Shadow IT and the Hidden Risks to Your Business
Even before the changes to working arrangements made necessary by COVID-19, organisations were already aware of a need to understand, assess and mitigate the risks from “Shadow IT”. In this article, we will consider how the continued use of Shadow IT presents a variety of challenges and threats to an organisation, and what can be done to regain control.

What is Shadow IT?
“Shadow IT” refers to the increasing practice of users accessing and processing an organisation’s data using non-corporate devices, software packages or cloud services, without having gained corporate approval, and without the technical support of the internal IT function.
The most commonly seen form of Shadow IT originates from an individual user identifying a cloud-based “Software-as-a-Service” (SaaS) application which they believe suits their own needs and which can be easily signed up for. Typically, these can be downloaded and installed in a matter of moments from any device which has an internet connection. This can happen so swiftly that the organisation may not know of its existence and use for some time, a period during which the business remains exposed to multiple risks.
Not all Shadow IT takes the form of unauthorised cloud services. Organisations must also maintain awareness of privately-owned hardware devices, including laptops, smartphones and USB media, any of which could be used to access corporate data and copy it to a destination outside the organisation’s boundary of security controls. Whilst technical controls for “Data Loss Prevention” (DLP) may exist, they need to be extensively configured and rigorously enforced to be effective. It takes only a single rogue app installed on a user’s personal smartphone to put the whole device at risk – and in the worst cases the exposure extends to the corporate data files, emails, attachments and much more held on that device.
It’s important to understand why Shadow IT has been allowed to become such a significant risk. In today’s world of Agile and continuous software development, users are likely to be frustrated by corporate restrictions and to seek out new, innovative solutions to their immediate tasks. Existing corporate governance and approval cycles are likely to take too long for them, or the internal IT function may lack the training or experience to understand the new technologies that have been identified.
What are the risks of Shadow IT?
1. Data protection challenges: not knowing when corporate and personal data is being transferred outside the organisation, and having no visibility of the organisational and technical security controls put in place by unauthorised third-party providers.
2. Data loss or theft: not knowing how many copies of sensitive datasets have been made on personal USB devices or backed up to cloud-based storage providers (e.g. Dropbox, Google Drive). How far into the future will such copies persist?
3. Increased technical risks: while an organisation should have confidence in its own IT estate, how can it evaluate whether an equivalently robust approach exists in an external organisation it has had no opportunity to assess?
4. Financial commitments: the increased use of SaaS applications and cloud storage is likely to present financial surprises to an organisation. Users are known for scaling the storage they use, without ever taking stock of what can be deleted.
5. Compatibility: frequently, organisations who discover Shadow IT challenges find themselves with different approaches to the approved methods of working. This is likely to cause a disparity between similar datasets in different locations.
How a Shadow IT policy can help you mitigate the risks
By creating a workable Shadow IT policy you can help your organisation to mitigate risks without stifling business agility or innovation. The following elements should be considered when developing your Shadow IT policy:
1. Firstly, colleague apathy towards the risks of Shadow IT should be addressed. Provide a clear briefing explaining the risks, alongside a framework through which individual IT needs can be presented and promptly assessed, so that potential Shadow IT options are brought back within corporate governance.
2. Review internal governance policies and procedures to ensure that fast-moving employees can be supported with rapid (yet effective) decision making. Consider creating a template that all users can access and use to provide the necessary information required to facilitate decision-making.
3. Assess whether existing technical monitoring and IT audit solutions are robust enough to identify the use of unauthorised devices or cloud services quickly. If an employee refuses to follow guidance, identifying their misdemeanours promptly will help to reduce the risk exposure for the organisation and its data.
4. Ensure that proposals for new technologies are subject to an acceptable risk management approach in the same way as the rest of the organisation’s assets. Remember to review the risk position of existing organisational assets (e.g. data) which may be processed by the newly proposed technology.
5. If a decision is made to permit the use of personally owned devices, ensure an Asset Management Policy mandates minimum controls for accessing the device, encrypting its data, reporting any security events arising from its use, and ensuring it is presented for inspection before the asset is disposed of and/or the employee leaves.
6. If a technology is selected for use, consider how it can be supported by internal IT. Further, understand the extent to which it can be actively monitored, and how its data and configurations can be recovered and/or securely deleted once the technology is deemed to be no longer required.
Having a workable Shadow IT policy, combined with an agile approach to assessments, will allow an organisation to swiftly approve the use of the new technology, authorise its use in a restricted or carefully controlled manner, or refuse and justify why the proposed technology is not to be used.
Looking to the future, new and emerging technologies may improve the security, efficiencies and agility of an organisation if introduced in a controlled manner. Implementing and communicating sensible activities such as those above will encourage an open-minded approach to the adoption of user-requested technologies – new technologies that might otherwise have become part of the Shadow IT problem if left unaddressed.
Before embracing or restricting Shadow IT you should be considering the overall security risks to your organisation and not overlook the impact of training and awareness in helping your employees understand the risks. Our cyber security e-learning course is a cost-effective way to ensure your staff understand the key principles. There are also third-party certifications that assess your organisation’s systems and processes – these range from Cyber Essentials and Cyber Essentials Plus to ISO 27001. If you’d like to discuss any of these options, please contact us today or request a quote here.