Shadow IT can cause big problems for cybersecurity. The trouble is in the name: these assets exist in the shadows, outside the knowledge of IT (information technology) and security personnel.

So, what can IT leaders do to address it in a time of growing remote workforces?

What is Shadow IT?

Shadow IT consists of information technology connected to the network without the IT department’s knowledge or approval. Typically, people in other departments bypass IT personnel and connect unapproved assets themselves. Shadow IT could be hardware, software, web services or cloud applications that do not fall under the IT department’s purview.

Employees bring shadow IT into the organization for a variety of reasons. They might feel that approved software and services are less effective than alternate resources. Those sanctioned solutions could also be more difficult to work with, in employees’ minds. Finally, there’s simply the chance that people don’t understand the risks that come with connecting shadow IT to the network.

Risks of Shadow IT

Shadow IT carries real cybersecurity costs for an affected organization. For one, IT personnel can’t monitor devices they don’t know about. These products expand the attack surface without giving IT a chance to defend it: if IT doesn’t know a product exists, it can’t apply the updates that fix its security flaws. Those gaps give malicious actors a foothold from which to reach internal systems and steal data.

Shadow IT can also threaten data security long after it is deployed, because these assets depend wholly on whoever purchased and set them up. When that person leaves, the organization may never learn that they used an unapproved customer relationship management (CRM) app to store customers’ contacts, for example. That person could exploit the lack of visibility to keep their access to that data long after they’ve left, possibly after joining a competitor.

Costs Hidden in Shadows

Shadow IT costs are not limited to cybersecurity, either. There are also financial costs to consider. First, shadow IT can trip you up when trying to comply with data protection rules. Take the European Union’s General Data Protection Regulation (GDPR), for instance. Under the regulation, in-scope entities must create and maintain a record of their processing activities and be prepared to show it to the supervisory authority on request. But they can’t do this if they don’t know about all of the assets connected to their network: an unapproved app that stores personal data is also an undocumented processing activity. Such a lack of insight could result in large fines for a lack of control over their systems.

There’s the matter of efficiency, as well. Employees who bring unapproved IT into the organization might feel they’re making their jobs easier and saving money by boosting their productivity. But the opposite may be true: the organization now has technology it did not plan for. At best, these solutions duplicate the functionality of existing ones and add to the cost of maintaining an expanded network. At worst, they conflict with existing solutions and disrupt work, reducing overall profitability.

How to Minimize Shadow IT in Your Organization

Shadow IT matters even more when so many employees are working from home. IT personnel do not have direct access to employees’ devices or home networks, so they cannot know everything employees are installing and connecting. That’s why IT needs to take steps to minimize shadow IT in remote work environments.

As the first step in this process, leadership needs to take responsibility for addressing shadow IT. This will give security and IT teams the buy-in they need to really minimize the risks that come with shadow IT.

One of the best ways IT teams can go about highlighting the dangers of shadow IT is through a security awareness education program. As an example, IT personnel could start with simple checklists that cover fundamental practices at the organization. In particular, they could draw upon training modules that remind employees about existing policies and highlight the official channels for deploying new IT devices and assets.

Complement investment in training with technical controls, too. For instance, IT teams could turn to managed cloud access security brokers (CASBs) to gain visibility into their cloud usage. A CASB discovers the cloud services in use across the organization, assesses the risk of each one and tracks how it is used. Pair it with network traffic analysis tools capable of flagging suspicious or unapproved data flows, such as large uploads to destinations nobody sanctioned. Additionally, organizations should apply the principle of least privilege to limit what services and data employees can access from the start, and consider building a Zero Trust network for their remote work environments.
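To make the discovery step concrete, here is an added example (not code from the original article or any CASB product) of the logic a CASB or traffic-analysis tool applies: it reads web proxy logs, compares each destination against a sanctioned list and a catalogue of known SaaS hosts, reports unsanctioned services by user and upload volume, and separately flags large uploads to destinations that are in neither list. The log format, the sanctioned list, the SaaS catalogue and the log lines are all constructed assumptions for the example.

```python
"""Flag unsanctioned cloud services from web proxy logs.

Added example (not from the original article). The log format, the
sanctioned list and the SaaS catalogue are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed: services the IT department has approved.
SANCTIONED = {"mail.example-corp.com", "crm.approved-vendor.example"}

# Assumed: a catalogue mapping known SaaS hosts to a category, the kind of
# data a CASB vendor supplies. Anything outside it counts as "unknown".
KNOWN_SAAS = {
    "crm.approved-vendor.example": "CRM",
    "crm.shadow-vendor.example": "CRM",
    "share.freeshare.example": "File sharing",
    "notes.quicknotes.example": "Notes",
}

# Constructed sample, one request per line:
# <timestamp> <user> <method> <host> <bytes_sent_by_client>
SAMPLE_LOG = """\
2024-01-10T09:01:12Z alice GET mail.example-corp.com 1200
2024-01-10T09:02:30Z alice POST crm.shadow-vendor.example 540000
2024-01-10T09:03:05Z bob PUT share.freeshare.example 9800000
2024-01-10T09:04:44Z carol GET crm.approved-vendor.example 3000
2024-01-10T09:05:10Z bob POST crm.shadow-vendor.example 220000
2024-01-10T09:06:00Z dave GET news.example.org 45000
2024-01-10T09:07:22Z erin POST upload.unknown-host.example 15000000
this line is deliberately malformed and must be skipped
"""

UPLOAD_METHODS = {"POST", "PUT", "PATCH"}


@dataclass
class Finding:
    host: str
    category: str
    users: set = field(default_factory=set)
    bytes_out: int = 0
    # True when IT already sanctions a service of the same category, i.e.
    # the shadow app duplicates something the organization already pays for.
    duplicates_sanctioned: bool = False


def parse_log(text):
    """Yield (user, method, host, bytes_out) tuples; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        _ts, user, method, host, nbytes = parts
        try:
            yield user, method.upper(), host.lower(), int(nbytes)
        except ValueError:
            continue


def find_shadow_saas(text, sanctioned=SANCTIONED, catalogue=KNOWN_SAAS):
    """Return catalogued-but-unsanctioned services, largest volume first."""
    sanctioned_categories = {catalogue[h] for h in sanctioned if h in catalogue}
    findings = {}
    for user, _method, host, nbytes in parse_log(text):
        if host in sanctioned or host not in catalogue:
            continue
        f = findings.setdefault(host, Finding(host, catalogue[host]))
        f.users.add(user)
        f.bytes_out += nbytes
    for f in findings.values():
        f.duplicates_sanctioned = f.category in sanctioned_categories
    return sorted(findings.values(), key=lambda f: f.bytes_out, reverse=True)


def find_large_uploads_to_unknown(text, threshold, sanctioned=SANCTIONED,
                                  catalogue=KNOWN_SAAS):
    """Return {host: bytes} for uploads to hosts in neither list whose total
    exceeds threshold: the unapproved data flow a catalogue alone misses."""
    totals = defaultdict(int)
    for _user, method, host, nbytes in parse_log(text):
        if method in UPLOAD_METHODS and host not in sanctioned and host not in catalogue:
            totals[host] += nbytes
    return {h: b for h, b in totals.items() if b > threshold}


if __name__ == "__main__":
    for f in find_shadow_saas(SAMPLE_LOG):
        dup = " (duplicates a sanctioned service)" if f.duplicates_sanctioned else ""
        print(f"{f.host}: {f.category}, {len(f.users)} user(s), "
              f"{f.bytes_out} bytes out{dup}")
    for host, total in find_large_uploads_to_unknown(SAMPLE_LOG, 1_000_000).items():
        print(f"unknown destination {host}: {total} bytes uploaded")
```

The two functions map to the two controls the paragraph names: the first is the CASB-style discovery and risk view (who uses what, and whether it duplicates a sanctioned tool, which is the efficiency cost discussed earlier), while the second is the traffic-analysis check that catches the CRM or file-sharing host no catalogue has heard of yet. In production the sanctioned list and catalogue would come from the CASB and the logs from the proxy or DNS resolver, not from constants.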

Out of the Shadows

Supported by C-suite leadership, you can bring shadow IT into the light with security awareness training around relevant policies and robust technical controls. These efforts will help to minimize the chance of shadow IT entering the network going forward.
