Shadow IT is a very serious and growing threat to IT compliance and cyber security, and most organizations have no idea how common it really is. This article will examine some of the risks of shadow IT and discuss ways in which organizations can curb it.

What Is Shadow IT?

Shadow IT refers to any software, cloud services, or even hardware that employees are using on your enterprise network without the consent or knowledge of your IT department. Prior to the proliferation of cloud computing, it usually involved isolated incidents where individual employees, generally those with at least some degree of technical acumen, would install unauthorized software applications onto their desktop computers.

Then came the cloud, which brought easy access to a dizzying array of free or very low-cost apps to every employee with a computer and an internet connection. These days, shadow IT nearly exclusively refers to the unsanctioned use of SaaS applications and other cloud services, and incidents are no longer isolated; over 80% of respondents to a survey by McAfee admitted to using rogue SaaS applications on the job. In some cases, entire teams or departments are discovered using the same shadow app.

Yet most organizations have no grasp of the scope of shadow IT usage among their employees. Respondents to a Cisco survey of CIOs estimated that their organizations were using an average of 51 cloud services. The actual average was 730.

The Road to Cyber Attacks Is Paved with Good Intentions

Most of the time, employees’ motivations for using shadow IT apps are not malicious or negligent; in their view, they are using tools that allow them to do their jobs better. When asked why they chose shadow apps over enterprise-approved alternatives, respondents to the McAfee survey largely cited productivity reasons.

Unfortunately, despite employees’ best intentions, shadow IT poses serious risks to enterprise cyber security and compliance. Shadow apps that haven’t been vetted by the security team may have security or compliance issues that users are unaware of, especially in highly regulated industries such as finance and healthcare or in any organization that must comply with the GDPR. The IT department also has no oversight of the application: it cannot monitor access logs, ensure that regular backups are performed, or confirm that important software updates are applied.

Additionally, shadow IT usage is not confined to SaaS applications. Individual employees or groups may set up their own cloud servers and use them to store and process enterprise data, opening up the organization to data breaches and compliance violations.

Tips for Managing Shadow IT

Visibility into shadow IT usage is the first step to controlling it. While discovery of shadow IT apps and services remains a challenge, a number of technical tools have emerged to make the task easier. At MS Ignite 2018, for example, Microsoft announced a number of updates to its Productivity App Discovery Tool in Office 365 to help enterprises identify which shadow IT apps are in use and which employees are using them.
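The discovery step described above can also be approximated from data most organizations already have, such as web proxy logs. The following is an added example (not code from the article or from any Microsoft tool) that reads a constructed proxy log, drops traffic to an assumed allowlist of sanctioned domains, and reports the remaining destinations by distinct user count and bytes uploaded, flagging destinations used by enough people to suggest a team-wide shadow app; the domains, users and allowlist are all invented for the sample.

```python
import csv
import io
from collections import defaultdict
from typing import Dict, List

# Assumed allowlist of sanctioned SaaS parent domains (in practice: the IT asset inventory).
SANCTIONED = {"example-corp.com"}

# Constructed proxy log sample; every host and user here is fictional.
PROXY_LOG = """\
ts,user,host,bytes_out
2024-03-01T09:02:11,alice,office365.example-corp.com,1200
2024-03-01T09:05:40,alice,notes.shadow-saas.example,48000
2024-03-01T09:07:02,bob,notes.shadow-saas.example,51000
2024-03-01T09:09:19,carol,notes.shadow-saas.example,2200
2024-03-01T09:11:55,dave,files.another-shadow.example,910000
2024-03-01T09:12:30,bob,crm.example-corp.com,300
"""


def parent_domain(host: str) -> str:
    """Collapse a hostname to its last two labels so app subdomains group together.
    Assumption: no public-suffix handling (co.uk etc.), which is enough for this sample."""
    labels = host.strip().lower().split(".")
    return ".".join(labels[-2:])


def discover_unsanctioned(log_text: str, team_threshold: int = 3) -> List[Dict]:
    """Aggregate unsanctioned destinations; team_wide marks likely department-level use.
    Sorted by distinct users (descending), then by bytes uploaded (descending)."""
    users = defaultdict(set)
    bytes_out = defaultdict(int)
    for row in csv.DictReader(io.StringIO(log_text)):
        domain = parent_domain(row["host"])
        if domain in SANCTIONED:
            continue  # approved app, not shadow IT
        users[domain].add(row["user"])
        bytes_out[domain] += int(row["bytes_out"])
    report = [
        {
            "domain": dom,
            "users": sorted(members),
            "bytes_out": bytes_out[dom],
            "team_wide": len(members) >= team_threshold,
        }
        for dom, members in users.items()
    ]
    report.sort(key=lambda r: (-len(r["users"]), -r["bytes_out"]))
    return report
```

Large upload volumes to a single-user destination (the second row of the sample) deserve the same follow-up as a team-wide app, since that is the pattern of enterprise data being moved to an unvetted cloud server.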

However, effective management of shadow IT usage doesn’t end with deploying a visibility tool. Organizations must develop solid policies and governance that address the security and compliance issues of shadow apps without quashing employee innovation:

* Develop a clear, consistent set of policies on the use of unauthorized apps and services, and make sure your employees understand why these policies are in place. Provide real-world examples of the dangers of using rogue apps.

* Be willing to train new employees on enterprise-approved apps as part of the onboarding process. Many employees who use shadow IT apps do so because of their comfort level with the shadow app; they may have used it at a previous job and are unfamiliar with the enterprise-approved alternative.

* Open the lines of communication with your employees. Keep apprised of the apps they are using to do their jobs, what they like about them, and what they feel could be improved. If enough employees bring up the same issue or complaint, make it a priority to deliver an enterprise-approved solution. In some cases, your organization may wish to work with the shadow app developer to create a version of the software that meets your enterprise’s security and compliance requirements.

Author's Bio: 

Michael Peters is the CEO of Lazarus Alliance, Inc., the Proactive Cyber Security™ firm, and Continuum GRC. He has served as an independent information security consultant, executive, researcher, and author. He is an internationally recognized and awarded security expert with years of IT and business leadership experience and many previous executive leadership positions.

He has contributed significantly to curriculum development for graduate degree programs in information security, advanced technology, cyberspace law, and privacy, and to industry standard professional certifications. He has been featured in many publications and broadcast media outlets as the “Go-to Guy” for executive leadership, information security, cyberspace law, and governance.