Shadow IT can cause big problems for cybersecurity. The trouble is in the name: these connections exist in the shadows, outside the knowledge of the IT (information technology) and security teams that are supposed to protect the network.

So, what can IT leaders do to address it in a time of growing remote workforces?

What is Shadow IT?

Shadow IT consists of information technology connected to the network without the IT department’s knowledge or approval. Typically, people in other departments bypass IT personnel and connect unapproved assets themselves. Shadow IT can be hardware, software, web services or cloud applications, anything that does not fall under the IT department’s purview.

Employees bring shadow IT into the organization for a variety of reasons. They might feel that the approved software and services are less effective than the alternatives, or that the sanctioned solutions are harder to work with. Finally, there’s simply the chance that people don’t understand the risks that come with connecting unapproved technology to the network.

Risks of Shadow IT

Shadow IT comes with a fair share of cybersecurity costs to the affected organization. For one, IT personnel can’t monitor devices and services they don’t know about. These assets therefore expand the attack surface without giving IT any chance to defend it. If IT doesn’t know a product exists, it can’t patch or configure it, so known vulnerabilities stay exposed. Those gaps give malicious actors a way to use the unmanaged assets to gain access to systems and steal data.

Shadow IT also threatens data security over the longer term, because these tools depend entirely on whoever purchased and deployed them. When that person leaves, the organization may never learn that they used, for example, an unapproved customer relationship management (CRM) app to store customers’ contacts. The former employee could exploit that lack of visibility to retain access to the data long after they’ve left, possibly after joining a competitor.

Costs Hidden in Shadows

Shadow IT costs are not limited to the realm of cybersecurity, either. There are also financial costs to consider. First, an organization could run into compliance issues stemming from its shadow IT when trying to meet data protection rules. Take the European Union’s General Data Protection Regulation (GDPR), for instance. Under the regulation (Article 30), in-scope entities must create and maintain a record of their data processing activities and be prepared to show those records to the relevant authorities upon request. They can’t do this if they don’t know about all of the assets connected to their network that process personal data. Such a lack of insight could result in large fines for failing to maintain control over their systems.

There’s the matter of efficiency, as well. Employees who bring unapproved IT devices into the organization might feel like they’re making their jobs easier and saving money by boosting their productivity. But the opposite might actually be true. The reality is that the organization now has technology for which it did not plan. At best, these solutions duplicate the functionality of existing ones and add to the cost of maintaining an expanded network. At worst, they conflict with existing solutions and disrupt work, reducing overall profitability.

How to Minimize Shadow IT in Your Organization

Shadow IT matters even more when so many employees are working from home. IT personnel have no direct access to employees’ devices, so they cannot know everything employees install or connect on their home networks. That’s why IT needs to take deliberate steps to minimize shadow IT in remote work environments.

As the first step in this process, leadership needs to take responsibility for addressing shadow IT. This will give security and IT teams the buy-in they need to really minimize the risks that come with shadow IT.

One of the best ways for IT teams to highlight the dangers of shadow IT is a security awareness education program. As an example, IT personnel could start with simple checklists that cover the organization’s fundamental practices. In particular, they could use training modules that remind employees of existing policies and point them to the official channels for requesting and deploying new IT devices and services.

Complement the investment in training with technical controls, too. For instance, IT teams can use managed cloud access security brokers (CASBs) to gain visibility into their cloud usage. A managed CASB discovers the cloud services in use across the organization, produces a risk assessment for each service and tracks how each one is used. Such solutions should include network traffic analysis capable of flagging suspicious or unapproved data flows. Additionally, organizations should apply the principle of least privilege, limiting from the outset which services and data each employee can reach, and build their remote work environments on a Zero Trust model.
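The discovery step a CASB or traffic analysis tool performs can be approximated from ordinary proxy logs: extract the destination of each request, drop anything that belongs to a sanctioned service, and aggregate what remains by service and user. The script below is an added example written for this article, not code from any CASB product; the log format, the allowlist and the log lines themselves are constructed, and the 100 MB upload threshold is an arbitrary assumption standing in for the "unapproved data flow" check.

```python
"""Shadow-SaaS discovery over proxy logs (added example, hypothetical format)."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Hypothetical sanctioned-service allowlist (registrable domains). Assumption:
# any host equal to, or a subdomain of, one of these entries is approved.
SANCTIONED_DOMAINS = {"office.com", "sharepoint.com", "salesforce.com", "corp.example.com"}

# Constructed proxy log lines, space-separated:
#   <iso-timestamp> <user> <src-ip> <method> <host>:<port> <bytes_out> <bytes_in>
# One malformed line is included to show that a bad record is skipped, not fatal.
SAMPLE_LOG = """\
2023-03-01T09:12:44Z alice 10.0.1.12 CONNECT outlook.office.com:443 5120 40960
2023-03-01T09:13:02Z alice 10.0.1.12 CONNECT drive.google.com:443 734003200 2048
2023-03-01T09:15:10Z bob 10.0.1.33 CONNECT app.hubspot.com:443 81920 16384
2023-03-01T09:16:55Z bob 10.0.1.33 CONNECT corp.example.com:443 1024 8192
2023-03-01T09:20:01Z carol 10.0.1.40 CONNECT wetransfer.com:443 2147483648 512
2023-03-01T09:21:30Z carol 10.0.1.40 CONNECT 203.0.113.7:443 4096 4096
this line is garbage and should be skipped
2023-03-01T09:25:00Z alice 10.0.1.12 CONNECT docs.google.com:443 10240 65536
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<src>\S+) (?P<method>\S+) "
    r"(?P<host>[^:\s]+):(?P<port>\d+) (?P<out>\d+) (?P<in>\d+)$"
)
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). Enough to group subdomains of one SaaS
    vendor here; a real deployment should consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_sanctioned(host: str) -> bool:
    """Exact or proper-subdomain match only, so 'office.com.evil.net' and
    'notoffice.com' are NOT treated as approved."""
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in SANCTIONED_DOMAINS)


@dataclass
class Finding:
    service: str
    users: set = field(default_factory=set)
    bytes_out: int = 0
    requests: int = 0


def discover_unsanctioned(log_text: str, upload_alert_bytes: int = 100 * 1024 * 1024):
    """Return unsanctioned destinations aggregated by service, largest uploader
    first. 'exfil_alert' marks services whose total upload volume crosses the
    (assumed) threshold, i.e. a candidate unapproved data flow."""
    findings: dict[str, Finding] = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed record: skip rather than abort the whole run
        host = m["host"]
        if is_sanctioned(host):
            continue
        # Bare IP destinations cannot be attributed to a vendor; keep them as-is.
        key = host if IPV4_RE.match(host) else registrable_domain(host)
        f = findings.setdefault(key, Finding(service=key))
        f.users.add(m["user"])
        f.bytes_out += int(m["out"])
        f.requests += 1
    return [
        {
            "service": f.service,
            "users": sorted(f.users),
            "requests": f.requests,
            "bytes_out": f.bytes_out,
            "exfil_alert": f.bytes_out >= upload_alert_bytes,
        }
        for f in sorted(findings.values(), key=lambda x: -x.bytes_out)
    ]


if __name__ == "__main__":
    for row in discover_unsanctioned(SAMPLE_LOG):
        flag = "ALERT" if row["exfil_alert"] else "     "
        print(f"{flag} {row['service']:<16} users={row['users']} "
              f"requests={row['requests']} bytes_out={row['bytes_out']}")
```

Run against the constructed log, the two Google hosts collapse into one `google.com` finding for alice, wetransfer.com and google.com trip the upload alert, and the bare IP destination is reported separately because it cannot be tied to a known vendor. The output is the starting point for the risk assessment described above: each unsanctioned service either gets reviewed and approved, or blocked at the proxy.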

Out of the Shadows

Supported by C-suite leadership, you can bring shadow IT into the light with security awareness training around relevant policies and robust technical controls. These efforts will help to minimize the chance of shadow IT entering the network going forward.
