“Shadow IT” – also known as Stealth IT, Client IT, or Fake IT – is any system, solution, or software that is used by the employees of an organization without the knowledge and approval of the corporate IT department. Shadow IT poses a unique threat to cybersecurity because these technologies are not managed by the IT department, so the risks they introduce to corporate data are neither identified nor mitigated.
The use of unapproved technology assets by employees is incredibly widespread in businesses of all sizes and industries. In fact, a study from IBM Security found that 1 in 3 employees working for Fortune 1000 companies have saved and shared company data to third-party cloud applications that were not explicitly approved.
Prevalent Shadow Technologies:
When the corporate IT department is not fully aware of the scope of existing assets within the company, it cannot provide the upkeep, troubleshooting, and risk management that is required to use those assets safely.
Shadow IT has the potential to cause a variety of logistical, data loss prevention, productivity, and security concerns, including:
While shadow IT is incredibly widespread and potentially dangerous, it can be mitigated with the right tools and processes. With the help of (approved!) computer monitoring software, employee training, and suitable alternatives, you can deploy a software asset management (SAM) strategy that effectively mitigates the threat of unmanaged technology.
To detect the use of unapproved and unfamiliar applications, you can monitor employee application use and web traffic for the prevalence of shadow IT. Once the demand for these applications is identified you can address the security concerns of unmanaged applications and services with the employees that are using them and take the opportunity to discuss viable alternatives or procedures.
Unmanaged IT assets that continue to pose an unwanted hazard can be blocked using software that prevents access to unauthorized websites and applications until they can be adequately reviewed and considered for official adoption.
To prevent the use of unknown data storage hardware that could be used to exfiltrate sensitive data such as intellectual property and records that contain personally identifiable information, you can use endpoint security software to block unauthorized USB devices (flash drives, external hard drives, etc.) from connecting to endpoints on your network.
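The detection step described above (monitoring web traffic for cloud applications nobody approved, then measuring who uses them and how much data flows to them) as an added example that is not part of the original article. The proxy log format, the approved-domain list and every user and host name are constructed for illustration; a real deployment would read its proxy or secure web gateway logs and use the public suffix list rather than the two-label domain shortcut used here.

```python
"""Flag web traffic to cloud applications that are not on the approved list.
Added example for this article; log format, domains and users are constructed."""
from __future__ import annotations
from urllib.parse import urlsplit

# Constructed allowlist: registrable domains of the SaaS the IT department approved.
APPROVED_DOMAINS = {"example-corp.com", "approved-storage.example", "crm.example"}

# Constructed proxy log: user, ISO timestamp, method, URL, bytes uploaded.
SAMPLE_LOG = """\
alice 2024-03-01T09:02:11Z POST https://approved-storage.example/upload 52000
alice 2024-03-01T09:10:45Z POST https://unsanctioned-share.example/api/upload 4800000
bob   2024-03-01T09:12:03Z GET  https://crm.example/accounts 0
bob   2024-03-01T10:31:09Z POST https://api.unsanctioned-share.example/upload 1200000
carol 2024-03-01T11:05:27Z POST https://notes-app.example/sync 90000
alice 2024-03-01T11:40:00Z GET  https://unsanctioned-share.example/files 0
"""


def registrable_domain(host: str) -> str:
    """Collapse subdomains so api.foo.example and cdn.foo.example count as one app.
    Keeps the last two labels (a shortcut standing in for the public suffix list)."""
    return ".".join(host.lower().split(".")[-2:])


def find_shadow_apps(log_text: str, approved: set[str]) -> dict[str, dict]:
    """Return {domain: {"users": [...], "requests": n, "bytes_up": n}} for every
    destination not on the approved list, ordered by upload volume so the app
    receiving the most corporate data is listed first."""
    report: dict[str, dict] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        user, _ts, _method, url, bytes_up = line.split()
        domain = registrable_domain(urlsplit(url).hostname or "")
        if domain in approved:
            continue
        entry = report.setdefault(domain, {"users": set(), "requests": 0, "bytes_up": 0})
        entry["users"].add(user)
        entry["requests"] += 1
        entry["bytes_up"] += int(bytes_up)  # data leaving the network is the concern
    ordered = sorted(report.items(), key=lambda kv: kv[1]["bytes_up"], reverse=True)
    return {d: {**e, "users": sorted(e["users"])} for d, e in ordered}


if __name__ == "__main__":
    for domain, info in find_shadow_apps(SAMPLE_LOG, APPROVED_DOMAINS).items():
        print(f"{domain}: {info['requests']} requests, {info['bytes_up']} bytes up, "
              f"users={info['users']}")
```

The per-domain user list gives the IT team the people to talk to about alternatives, and the upload volume shows which unapproved service is the most urgent to review or block.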
Employees using unauthorized software and hardware are typically not doing so maliciously; it is more likely that they do not realize the cybersecurity risks of the unvetted tools they use. An important step in tackling shadow IT is to ensure that your workforce is well educated about the dangers posed by unmanaged assets as well as their responsibilities for working safely with the technology they use in their workplace.
A key motivator for the use of unvetted tools is that the current suite of options offered by the organization does not meet the needs that their shadow alternatives are being used for. If the existing technology that is available to employees creates a productivity bottleneck, they are likely to continue using alternatives that better meet their needs in an effort to improve the efficiency and ease of their workflow.
To ensure that new technologies are used safely, it is worth considering an official adoption that can be better monitored and managed by the security team. Encourage employees to be comfortable with being honest about the technologies they are using by establishing a method for them to report unauthorized software and hardware usage without the fear of disciplinary action.
The use of shadow IT is inevitable for most organizations. With the right tools and processes, your software asset management plan can mitigate the risks of unmanaged assets by identifying their use, coaching employees on their cybersecurity responsibilities, and offering suitable alternatives that can be safely monitored and managed by your security team.