Shadow IT can harm a company’s security posture because it exists outside the company’s usual software and service approval and audit workflows. Shadow IT refers to information technology projects, applications and software used and managed outside of—and without the knowledge of—an IT department.

Employees unfamiliar with the way software works can easily end up giving a platform access to far more data than intended. These same users will not necessarily delve deeper into data storage service level agreements (SLAs) or encryption methods. They also may not be aware of a platform’s overall poor security. Many employees may not even be aware their activities are risky.

In fact, improved productivity continues to be among the top reasons users choose these types of unsanctioned solutions. Employees looking to increase productivity may begin with very basic information, such as data storage, that doesn’t pose a risk, then later include personally identifiable information (PII) typically saved in internal systems alone. Yet, there’s no guarantee that any of the software or applications are being properly updated or are meeting companies’ cybersecurity policies.

Shadow IT growth has been attributed in large part to the quality of consumer cloud applications, such as file-sharing apps and collaboration tools. Smartphones and tablets also account for many shadow IT risks.

Amid the COVID-19 pandemic, the use of unauthorized software and products is also anticipated to increase by 65%. As more organizations continue with a work-from-home model for their employees, communication and data sharing have changed. Plus, the use of VPNs, video conferencing services, jump boxes and proxies is giving security and IT teams more to be concerned about.

Yet, finding this hidden data can be difficult if you don’t know where to look. Here are some things to consider when addressing shadow IT concerns.

Discover Reasoning for Usage

Consider treating shadow IT as an opportunity to have employees identify the applications they want to use. Learning why unapproved tools are used can help central IT teams and the organization provide an approved alternative, or bring the product already in use into the company’s platform.

Simply ask team members about the products and services they’re currently using. A quick response survey can give employees the opportunity to report platforms used and include reasoning for the decision. This doesn’t have to be a major project with a formal justification requirement to be effective.

Ideally, every employee would participate. If you’re already familiar with your organization’s typical response rates and feel they’ll be far too low to gather enough data, an automated cloud data detection service might be an option for discovery.
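Automated discovery usually means mining the organization’s own egress data, such as web proxy logs, for services that are not on the approved list. The following is an added example, not code from the original article; it assumes a simple space-separated proxy log format and a hypothetical approved-domain allowlist, and reports each unsanctioned service with the users touching it and how much data they uploaded to it.

```python
import re
from collections import defaultdict

# Constructed sample web-proxy log lines: timestamp, user, method, URL, bytes sent.
# Illustrative only; the hostnames are placeholders, not real services.
SAMPLE_LOG = """\
2024-03-01T09:12:03Z alice GET https://drive.google.com/drive/my-drive 512
2024-03-01T09:13:10Z bob POST https://api.unsanctioned-notes.example/upload 4194304
2024-03-01T09:14:22Z carol GET https://teams.microsoft.com/ 1024
2024-03-01T09:15:45Z alice POST https://api.unsanctioned-notes.example/upload 2097152
2024-03-01T09:16:01Z dave POST https://files.quickshare.example/put 8388608
2024-03-01T09:17:30Z bob GET https://cdn.unsanctioned-notes.example/app.js 0
"""

# Hypothetical allowlist of SaaS the organization has approved (matched by suffix).
APPROVED_DOMAINS = {"google.com", "microsoft.com"}

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT) https?://([^/\s]+)\S* (\d+)$")

def parse_line(line):
    """Parse one log line into a dict, or return None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, method, host, sent = m.groups()
    return {"ts": ts, "user": user, "method": method, "host": host.lower(), "bytes": int(sent)}

def is_approved(host):
    # Exact match or subdomain of an approved domain; "notgoogle.com" must not pass.
    return any(host == d or host.endswith("." + d) for d in APPROVED_DOMAINS)

def registrable_domain(host):
    # Collapse subdomains so api.x.example and cdn.x.example count as one service.
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host

def find_shadow_services(log_text):
    """Return {service: {"users": set, "upload_bytes": int}} for unapproved hosts."""
    report = defaultdict(lambda: {"users": set(), "upload_bytes": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or is_approved(rec["host"]):
            continue
        svc = registrable_domain(rec["host"])
        report[svc]["users"].add(rec["user"])
        if rec["method"] in ("POST", "PUT"):  # uploads indicate data leaving the org
            report[svc]["upload_bytes"] += rec["bytes"]
    return dict(report)

if __name__ == "__main__":
    ranked = sorted(find_shadow_services(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["upload_bytes"])
    for svc, info in ranked:
        print(f"{svc}: {len(info['users'])} user(s), {info['upload_bytes']} bytes uploaded")
```

Ranking by upload volume puts the services most likely to hold company data at the top of the review queue.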

Create Security Awareness Throughout Your Organization

Shadow IT users may have chosen an unapproved service or platform because they weren’t aware of approved options and how to find them. It’s also likely that they lack understanding of the risks associated with shadow IT.

The goal should be to create a company culture of security awareness and to educate non-technical employees on shadow IT and its risks. Providing cybersecurity training programs is an effective way for team members to learn about their responsibility for the company’s overall security. Comprehensive training will also educate employees about the risks of data loss and unintended exposure.

Employees should know how to recognize and avoid cybersecurity threats, how to evaluate a potential solution and where to go for advice. Additionally, providing compelling examples of how unchecked software usage damaged other organizations and individuals can offer memorable reasons not to adopt arbitrary platforms at will.

Set Up Software Review and Approval Solutions

Once you have data on the unapproved software and services, consider reviewing the popular tools for fitness within your organization. Approve solutions that work and forbid the ones that aren’t a good match. Clearly and directly communicate to employees why specific products are not used, and offer solutions that meet the needs of business units currently using the forbidden services. Additionally, make it easy for all team members to discover software and services already covered under an organization-wide license.

IT teams should also create best practices for how employees use external products, and those policies should be in place before new technology is deployed.

Choose a Path That Provides Solutions for All

Shadow IT usage can be tough to uncover, and the reasons for choosing unapproved solutions can be varied. Discovering unsanctioned solutions within your organization is a first step to begin minimizing data loss and offering suitable replacements. Shortening the time to review software solutions already in use can be another option to quickly address the issue and provide a timely alternative. Educating employees on approved and already available solutions can help them make better decisions around the software and services they need to be productive.
