What are the risks involved in shadow IT

Sachin Raaghav

Apr 2010 min read


Introduction

While technology has advanced rapidly, people are still hustling every day to get their work done. Amid this chaos, employees tend to choose an app they are comfortable using to get their work accomplished quickly and efficiently. But if you tell this to a group of IT administrators, watch them sweat. Their minds will start getting clouded with questions such as:

  • What application are you using?
  • Is it authorized?
  • Why are you putting the company at risk?
  • More importantly, they'll be thinking, "How do I deal with shadow IT?"

What is shadow IT?

Shadow IT is software, hardware, or services used within an organization that are not known to, or monitored by, the organization's central IT department. It's the equivalent of an employee operating a parallel IT setup with unauthorized resources. The use of shadow IT can easily jeopardize an organization's IT security: IT admins are left in the dark, unable to monitor activity or take the required actions.

An employee using Microsoft Outlook instead of the organization's approved email application, for example, is a case of shadow IT.

The emergence of shadow IT

The gradual adoption of cloud services across organizations has fueled the emergence of shadow IT. According to Brian Lowans, principal research analyst at Gartner, these unsanctioned cloud services purchases are driving increased risks of data breaches and financial liabilities.

Shadow IT is popular among many employees since it circumvents the time-consuming and tedious procedure of waiting for the IT admin’s approval. Shadow IT emerges when employees exercise a preference over the resources they use to complete their work tasks. Employees utilize third-party resources over their organization’s approved resources due to various reasons, including:

  • The employee has prior experience and expertise with a specific application.
  • That application has better features than the approved applications.
  • The organization has not approved the application to accomplish a specific task. For example, an employee might use Adobe Premiere since there are no other video editing tools offered by the organization.

What are the risks involved in shadow IT?

Employees might not realize that, during the selection and approval process for the resources approved for use, organizations take the appropriate and required precautions to ensure data security.

According to Gartner, one-third of successful attacks experienced by organizations would be on data located in shadow IT resources.

Here are some of the risks associated with shadow IT:

Data vulnerability

When employees use third-party resources to accomplish their tasks, they purposefully or unintentionally open a gateway for data exposure. Any confidential data copied or uploaded to these resources cannot be managed, since IT admins lack visibility and control over these applications. For example, an employee who works on their own financial documents on the same computer they use for work projects might open both in a preferred shadow IT application. Because that application is not registered with, or monitored by, the organization's IT security team, the information in the personal financial documents and in the work-related files alike is vulnerable to exposure.

Collaboration inefficiencies

When employees use different technologies and applications for the same general task, their ability to collaborate with other team members often suffers. For example, an accountant who works in Google Sheets will not be able to collaborate easily with another accountant who uses Microsoft Excel.

Malware

There are occasions where employees use their personal devices, such as smartphones, laptops, and flash drives, to complete their tasks. This paves the way for threat actors to inject malware and ransomware into these personal devices, establishing the groundwork for infiltrating the organization. Personal devices used in the organization's environment are known as BYOD, which stands for bring your own device. BYOD can also play a vital role in the use of unauthorized devices, leading to shadow IT.

Regulatory non-compliance

Data handling is strictly controlled in many organizations. Shadow IT allows regulated data to be moved to cloud-based applications and unauthorized systems where IT admins cannot monitor it. This could result in non-compliance, fines, and a loss of trust among investors.

How do you tackle shadow IT?

It can be challenging to manage shadow IT, but steps can be taken to reduce the risks. Here are some ways to mitigate shadow IT:

Examining the existing shadow IT

IT admins should conduct surveys and questionnaires to determine whether shadow IT exists within their organization. It is also necessary to track which resources remote users connect to, and to check that their activity is continuously monitored. Consistent scanning and monitoring of unknown devices, applications, and networks is an efficient way to detect shadow IT. With AD360, you can monitor Terminal Services to look for unusual remote desktop activity from a critical user account, or discover disconnected remote desktop sessions. You also get complete visibility into RADIUS logon activity, and you can secure VPN connections to your organization's network and resources with multi-factor authentication (MFA).
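As an added illustration (not part of this article and not AD360 code), the script below shows the kind of scan the paragraph above describes: it reads constructed web proxy log lines, compares each destination against a hypothetical allowlist of sanctioned services, and reports, per user, the unsanctioned destinations and how much data was uploaded to them. The sanctioned domains, the log format and the upload threshold are all assumptions for the example.

```python
"""Shadow-IT discovery over web proxy logs (added example, not AD360 code)."""
from collections import defaultdict
from urllib.parse import urlsplit

# Hypothetical allowlist of sanctioned services; a suffix match covers subdomains.
SANCTIONED = {"corp.example.com", "sharepoint.com"}

# Constructed sample lines (not real traffic): timestamp user method url bytes_out
SAMPLE_LOG = """\
2024-05-01T09:12:03Z alice GET https://mail.corp.example.com/inbox 512
2024-05-01T09:14:41Z alice POST https://api.dropbox.com/2/files/upload 8388608
2024-05-01T09:20:17Z bob PUT https://docs.google.com/spreadsheets/d/abc/edit 20480
2024-05-01T09:25:55Z bob GET https://docs.google.com/spreadsheets/d/abc/view 1024
2024-05-01T09:31:02Z carol POST https://teams.sharepoint.com/sites/fin/_api/upload 4096
2024-05-01T09:40:09Z alice POST https://api.dropbox.com/2/files/upload 16777216
"""

def is_sanctioned(host: str) -> bool:
    """True if host equals, or is a subdomain of, a sanctioned domain."""
    return any(host == d or host.endswith("." + d) for d in SANCTIONED)

def parse_line(line: str):
    """Split one constructed log line into its fields; the URL is reduced to its host."""
    ts, user, method, url, size = line.split()
    return ts, user, method.upper(), urlsplit(url).hostname or "", int(size)

def find_shadow_it(log_text: str, upload_threshold: int = 1_000_000) -> dict:
    """Summarise unsanctioned destinations per (user, host): request count, bytes
    sent by upload methods (POST/PUT), and whether any single upload crossed the
    threshold, which is the event an admin would want to review first."""
    report = defaultdict(lambda: {"requests": 0, "upload_bytes": 0, "large_upload": False})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, user, method, host, size = parse_line(line)
        if is_sanctioned(host):
            continue  # approved service, nothing to report
        entry = report[(user, host)]
        entry["requests"] += 1
        if method in ("POST", "PUT"):
            entry["upload_bytes"] += size
            if size >= upload_threshold:
                entry["large_upload"] = True
    return dict(report)

if __name__ == "__main__":
    for (user, host), e in sorted(find_shadow_it(SAMPLE_LOG).items()):
        flag = " <-- large upload" if e["large_upload"] else ""
        print(f"{user:6} {host:20} requests={e['requests']} upload_bytes={e['upload_bytes']}{flag}")
```

On real proxy exports the allowlist would come from the organization's approved-application list, and the per-user totals give the admin a starting point for the risk evaluation described later in the article.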

Education and guidelines

Employees need to be aware of the consequences that can occur when using unauthorized resources. Regular meetings, virtual or in-person, should be conducted to educate employees about the dangers of shadow IT. To meet the demands of different employees and departments, IT admins can share a list of approved applications, services, and hardware that they can use to complete their tasks.

Risk evaluation and restrictions

There are several applications and devices that employees use, and not every one of them poses a threat. IT admins need to assess whether an application or device is capable of causing harm to the organization, and they should be able to take the necessary actions, such as blocking a device that contains malware. IT admins should restrict access to any third-party applications that are prone to risks.

Don't work in the shadows

Tackling a problem like shadow IT is not easy, and with an increasing number of employees working from home it becomes even trickier. There can be hundreds of employees in an organization, and if even one of them doesn't follow the rules and regulations, they are putting the entire organization at risk. Gartner predicts that by 2025, 50% of large organizations will adopt privacy-enhancing technologies (PET) for processing data in untrusted environments, or for multiparty data analytics use cases. PETs incorporate fundamental data protection principles by limiting the use of personal data, strengthening data security, and empowering users. IT admins must ensure that the organization's security is not compromised by constantly monitoring employees' on- and off-network activity and their use of unauthorized resources.