Casting Light on Shadow IT

A man sits at his desk working on a computer. The shadowy figure of a colleague looms behind him.

“Shadow IT” – also known as Stealth IT, Client IT, or Fake IT – is any system, solution, or software that’s used by the employees of an organization without the knowledge and approval of the corporate IT department.

Shadow IT poses a unique threat to cybersecurity as the technologies used are not appropriately managed to identify and mitigate the associated risks that can put corporate data at risk.

Examples of Shadow IT

Employees using unapproved technology assets are incredibly widespread in businesses of all sizes and industries.

In fact, a study from IBM Security found that 1 in 3 employees working for Fortune 1000 companies have saved and shared company data to third-party cloud applications that were not explicitly approved.

These violations of a company’s security policy increase the likelihood of a data breach.

Prevalent Shadow Technologies:

Unvetted communication tools used to share sensitive information outside of secured servers.
Unauthorized personal peripherals (USB drives, keyboards, etc) used on company devices.
Personal cloud storage accounts used to store company files.
Users attempting to manage IT assets on their own, including attempts to bypass existing security features.
Unmanaged remote access programs that can serve as an entry point for hackers.
Feral information systems – data management formations that are created and managed outside of the security and governance of the company’s approved infrastructure.
Personal devices used to perform work tasks in organizations that do not have an official bring your own devices (BYOD) policy.

The Dangers of Shadow IT

Gloved hand types on a laptop. There is an external hard drive connected to the computer, implying a malicious data theft incident

When the corporate IT department is not fully aware of the scope of existing assets within the company they are not able to provide the upkeep, troubleshooting, and risk management that is required to use those assets safely.

Shadow IT has the potential to cause a variety of logistical, data loss prevention, productivity, and security concerns, including:

Productivity Loss: The lack of availability for internal troubleshooting, training, and support for shadow IT assets can create productivity blocks when a subset of users begin to rely on unmanaged assets to complete their tasks.
Data Security: Unmanaged IT assets are not monitored or updated to address security vulnerabilities. Personal cloud storage accounts used to transfer corporate data may not have the same security controls available as enterprise accounts and they can be used as a gateway for malicious data exfiltration.
IT Governance: The auditing of software and hardware assets proves difficult when technologies are implemented without the knowledge or clearance of the IT department. As shadow IT is discovered, the continued demand for those applications to be officially adopted can lead to application sprawl that creates redundancies and an increase in the resources required to appropriately manage IT assets.
Software Waste: Existing software resources that are provided by the company may see a significant under-utilization due to increased use of shadow technology alternatives. The proliferation of redundant solutions is also a significant drain on financial and logistical resources.
Litigation: Whether the company is aware of the assets or not, events such as data breaches caused by unsecured shadow systems or the use of pirated software can lead to costly litigation against the company. Organizations such as The Federation Against Software Theft (FAST) and The Software & Information Industry Association (SIIA) work with software companies to prosecute the use of unlicensed software. In the event that intellectual property owners discover the illegal use of their software in an unlicensed commercial setting the company as a whole may be liable for the infringement.
Non-Compliance: The data risks caused by the unmitigated use of shadow IT may be in violation of internal or regulatory compliance frameworks that govern how data is protected and used. These technologies can lead to violations of requirements for data residency, data security, and related forms of information governance.

How Can Shadow IT Be Mitigated?

While shadow IT is incredibly widespread and potentially dangerous, it can be mitigated with the right tools and processes.

With the help of (approved!) computer monitoring software, employee training, and suitable alternatives you can deploy a software asset management (SAM) strategy that effectively mitigates the threat of unmanaged technology.

Computer Monitoring Software

Get My Free Trial

Learn More

To detect the use of unapproved and unfamiliar applications, you can monitor employee application use and web traffic for the prevalence of shadow IT.

Once the demand for these applications is identified you can address the security concerns of unmanaged applications and services with the employees that are using them and take the opportunity to discuss viable alternatives or procedures.

Unmanaged IT assets that continue to pose an unwanted hazard can be blocked using software that prevents access to unauthorized websites and applications until they can be adequately reviewed and considered for official adoption.

Learn More: How to Track Application Use With BrowseReporter

USB Control Software

Get My Free Trial Learn More

To prevent the use of unknown data storage hardware that could be used to exfiltrate sensitive data such as intellectual property and records that contain personally identifiable information, you can use security software to disable unauthorized USB devices (flash drives, external hard drives, etc) from connecting to endpoints on your network.

Cybersecurity Training & Policies

Employees using unauthorized software and hardware are typically not doing so maliciously; it is more likely that they do not realize the cybersecurity risks of the unvetted tools they use.

An important step in tackling shadow IT is to ensure that your workforce is well educated about the dangers posed by unmanaged assets as well as their responsibilities for working safely with the technology they use in their workplace.

