Shadow IT is a relatively new term that should be on business owners’ and executives’ minds these days. Shadow IT refers to IT systems and applications deployed and used within an organization without explicit approval from management or the IT department. Hot take: your organization probably has Shadow IT and you may not even know it! Recent Everest Group research shows 50 percent of technology spend in organizations flies under the radar of business owners and IT managers. The realization that half an organization’s budget might be spent on software applications and IT systems that teams, groups, and business units are purchasing (and using) without the IT department’s knowledge, reveals why Shadow IT is a hot topic that needs to be addressed from a cybersecurity perspective. Here’s a few important points to keep in mind about how collaboration tools for staff are implemented, keeping them “out of the shadows” and part of a structured plan and process:
- Document all apps that access your network and their access to key data.
Anytime your IT department isn’t aware of various apps or software that are being used within your organization, the result is more potential security gaps and endpoint vulnerabilities that hackers and cyber criminals can potentially seek to exploit. Moreover, PC-installed apps used in any shadow IT ecosystem will require updates and security patches at some point, and there’s no guarantee that employees using those apps will take the time and effort to do so, leaving critical data and systems at risk. Also, giving apps access to key assets can easily render your entire network vulnerable. There’s also no monitoring the transition of access to key data stored in a shadow IT app should the employee change jobs. Because IT doesn’t know an employee has been using a separate CRM app to manage contacts, for example, it’s impossible to take normal protocols such as revoking access and changing passwords.
- Develop internal policies and procedures (including penalties) and provide ongoing education of staff to help curb Shadow IT issues.
Most employees who use shadow IT apps do so without intending to endanger their employers. They simply aren’t aware of the significant risks. Employees might choose to store work-related files on their personal Dropbox, for instance, which might not have the same level of security settings as approved apps. And in the event of a breach, security administrators won’t be alerted as to the full potential scope of the threat, leaving the company unsure of what data has been compromised and when. The use of shadow IT apps on smartphones and tablets is likewise problematic. When an employee stores confidential data on an unapproved app which they use on a mobile device, it creates a situation where data is constantly synchronized between a secured device (a work-issued laptop, for instance) and an unsecured device (i.e. personal smartphone). Indeed, we’re all guilty of glossing over the various permissions we grant our mobile apps.
- Create an approved IT vendor list that all employees are aware of and have access to.
If employees and managers would like to begin using an app not currently on the list, encourage them to submit that vendor to your IT department where you’ll be able to conduct proper vetting and configure the app with proper security protocols. When onboarding a new vendor, formulate a breach notification plan in the agreement so that you’ll both be able to take swift action in the event of an actual cyber attack.
- Arrange for an audit of all current technical assets and capabilities to minimize risks presented by shadow IT usage.
Any hardware used by employees should be tagged and be made traceable, when possible. More importantly, take stock of apps that anyone in the organization is using to handle work-related data. Only 28 percent of IT leaders are actually using some kind of SaaS management tool to get the kind of visibility into Shadow IT that’s necessary to adequately protect their data and systems, according to a recent survey from Torii. This despite IT leaders saying that security is their number one concern for 2019.
Ensuring all of the points on your organization’s cybersecurity spectrum are covered can seem overwhelming. We can help illuminate various vulnerability points so that less shadows lurk within your organization’s IT. For more details, read “Why Shadow IT is the Next Looming Cyber Security Threat” in full, here.