Shadow IT – plugging a gaping security hole

As technology proliferates, everyone becomes something of an IT expert. Where once having personal access to IT meant a shared PC in the corner of the living room, there are now a billion more mobile connections than people in the world, according to GSMA Intelligence, while a report from Deloitte puts global smartphone penetration at 80%.

With this access to digital tools come raised expectations of what technology can and should do for the user – if it does not deliver, users will look elsewhere, even at work. IBM recently found that one in three employees at Fortune 1000 companies regularly uses apps that have not been explicitly approved by the internal IT department.

They are doing this because, in the words of Peter Bendor-Samuel, Founder of the analyst firm Everest Group: “It comes down to enterprise IT not serving business needs well enough.”

Nor is shadow IT limited to individuals or small teams using their own devices or apps as workarounds. Public cloud providers, where scalable resource can be acquired with a credit card and booked as operational expense, let business units that want fast access to large amounts of compute skip the hassle and timescales of budget sign-off. Whole projects, not just apps, can therefore exist outside IT's view.

Unintended risk

At a time when the likes of IDC predict that global spending on security hardware, software and services will top $103 billion in 2019, shadow IT poses a significant risk to enterprise technology. Much of the budget IDC identified is going on perimeter prevention – unified threat management, firewalls, intrusion detection and prevention. Those controls only protect the assets and data flows IT knows about. When business units bring in software, often via the cloud, and hardware that use corporate data without the knowledge of corporate IT, they can undermine their own defenses from the inside.

Yet this is not new. Back in 2016, Gartner predicted that by 2020 a third of successful attacks experienced by enterprises would be on their shadow IT resources. So why aren't organizations doing more to stop it?

Part of the challenge lies in the sheer breadth and scale of shadow IT. Everest Group estimates that half of technology spend is on non-approved services and hardware. To cut that off completely could, quite simply, paralyze an organization and send any remaining rogue IT projects further underground. Yet to allow them to operate as before increases the risk of an attack occurring via an unapproved app, or of data being stored or accessed incorrectly, exposing the organization to potential breaches of data privacy regulation.

Education and collaboration

There is an opportunity to use the discovery of shadow IT as a way to identify processes and services that need revising to better suit the needs of the business. As an article in Harvard Business Review states, IT can learn a lot by taking “an open-minded approach and successfully work with the rogue unit to help secure data, standardize APIs and ultimately assemble solutions that combine internal and external services.”

However, this should not mean letting people off the hook. Once the gaps have been identified, it is critical to educate employees at all levels about the risks of shadow IT. Policies and procedures need to align with this education program, acknowledging why people feel the need to find workarounds while underlining the problems those workarounds can lead to.

It is also a learning process for IT, however. There needs to be an acknowledgement that the existing way to acquire new technology does not always work. Working with business units to identify the apps, services and hardware that they require, finding the best vendors to work with and then building that into a catalog or internal marketplace means that both sides get what they want. IT can manage a vetted list of providers, ensuring that anything deployed in the corporate network meets relevant regulatory, security, legal and compliance standards, while the wider organization can quickly access what it needs, without unnecessarily involving IT and becoming bogged down in a cycle of ticket raising and sign off.

At the same time, a complete audit of all technology assets is required, so that organizations have a clear view of what is in use, what is connected to the network and where the gaps might be. Network discovery alone is not enough: a cloud subscription bought on a credit card and expensed never appears in a network scan, so the audit should also draw on web proxy and DNS logs, identity provider records such as single sign-on and OAuth grants, and expense reports. Not only does this provide a greater degree of protection, it can also surface better or more up-to-date solutions, allowing out-of-date software to be decommissioned and removed from the business safely and securely.
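One concrete way to start such an audit is to compare what the web proxy actually sees leaving the network against the vetted catalog IT maintains. The following is an added example, not code from the article or its author: the catalog, the log format and the log lines are all constructed, and the `registrable_domain` helper is a deliberately simplified stand-in for a Public Suffix List lookup.

```python
"""Shadow IT discovery: rank unapproved SaaS destinations seen in proxy logs.

Added example for illustration only. The approved catalog, the proxy log
format and every log line below are constructed, not taken from a real system.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical vetted catalog: registrable domains IT has approved, with the
# highest data classification each service is cleared to hold.
APPROVED_CATALOG: Dict[str, str] = {
    "office365.com": "confidential",
    "salesforce.com": "confidential",
    "github.com": "internal",
    "example-erp.com": "confidential",
}

# Constructed proxy log in a minimal Squid-like shape:
# <timestamp> <user> <src_ip> <method> <host>:<port> <bytes_sent>
# The final line is intentionally malformed to show that bad input is skipped.
SAMPLE_PROXY_LOG = """\
2019-03-04T09:01:12Z alice 10.10.4.21 CONNECT outlook.office365.com:443 18234
2019-03-04T09:03:40Z alice 10.10.4.21 CONNECT www.dropbox.com:443 52428800
2019-03-04T09:05:02Z bob 10.10.4.35 CONNECT api.trello.com:443 40211
2019-03-04T09:06:55Z carol 10.10.7.8 CONNECT console.cloud.example-hosting.net:443 1204
2019-03-04T09:07:10Z carol 10.10.7.8 CONNECT www.dropbox.com:443 10485760
2019-03-04T09:09:31Z dave 10.10.4.99 CONNECT github.com:443 300
2019-03-04T09:11:00Z bob 10.10.4.35 CONNECT api.trello.com:443 15000
this line is malformed and must be skipped
"""


@dataclass
class Finding:
    """Aggregate of traffic to one unapproved registrable domain."""
    domain: str
    hits: int = 0
    users: Set[str] = field(default_factory=set)
    bytes_out: int = 0


def registrable_domain(host: str) -> str:
    """Collapse a hostname to its last two labels.

    Simplified on purpose: a production tool should use the Public Suffix List,
    otherwise hosts like 'foo.co.uk' would collapse to 'co.uk'.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_line(line: str) -> Optional[Tuple[str, str, int]]:
    """Return (user, host, bytes_sent) for a well-formed line, else None."""
    parts = line.split()
    if len(parts) != 6:
        return None
    _ts, user, _src_ip, _method, hostport, sent = parts
    host = hostport.rsplit(":", 1)[0]
    try:
        return user, host, int(sent)
    except ValueError:
        return None


def find_shadow_it(log_text: str, catalog: Dict[str, str]) -> List[Finding]:
    """Aggregate every destination not in the catalog, largest egress first."""
    findings: Dict[str, Finding] = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip rather than crash the audit
        user, host, sent = rec
        dom = registrable_domain(host)
        if dom in catalog:
            continue  # approved service, nothing to flag
        f = findings.setdefault(dom, Finding(dom))
        f.hits += 1
        f.users.add(user)
        f.bytes_out += sent
    # Rank by bytes sent so the largest potential data flows surface first.
    return sorted(findings.values(), key=lambda f: (-f.bytes_out, f.domain))


if __name__ == "__main__":
    for f in find_shadow_it(SAMPLE_PROXY_LOG, APPROVED_CATALOG):
        print(f"{f.domain:24} hits={f.hits:3} users={len(f.users):2} "
              f"bytes_out={f.bytes_out}")
```

Ranking by bytes sent rather than by hit count is a deliberate choice: a destination two people used to push tens of megabytes deserves a conversation before a destination that a hundred people merely pinged. The same aggregation can be run over DNS query logs or OAuth consent records; what changes is only the parser.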

Learning from shadow IT

Shadow IT is a real and critical threat to enterprise security. The size of the issue means that simply shutting down all instances could cause operations to grind to a halt. To turn the phenomenon to their advantage, CIOs and IT departments should treat it as a learning opportunity, both to see where the business is struggling with existing processes and to help employees understand the risks that unauthorized technology spend presents. In doing so, they can build a clearer picture of their security exposure while helping their companies put the right tools in place.

Download this advice sheet to find out what six steps you should take to achieve effective threat management and read our brochure on threat intelligence.

Josh Turner

I am a technology writer with a decade of experience in business, technology and logistics. From starting off my career writing questions for a TV quiz show, I’m now spending my time looking at how the world of business is going digital and transforming a variety of sectors and industries.