Shadow IT refers to information technology (IT)—systems, applications, software, or even hardware—used by an individual or department within an organization without the approval or oversight of the organization’s security or IT teams.
The term “shadow IT” was coined to describe the idea that unauthorized IT activities can occur in the shadows, outside the realm of control of a company’s known IT infrastructure. Shadow IT can have several faces: personal devices used for work, employees using shared credentials to access apps or other IT resources, system changes made without the right approval, and the use of software applications or cloud services outside of IT approval are just a few examples.
Employees may turn to shadow IT for a more favorable user experience, to avoid the current IT approval process, or to simplify existing workflows; however, it poses significant risks to any organization. These risks include compromised cloud security, data breaches, compliance issues, and an overall difficulty in maintaining cohesiveness across IT departments.
Examples of Shadow IT
The most common types of shadow IT applications include:
- The use of software as a service (SaaS) apps outside of the procurement process within the organization
- Creation of cloud workloads using personal accounts; these workloads can include virtual machines, databases, cloud-based applications, and containers
- The use of public cloud services such as Dropbox, Microsoft 365 and Google Drive
- Communication apps such as Slack, Skype and Zoom used for file sharing, messaging and exchange of sensitive data
- Leveraging of personal devices by end users such as smartphones and laptops for business use
Benefits of Shadow IT
While the downsides to shadow IT are plentiful, there are some benefits that employees might receive by using these technologies:
- Employees may use these mechanisms to gain faster access to resources, reducing inefficiencies in the current administrative workflows
- There may be reduced costs due to the use of free or more affordable cloud-based services such as cloud storage and SaaS apps
- Employees may use third-party apps that have functionalities not available through IT-approved systems to bolster productivity
Risks of Shadow IT
The use of shadow IT within a company can result in various security risks:
- Unauthorized access to data: Shadow IT creates a risk of unauthorized data access, opening the door to insider threats, an expanded attack surface, and potential data loss, all of which compromise the company’s overall data security.
- Introduction of malware: Through the use of shadow IT, companies can find themselves more vulnerable to malware and ransomware attacks. The infection can be intentional or unintentional, but systems outside the visibility of IT security teams give bad actors an opening that goes unnoticed.
- Cyberattacks and other cybersecurity risks: Hackers can often make their way into an organization’s ecosystem through shadow IT. Without protective measures for these systems like access controls, intrusion detection, and firewall mechanisms, security gaps emerge that hackers can exploit.
- Decreased compliance: Many organizations are subject to strict data protection regulations specified under compliance frameworks like HIPAA and GDPR. These regulations enforce strict rules regarding what companies can do with private data and other sensitive information. Leveraging shadow IT and unauthorized apps can result in compliance violations.
How to Mitigate Shadow IT Risk
Tackling shadow IT is a never-ending project. Ultimately, shadow IT is a human risk; if your company hires humans, shadow IT exists within the organization.
Employees may be tempted to use unsanctioned devices and SaaS applications in the name of efficiency and productivity. Implementing security policies that improve user experience and make it easier for employees to get access to the tools they need—like elevating help desks, frequently evaluating and improving IT performance, and maintaining an open line of communication between employees and IT service providers—will help decrease the frequency and threat of shadow IT activities.
Other proactive measures teams can take to mitigate associated risks include:
- Maintaining a detailed inventory of IT infrastructure and updating it on a regular basis
- Running inventory or asset management software to identify new devices on a recurring basis
- Utilizing third parties or security solutions specializing in shadow IT application detection
- Establishing a protocol regarding the handling of shadow IT activities
Taking a risk-based approach to shadow IT and prioritizing detection and monitoring for high-risk systems will help reduce the attack surface and the data leaks associated with unauthorized IT activities.
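The inventory and detection measures above can be combined into a simple reconciliation check. The script below is an added illustration, not code from the original article: it compares DHCP leases against a constructed asset inventory to surface devices IT has never registered, checks proxy traffic against a constructed allowlist of sanctioned SaaS domains, and ranks users by the volume of data sent to unsanctioned apps so that the likeliest data-leak paths are reviewed first. The log formats, domain lists, hostnames and inventory entries are all constructed for the example.

```python
"""Detect unsanctioned SaaS use and unknown devices from proxy and DHCP logs.

Added illustration for the mitigation measures above; not code from the
original article. Log formats, domain lists and the inventory are constructed.
"""
from collections import defaultdict

# Constructed allowlist of SaaS domains the (hypothetical) IT team has approved.
SANCTIONED_SAAS = {"slack.com", "microsoftonline.com", "sharepoint.com"}

# Constructed map of well-known consumer SaaS domains to a category, used to
# decide which unsanctioned destinations count as shadow IT applications.
SAAS_CATEGORIES = {
    "dropbox.com": "file sharing",
    "drive.google.com": "file sharing",
    "zoom.us": "communication",
    "skype.com": "communication",
}

# Constructed asset inventory: MAC address -> managed hostname.
ASSET_INVENTORY = {
    "aa:bb:cc:00:00:01": "LAPTOP-FIN-01",
    "aa:bb:cc:00:00:02": "LAPTOP-ENG-07",
}

# Constructed proxy log: timestamp user client_ip method host bytes_sent
PROXY_LOG = """\
2024-05-01T09:12:03Z alice 10.0.1.15 CONNECT api.slack.com 512
2024-05-01T09:13:44Z bob 10.0.1.22 POST www.dropbox.com 4210000
2024-05-01T09:15:10Z alice 10.0.1.15 GET drive.google.com 18000
2024-05-01T09:20:31Z carol 10.0.1.40 CONNECT zoom.us 900
2024-05-01T09:21:02Z bob 10.0.1.22 GET login.microsoftonline.com 300
2024-05-01T09:25:59Z dave 10.0.1.51 GET news.example.com 2000
"""

# Constructed DHCP log: timestamp event client_ip mac hostname
DHCP_LOG = """\
2024-05-01T08:55:12Z DHCPACK 10.0.1.15 aa:bb:cc:00:00:01 LAPTOP-FIN-01
2024-05-01T08:58:40Z DHCPACK 10.0.1.22 aa:bb:cc:00:00:02 LAPTOP-ENG-07
2024-05-01T09:05:07Z DHCPACK 10.0.1.40 aa:bb:cc:00:00:09 Carols-iPhone
"""


def suffix_match(host, domains):
    """Return the longest domain in `domains` that `host` equals or is a subdomain of."""
    best = None
    for domain in domains:
        if host == domain or host.endswith("." + domain):
            if best is None or len(domain) > len(best):
                best = domain
    return best


def find_unknown_devices(dhcp_text):
    """Return DHCP leases whose MAC address is absent from the asset inventory."""
    unknown = []
    for line in dhcp_text.splitlines():
        _ts, event, ip, mac, hostname = line.split()
        if event == "DHCPACK" and mac.lower() not in ASSET_INVENTORY:
            unknown.append({"ip": ip, "mac": mac.lower(), "hostname": hostname})
    return unknown


def find_unsanctioned_saas(proxy_text, unknown_ips=frozenset()):
    """Return proxy requests to known SaaS domains that are not on the allowlist."""
    findings = []
    for line in proxy_text.splitlines():
        _ts, user, client_ip, _method, host, sent = line.split()
        if suffix_match(host, SANCTIONED_SAAS):
            continue  # approved application, nothing to report
        matched = suffix_match(host, SAAS_CATEGORIES)
        if matched is None:
            continue  # ordinary web traffic is out of scope for this check
        findings.append({
            "user": user,
            "host": host,
            "category": SAAS_CATEGORIES[matched],
            "bytes": int(sent),
            "from_unknown_device": client_ip in unknown_ips,
        })
    return findings


def build_report(proxy_text, dhcp_text):
    """Correlate both checks: unknown devices, unsanctioned apps, upload volume per user."""
    unknown = find_unknown_devices(dhcp_text)
    findings = find_unsanctioned_saas(proxy_text, {d["ip"] for d in unknown})
    bytes_by_user = defaultdict(int)
    for f in findings:
        bytes_by_user[f["user"]] += f["bytes"]
    # Largest outbound volume first: that is the likeliest data-leak path to review.
    ranked = sorted(bytes_by_user.items(), key=lambda kv: kv[1], reverse=True)
    return {"unknown_devices": unknown, "findings": findings, "bytes_by_user": ranked}


if __name__ == "__main__":
    report = build_report(PROXY_LOG, DHCP_LOG)
    for dev in report["unknown_devices"]:
        print(f"unknown device {dev['hostname']} ({dev['mac']}) at {dev['ip']}")
    for f in report["findings"]:
        flag = " [unmanaged device]" if f["from_unknown_device"] else ""
        print(f"{f['user']} -> {f['host']} ({f['category']}, {f['bytes']} bytes){flag}")
    for user, total in report["bytes_by_user"]:
        print(f"{user}: {total} bytes to unsanctioned apps")
```

On the constructed input the check reports one unregistered device (a personal phone), three requests to unsanctioned file-sharing and communication apps, and ranks the user who pushed several megabytes to a consumer file-sharing service ahead of the others. The correlation of an unsanctioned app with an unmanaged device is the combination that deserves the highest priority in a risk-based review, since neither the endpoint nor the destination is under IT control.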
Summary
Shadow IT—the use of IT systems and tools that haven’t been approved by an organization’s IT or security group—poses a serious risk to organizations. A proactive and always-evolving approach to monitoring shadow IT activities is necessary to prevent security risks.
Decreasing friction between IT service providers and employees and putting security measures in place to detect, monitor, and mitigate shadow IT are the most effective ways to minimize the threats that arise.