When the Pennsylvania health department’s third party IT management company Insight Global announced that a data breach had exposed the personal information of 70,000 Pennsylvania residents, it was able to trace the origin of the breach to employee Google accounts that shared information using an “unauthorized collaboration channel.” Although the health department at the time confirmed that they could not determine any misuse from the information, the incident nevertheless highlights the risks associated with shadow IT, or unauthorized use of applications and devices that circumvent established security protocols of an organization.  

With 85% of global companies reporting that they have been impacted by cyber incidents, and 11% attributing those incidents to the unauthorized use of shadow IT, organizations must have proper best practices in place to both identify and mitigate these risks.

What is Shadow IT?

Shadow IT is the use of programs and services by employees without the explicit permission of IT. Such software, hardware or cloud programs, services and applications may not be subject to the organization's usual IT best practices (such as strong user access controls, encryption, etc.) and are therefore at greater risk of cybersecurity and other incidents. Common examples of shadow IT are the use of personal email accounts for work, BYOD devices, cloud storage services such as Dropbox or Google Drive, and communication tools such as WhatsApp or Slack for work purposes.

Examples of Shadow IT across different categories:

| Hardware | Software | Cloud Applications | Services |
|---|---|---|---|
| IoT devices (e.g. wireless printers, medical devices, smart cameras) | Messaging apps (e.g., WhatsApp, Discord) | Project management platforms (e.g., Trello, Monday.com) | CRM tools |
| BYOD (e.g. laptops, tablets, mobile phones) | Open source software (e.g., GIMP, Linux) | File sharing (e.g., Dropbox, WeTransfer) | Social media management tools (e.g., Hootsuite, Buffer) |
| USB disks | Browser extensions (e.g., Grammarly, LastPass, ClickUp) | Personal email accounts (e.g., Yahoo, Gmail) | Cloud computing environments (e.g., Azure, Google Cloud, AWS) |

Why Employees Resort to Shadow IT

Let’s take a concrete example of a company that is starting to scale, gaining new customers and hiring new employees that take on a greater scope of responsibility within and across different departments. The marketing and product department would like to start a new project and is looking to collaborate together through a project management tool. 

They have turned to a shadow IT solution which delivers many benefits, including: 

  • Increased productivity. Employees find that gaining IT approval for a specific tool is slow and requires jumping through many bureaucratic hurdles. Meanwhile, the deadline for their project is quickly approaching. As a result, they turn to one of the many easily available shadow IT productivity tools on the market instead of the ones approved by their IT department. 
  • Flexibility. Many legacy tools don’t suit the modern workplace and may lack the functionality and integration that your employees need to be as productive as possible. For example, a cloud-based shadow IT tool may have more functionality as a remote tool accessible from mobile, desktop or tablet. 
  • Ease of use. Many of these shadow IT tools are user-friendly and familiar to your employees (can be used on mobile, desktop and tablet) and enable quick cross collaboration with different teams. 

The Hidden Threats of Shadow IT

Although these shadow IT tools offer significant benefits, they also pose security risks for IT teams. The IT approval process is designed to take these different risks into account, taking into consideration the need to comply with various regulations, current best cybersecurity practices, and any internal policies. 

The hidden threats of shadow IT can be categorized into several different components that include: 

  • An increased attack surface that is harder to monitor, because these assets lie outside the organization’s security perimeter. 
  • A lack of security controls, because shadow IT does not adhere to the security protocols agreed on by the IT department. 
  • Data leakage and non-compliance through the transmission of sensitive data via unsecured devices, applications and software that do not adhere to basic security standards.  

Let’s discuss each of these components in greater detail. 

Increased Attack Surface

Shadow IT expands the attack surface of your organization, exposing it to more potential entry points for cyberattacks and making it more challenging for your organization to secure. For example, when employees use unauthorized file sharing or cloud services, organizations cannot monitor the data they share, increasing its potential for data leaks or unauthorized access. In addition, when shadow IT such as personal devices aren’t officially secured by the IT department, they don’t necessarily have enterprise-level anti-virus, firewalls or encryption in place and offer an additional device, location and potential vulnerability for attackers to exploit. 

Lack of Security Controls

Devices, applications, software and hardware that your IT department has approved have undergone standardized security controls, including adherence to specific encryption, multi-factor authentication, firewalls and secure configurations. This standardized approach helps organizations more easily monitor and defend their systems and network against unauthorized access, phishing attacks, and malware. Shadow IT often lacks even basic security controls these IT departments carefully implement. 

Data Leakage and Non-Compliance

Unsecured devices and networks make it easier for attackers to intercept traffic or launch man-in-the-middle (MITM) attacks, exposing the data shared over them to leakage or loss. Even authorized access to sensitive data can lead to a leak if it is done through unapproved cloud storage or other unsecured applications. These unauthorized tools often do not comply with industry regulations such as GDPR, HIPAA, or PCI DSS, leading to potential fines and legal consequences such as violations of data privacy and protection laws. This is true even of internal solutions built by departments in the organization that lack knowledge of data protection laws and compliance. 

Common Shadow IT Scenarios and Risks

As the use of unauthorized devices, software, and applications increases, so do the risks. While 41% of employees used, modified, or created tools without explicit approval of their IT department in 2022, that percentage is estimated to increase to 27% by 2027. 

These common shadow IT risks can be divided into several categories: 

  • Unapproved cloud services that transmit sensitive data and information through technology connected to your network or system. 
  • Personal devices and BYOD that increase the attack surface and make it easier for malicious actors to install malware or leak data. 
  • Unapproved SaaS tools which help solve pain points for businesses of all sizes across industries. 

Use of Unapproved Cloud Services

Unapproved cloud services such as WhatsApp, or CRMs that store sensitive customer data without meeting the compliance requirements the organization is subject to, pose legal and financial risks in addition to security risks. File sharing services that share files with “anyone with the link” can easily transmit data to unwanted users. Sensitive documents or information that is publicly available on cloud storage is at particular risk of leakage or exposure. 

Personal Devices and BYOD (Bring Your Own Device)

Employee-owned mobile devices, laptops, and tablets often have unpatched vulnerabilities or lack endpoint security, which is why IT departments are unable to approve them. In addition, when these devices are connected to the organization’s network and systems, malicious threat actors can exploit them to gain unauthorized access, and even move laterally throughout the network to execute larger scale and more sophisticated attacks. 

Unapproved SaaS Tools

Unapproved SaaS tools, such as those used for employee collaboration or project management, are next to impossible for IT teams to monitor or to enforce security measures on. IT cannot monitor access logs or data storage, apply access controls or perform IT audits, leaving it with little visibility and control over sensitive data and information. 

Why Traditional Cybersecurity Measures Aren’t Enough

Most organizations focus on perimeter-based security, such as their internal networks and systems. Since shadow IT operates outside of the traditional perimeter, these perimeter controls do not provide the visibility needed to ensure proper security: detection, alerting, and monitoring of cyber threats in real time.

How to Mitigate the Risks of Shadow IT

Reducing the cybersecurity risks of shadow IT across your organization requires a comprehensive approach that combines technological solutions with human resources to drive a culture of change. Through employee awareness and education, IT governance and policy, and vendor management, organizations can mitigate the risks shadow IT poses to their infrastructure.  

Improve Employee Education and Awareness

Employees need to understand the risks involved in using their own devices, with recent examples and consequences. They should also be taught best practices for mitigating against these risks, which can include strengthening passwords and other user access controls, POLP (principle of least privilege) practices, and promoting a general culture of cyber awareness, especially for non-technical employees. 

After proper employee training, employees should: 

  • Know what to do if they identify suspicious activity
  • Be aware of the latest threats, especially those related to shadow IT  
  • Understand the importance of IT-approved tools and how they help reduce security gaps

The overall goal should be to foster greater employee accountability in your organization in managing shadow IT. 

Implementing IT Governance and Policy

The IT department should also provide clear frameworks for approving the tools and technologies employees need, including a new software approval process that is both clear and quick and that ensures adherence to the relevant data protection and compliance standards. It should also implement proper security controls and policies for all approved technologies, including monitoring and reporting, employee awareness, and regular IT audits for unapproved tools. 

Vendor Management 

The organization should have a process for evaluating, onboarding, and monitoring any third-party services, as well as the mitigation strategies it might use to reduce or eliminate risk during an attack. Without a proper vendor management process, employees may turn to unapproved tools and technologies instead. Vendor management can also be supported by technologies that help with real-time monitoring and detection (cloud access security brokers, endpoint detection and response, etc.). The overall goal of vendor management should be to develop collaboration between the third party and your organization to acknowledge and minimize the risks related to shadow IT.    

Invest in Real-Time Monitoring and Detection

The most important step in managing shadow IT resources is their discovery, which can be done with tools such as a network monitoring system, cloud access security brokers (CASB), regular security audits and endpoint detection and response (EDR) systems. Only after this can the organization assess the risks each shadow IT resource exposes it to and decide its risk tolerance towards each resource. After repeating this process, the organization should at some point have enough experience and data to know which tools are acceptable or low risk and which expose it to threat levels it would prefer to avoid. Employees should be able to suggest alternative tools that pose less risk, and the list of “approved” tools should be continually reviewed and updated as necessary. 

Implement Shadow IT Audits

Shadow IT audits are a critical component of identifying, evaluating, and addressing unauthorized cloud services, SaaS tools and devices outside of the IT department’s knowledge. Such audits are often a mandatory part of regulatory compliance, and should include assessing whether the proper data security and privacy controls are being implemented, the strength of each technology’s access controls and identity management, and the effectiveness of any employee awareness programs. Based on its findings, the audit should include recommendations for closing security gaps related to shadow IT tools in the future. 
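The discovery step described under real-time monitoring and the audit step described here both start from the same question: which services are employees actually reaching, and how do they compare with what IT has sanctioned? The following is an added example, not code from the original article or from Panorays, that answers that question from web-proxy logs. It parses constructed proxy log lines, collapses each destination host to its registrable domain, matches it against a constructed sanctioned-application inventory, and produces an audit summary of unsanctioned services, the users who reached them, and the volume of data uploaded to each. All hostnames, user names, byte counts and inventory entries are constructed sample data, and the log format is an assumption.

```python
"""Shadow IT discovery and audit from web-proxy logs.

Added example, not Panorays code. Reads constructed proxy log lines, matches
each destination against a sanctioned-application inventory and summarises
the unsanctioned services, who used them and how much data was uploaded.
"""
from dataclasses import dataclass, field

# Constructed inventory of apps IT has reviewed. "approved" is sanctioned,
# "tolerated" is known and accepted as low risk; anything absent is unknown.
SANCTIONED = {
    "slack.com": "approved",
    "sharepoint.com": "approved",
    "github.com": "approved",
    "grammarly.com": "tolerated",
}

# Constructed proxy log lines (assumed format):
# timestamp user method host bytes_out bytes_in
PROXY_LOG = """\
2024-05-01T09:12:03Z alice POST api.dropbox.com 5242880 512
2024-05-01T09:15:41Z alice GET slack.com 300 20480
2024-05-01T10:02:17Z bob POST upload.wetransfer.com 104857600 1024
2024-05-01T10:10:55Z carol GET app.grammarly.com 400 8000
2024-05-01T11:20:08Z bob POST api.trello.com 20480 4096
2024-05-01T11:45:30Z dave GET github.com 200 65536
2024-05-01T12:01:12Z alice POST api.dropbox.com 10485760 256
malformed line that should be skipped
"""


@dataclass
class Finding:
    """Aggregated activity for one unsanctioned or tolerated service."""
    app: str
    users: set = field(default_factory=set)
    requests: int = 0
    bytes_out: int = 0   # bytes sent in POST/PUT requests: the leakage signal


def registrable_domain(host: str) -> str:
    """Collapse a hostname to its last two labels (api.dropbox.com -> dropbox.com).
    Deliberate simplification: it mishandles public suffixes such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def parse_line(line: str):
    """Parse one proxy log line; return None for lines that do not fit the format."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, user, method, host, out_b, in_b = parts
    try:
        return {"ts": ts, "user": user, "method": method, "host": host,
                "bytes_out": int(out_b), "bytes_in": int(in_b)}
    except ValueError:
        return None


def audit(log_text: str, inventory=SANCTIONED) -> dict:
    """Group non-approved traffic by inventory status and registrable domain.

    Returns {"unknown": {domain: Finding}, "tolerated": {domain: Finding}}."""
    findings = {"unknown": {}, "tolerated": {}}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        domain = registrable_domain(rec["host"])
        status = inventory.get(domain, "unknown")
        if status == "approved":
            continue
        bucket = findings.setdefault(status, {})
        f = bucket.setdefault(domain, Finding(domain))
        f.users.add(rec["user"])
        f.requests += 1
        if rec["method"] in ("POST", "PUT"):
            f.bytes_out += rec["bytes_out"]
    return findings


def report(findings: dict, upload_threshold: int = 50 * 1024 * 1024) -> list:
    """Rank unknown services by upload volume; mark those above the threshold HIGH."""
    rows = []
    ranked = sorted(findings["unknown"].items(), key=lambda kv: -kv[1].bytes_out)
    for domain, f in ranked:
        prio = "HIGH" if f.bytes_out >= upload_threshold else "REVIEW"
        rows.append(f"{prio} {domain} users={','.join(sorted(f.users))} "
                    f"requests={f.requests} uploaded_bytes={f.bytes_out}")
    return rows


if __name__ == "__main__":
    for row in report(audit(PROXY_LOG)):
        print(row)
```

The upload-volume ranking is the practical part of the audit: a service that employees only read from is a policy question, while one that receives tens of megabytes of uploads is a data-leakage question and should be reviewed first. In a real deployment the inventory would be the output of the approval process described above, and the log source would be the proxy, CASB or EDR telemetry the article lists.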

Balancing Security and Productivity

Proper use of shadow IT is all about enabling IT-approved alternatives that give employees the functionality they need while maintaining security. This controlled flexibility should also ensure compliance with relevant governance, security, and regulatory policies. By streamlining the IT approval process for new tools and services, companies can reduce the chances that employees resort to shadow IT out of frustration with slow or bureaucratic IT systems.

The Future of Shadow IT and Cybersecurity

The rise of remote and hybrid work has added to the challenge of shadow IT, with employees connecting to their organization from their own home devices and networks. As a result, organizations are now increasingly responsible for proactively monitoring and mitigating the risks associated with the use of these unauthorized tools outside their corporate networks. Many have turned to automation and artificial intelligence (AI) to help monitor and detect security risks. For example, AI and machine learning can be used to detect unusual user behavior, such as logins from a suspicious location or excessive password attempts, and responses to these risks can be set up in advance. These tools also help organizations monitor risks at scale, as many new employees may onboard suddenly, presenting many shadow IT threats at once to the network and systems. 
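The two behaviors named above, a login from a location the user has never used and a burst of failed password attempts, are the simplest signals an identity-monitoring pipeline looks for. The following is an added example, not code from the original article or from Panorays, that implements both as deterministic rules rather than a trained model: it builds a per-user baseline of countries seen in successful logins and alerts on the first login from a new country once that baseline exists, and it keeps a sliding window of failed attempts per user and alerts once when the count in the window crosses a threshold. All users, countries, timestamps, thresholds and the event format are constructed assumptions.

```python
"""Login anomaly detection over identity-provider audit events.

Added example, not Panorays code. Two rule-based detections: a successful
login from a country not in the user's baseline, and a burst of failed
password attempts inside a sliding time window. Sample data is constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit events: (ISO timestamp, user, country, outcome)
EVENTS = [
    ("2024-05-01T08:00:00Z", "alice", "DE", "success"),
    ("2024-05-01T08:30:00Z", "alice", "DE", "success"),
    ("2024-05-02T08:05:00Z", "alice", "DE", "success"),
    ("2024-05-02T09:00:00Z", "bob", "FR", "success"),
    ("2024-05-03T03:14:00Z", "alice", "BR", "success"),   # first login from BR
    ("2024-05-03T10:00:00Z", "bob", "FR", "failure"),
    ("2024-05-03T10:00:20Z", "bob", "FR", "failure"),
    ("2024-05-03T10:00:40Z", "bob", "FR", "failure"),
    ("2024-05-03T10:01:00Z", "bob", "FR", "failure"),
    ("2024-05-03T10:01:20Z", "bob", "FR", "failure"),     # fifth failure in 5 min
    ("2024-05-03T10:01:40Z", "bob", "FR", "failure"),
    ("2024-05-03T10:30:00Z", "carol", "US", "success"),
]


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


class LoginMonitor:
    """Stateful monitor fed one event at a time, as a streaming detector would be."""

    def __init__(self, fail_threshold: int = 5,
                 window: timedelta = timedelta(minutes=5),
                 min_history: int = 2):
        self.known = defaultdict(set)          # user -> countries seen in successful logins
        self.success_count = defaultdict(int)  # user -> number of successful logins seen
        self.failures = defaultdict(deque)     # user -> timestamps of recent failures
        self.fail_threshold = fail_threshold
        self.window = window
        self.min_history = min_history

    def process(self, ts_str: str, user: str, country: str, outcome: str) -> list:
        """Consume one event and return the alerts it raises (often none)."""
        ts = parse_ts(ts_str)
        alerts = []
        if outcome == "success":
            # Only flag a new country once the user has an established baseline,
            # so a new joiner's first few logins do not all fire.
            if (self.success_count[user] >= self.min_history
                    and country not in self.known[user]):
                alerts.append(f"new-location user={user} country={country} ts={ts_str}")
            self.known[user].add(country)
            self.success_count[user] += 1
            self.failures[user].clear()   # a success ends the current failure streak
        else:
            q = self.failures[user]
            q.append(ts)
            while q and ts - q[0] > self.window:   # drop failures outside the window
                q.popleft()
            if len(q) == self.fail_threshold:      # fire once, when the threshold is crossed
                alerts.append(f"password-burst user={user} failures={len(q)} "
                              f"window={self.window} ts={ts_str}")
        return alerts


def run(events) -> list:
    """Replay a batch of events through a fresh monitor and collect all alerts."""
    monitor = LoginMonitor()
    alerts = []
    for event in events:
        alerts.extend(monitor.process(*event))
    return alerts


if __name__ == "__main__":
    for alert in run(EVENTS):
        print(alert)
```

The baseline requirement (`min_history`) and the one-shot threshold are the two design choices that keep such a detector from drowning analysts in noise: without the first, every new employee generates a "new location" alert on day one; without the second, a sustained brute-force attempt generates an alert per failed attempt instead of one per burst. A machine-learning approach replaces these fixed rules with a learned model of each user's normal behavior, but the inputs and the response playbook are the same.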

Shadow IT and Cybersecurity Solutions

With 80% of employees adopting shadow IT tools without IT approval, this threat is only going to increase. Organizations should adopt both proactive and collaborative approaches with third parties and employees to detect and mitigate these risks while acknowledging the need for increased productivity for employees to get their job done. Solutions that map the supply chain and detect hidden third-party threats, regularly monitor these third-party threats, and implement AI technology to foster greater collaboration between suppliers and organizations are an essential part of building this proactive strategy. 

Want to get started reducing cybersecurity threats from shadow IT to your organization? Contact Panorays to learn more.

Shadow IT FAQs