employee who finds a better file sharing program than the sanctioned app their IT department has allowed. They may use this program on their phone or be able to download the app or program on their device. 

On top of that, employees talk. They might refer the better, more preferred unauthorized app to their coworkers, by means of educating them on how to download the app, and encouraging them to download and use the file-sharing program. 

The use of file-sharing programs and cloud-based SaaS have spread, so IT departments are finding that they are competing against an ever-growing, unknown, and unsecure system of cloud apps, devices, and networks and data security. Without a monitoring solution and shadow IT plan, you could be risking a lot of your company’s success.

Risks and Challenges of Shadow IT in a Company

Businesses know that they need a strict and appropriate cybersecurity policy in place to protect against security threats and to protect company data. 

Unfortunately, with shadow IT, the security teams have no knowledge of the program, the use of the device or cloud service. Without this knowledge, they cannot even begin to adopt the right security practices to keep the company secure. 

How Shadow IT Presents Risk

While shadow IT might present a clear benefit to the employees using it, it also presents clear risks and challenges to the overarching businesses and their data. 

Risk of Data Breaches Increase

One of the most significant risks with shadow IT is the increased risk of cyber threats. Data breaches cost more than $8 million and can ruin businesses of any size. And nearly half of all breaches come from inadvertent errors such as human mistakes or system glitches.

When teams use a shadow application, device, or program, they are exposing the company to unknown security failures. The software or device has not been vetted for proper security protocols. While employees may not recognize these risks, the IT department primarily ensures the security of a computer network or team. 

Untrustworthy devices and software may not be used alongside the company’s security policy or cloud security policy and it could contribute to significant data loss.  

This can cause a security risk to large amounts of corporate data. Companies often collect sensitive data, like personally identifiable information (PII) about employees and customers. They can also collect intellectual property, business email addresses, and secure logins. Any of these data can be exposed and used for financial and malicious gain. 

By gaining control of the shadow IT, businesses gain better control of their data and can prevent a serious data breach from happening.

Decreased Compliance With Data and Security Regulations

Companies in the health and finance industries have to abide by a number of regulations for data security. The growth of shadow IT, therefore, presents challenges for businesses that need to abide by these regulations. 

Businesses in the European Union (EU) need to follow the General Data Protection Regulation (GDPR), which regulates what businesses can and cannot do with personal data for customers in the EU. 

The GDPR also carries global implications. Any entity doing business with an EU citizen must abide by the EU’s rules; this includes US businesses. Therefore, regardless of the company’s location, businesses need to remain compliant with GDPR. Unmanaged applications, software, email use, and personal device use within the shadow IT compounds the risk of GDPR non-compliance.

Businesses must be mindful of plenty of other regulations. Businesses in the health industry or those that work in the health industry must also be mindful of the Health Insurance Portability and Accountability Act (HIPAA). Other regulations like the California Consumer Privacy (CCPA) have wide-ranging implications for the use of consumer data and privacy. And businesses in finance must be mindful of the numerous financial regulations that vary federally and state-wide, including the Sarbanes-Oxley (SOX) Act

The use of shadow IT by employees can lead to compliance risks. Not only is this dangerous for customers’ personal information, but it can also lead to fines and shut-downs. 

Increased Risk of Unknown, Uncontrolled Costs and Duplicate Spend

The use of shadow IT presents a number of unknown, uncontrollable costs. Most businesses are keen to keep their spending as low as possible. Shadow IT presents risks to how well a business can control its spend. 

The purchasing of an unsanctioned app outside of line of business (LOB) budgets and on employee credit cards is increasingly common. If these purchases occur without IT’s involvement, there’s a high likelihood that they become shadow IT.

Businesses average $600 of reimbursements for SaaS applications. When these reimbursements aren’t checked, monitored, or managed, then they can easily get out of control.

So while these applications may be necessary, they are still unsanctioned applications and unchecked by the financial, IT, and business departments. There is the increased risk of multi-sourced spending as well, costing businesses a lot of money to use a low-cost tool. 

There is not only duplicate spending but also duplicate use of applications, which can also decrease efficiency. IT teams can easily step in to help manage the use of the app and regain control. This could limit duplicate spending and functionality overlapping. 

What IT Departments Should be Doing About the Shadow IT

One-third of successful attacks on enterprises will come from shadow IT. And considering the rise of its uses in all industries, IT departments need to begin to vet the software, systems, and applications that employees use and provide clear solutions to this problem. 

Tracking and stopping the growth of the shadow IT network is a continual process. Gartner estimates that shadow IT consists of 30% to 40% of total spend. And the adoption of shadow IT devices and unauthorized apps is ongoing. This makes it difficult to address security and financial risks associated with shadow IT. 

A holistic approach is one of the best ways to handle shadow management: 

  • Discovery: The discovery phase includes a continual educational process, learning the potential areas for SaaS, choosing the preferred method or methods for tracking shadow IT, developing the schedule for monitoring, and completing regular audits. 
  • Optimize: This phase is an actionable phase. IT departments and businesses will need to work together to optimize operational uses of shadow IT. This might include eliminating purchasing processes, and optimizing spend around SaaS from a company standpoint. 
  • Plan: In the planning phase, the IT department and financial departments work together to create a proactive approach to shadow IT tracking.
  • Govern: Finally, policies will be developed and implemented around SaaS adoption, the use of personal devices and personal networks, and how a business will perform software asset management. This is one of the best ways to control shadow IT. 

It’s clear that SaaS is here to stay. IT departments cannot ignore this issue. Instead, businesses and IT departments need to find ways to manage the spread of shadow IT and adapt to its changes. 

How to Find the Shadow IT

IT departments first need to implement a robust discovery process so that they understand the scope of their shadow IT. There could be SaaS applications at all operational levels. Discovery is often the hardest part. 

We recommend using at least two of these methods, including the manual inventory spreadsheet and employee monitoring

  • Manual inventory via spreadsheet: A survey is sent out to each employee and user to ask which unsanctioned applications they use. The survey can also include the use of personal devices, personal networks, security protocols on both, and other areas of vulnerability, like email use.
  • Employee monitoring software: Businesses could download employee monitoring software, which grants monitoring privileges to admin users. This software monitors things like application and browser usage, websites visited, and it even tracks unknown package downloads. With this software, you can see which unsanctioned apps your employees are using regularly.
  • Single sign-on platforms (SSO): Similar to a CASB, a single sign-on platform (SSO) acts as a bridge between applications and users. CASB cannot detect unconnected applications, which can be an issue with distributed work teams. 
  • Financial discovery and analysis: Financial discovery is the most thorough for tracking SaaS subscriptions on a company network where the company pays for subscription services. This process is a little tedious and would require an accountant or financial manager to go through each piece, however, it is a sure-fire way of capturing all the SaaS programs that a team uses. 

Managing and Preventing Security Risks Associated With the Shadow IT

Businesses need to recognize that cloud services are on the rise, and controlling the shadow IT network is best for company security. 

To start, businesses need to educate themselves and their employees on the security risks associated with shadow IT and create a system that works for that company. 

The first step is shadow discovery. Talk to your employees and come up with a plan for monitoring and managing security risks with shadow networks. 

Implementing an employee monitoring software can give employers an extra set of eyes for tracking shadow log-ins, unapproved software, and risky downloads. 

Staying educated on shadow IT and implementing shadow mitigation plans can help to minimize the ever growing security risks and financial risks! 

By SoftActivity Team.

October 18th, 2021