Free Template

Employee Internet Usage Policy

Paper document that says "Internet Usage Policy"

Download this FREE acceptable use policy, customize it, and distribute it to your employees to set a precedent for the acceptable use of the internet in the workplace.

Offer Suitable Alternatives

A man types on his laptop keyboard. A bright light with a lock icon shines in front of the screen.

A key motivator for the use of unvetted tools is that the current suite of options offered by the organization does not meet the needs that their shadow alternatives are being used for.

Suppose the existing technology that is available to employees creates a productivity bottleneck. In that case, they are likely to continue using alternatives that better meet their needs in an effort to improve the efficiency and ease of their workflow.

To ensure that new technologies are used safely, it is worth considering an official adoption that can be better monitored and managed by the security team.

Encourage employees to be comfortable with being honest about the technologies they are using by establishing a method for them to report unauthorized software and hardware usage without the fear of disciplinary action.

CASE STUDY
Shady Maple Takes Back Control
Over Employee Technology Use

"When we first saw the employee tracking reports we were totally surprised by some of the behaviors that had gone under the radar" - Kevin Porsche, IT Admin, Shady Maple

CurrentWare’s computer monitoring software gave Shady Maple the insights they needed to ensure their technology was being used safely and appropriately. Read their case study to learn more.

Conclusion

The use of shadow IT is inevitable for most organizations. With the right tools and processes, your software asset management plan can mitigate the risks of unmanaged assets by identifying their use, coaching employees on their cybersecurity responsibilities, and offering suitable alternatives that can be safely monitored and managed by your security team.

Dale Strickland

Dale Strickland is the Digital Marketing Manager for CurrentWare, a global provider of user activity monitoring, web filtering, and device control software. Dale’s diverse multimedia background allows him the opportunity to produce a variety of content for CurrentWare including blogs, infographics, videos, eBooks, and social media shareables.

Cookie	Duration	Description
__cfruid	session	Cloudflare sets this cookie to identify trusted web traffic.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
JSESSIONID	session	The JSESSIONID cookie is used by New Relic to store a session identifier so that New Relic can monitor session counts for an application.
LS_CSRF_TOKEN	session	Cloudflare sets this cookie to track users’ activities across multiple websites. It expires once the browser is closed.
OptanonConsent	1 year	OneTrust sets this cookie to store details about the site's cookie category and check whether visitors have given or withdrawn consent from the use of each category.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__cf_bm	30 minutes	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
_zcsr_tmp	session	Zoho sets this cookie for the login function on the website.

Cookie	Duration	Description
_calendly_session	21 days	Calendly, a Meeting Schedulers, sets this cookie to allow the meeting scheduler to function within the website and to add events into the visitor’s calendar.
_gaexp	2 months 11 days 7 hours 3 minutes	Google Analytics installs this cookie to determine a user's inclusion in an experiment and the expiry of experiments a user has been included in.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_GY6RPLBZG0	2 years	This cookie is installed by Google Analytics.
_gcl_au	3 months	Provided by Google Tag Manager to experiment advertisement efficiency of websites using their services.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.

Cookie	Duration	Description
_opt_expid	past	Set by Google Analytics, this cookie is created when running a redirect experiment. It stores the experiment ID, the variant ID and the referrer to the page that is being redirected.
IDE	1 year 24 days	Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
NID	6 months	NID cookie, set by Google, is used for advertising purposes; to limit the number of times the user sees an ad, to mute unwanted ads, and to measure the effectiveness of ads.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt.innertube::nextId	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.

Cookie	Duration	Description
_dc_gtm_UA-6494714-6	1 minute	No description
_gaexp_rc	past	No description available.
34f6831605	session	No description
383aeadb58	session	No description available.
663a60c55d	session	No description available.
6e4b8efee4	session	No description available.
c72887300d	session	No description available.
cookielawinfo-checkbox-tracking	1 year	No description
crmcsr	session	No description available.
currentware-_zldp	2 years	No description
currentware-_zldt	1 day	No description
et_pb_ab_view_page_26104	session	No description
gaclientid	1 month	No description
gclid	1 month	No description
handl_ip	1 month	No description available.
handl_landing_page	1 month	No description available.
handl_original_ref	1 month	No description available.
handl_ref	1 month	No description available.
handl_ref_domain	1 month	No description
handl_url	1 month	No description available.
handl_url_base	1 month	No description
handlID	1 month	No description
HandLtestDomainName	session	No description
HandLtestDomainNameServer	1 day	No description
isiframeenabled	1 day	No description available.
m	2 years	No description available.
nitroCachedPage	session	No description
organic_source	1 month	No description
organic_source_str	1 month	No description
traffic_source	1 month	No description available.
uesign	1 month	No description
user_agent	1 month	No description available.
ZCAMPAIGN_CSRF_TOKEN	session	No description available.
zld685336000000002056state	5 minutes	No description