Shadow IT can cause big problems for cybersecurity. The trouble is in the name: these connections exist in the shadows outside of IT (information technology) and security personnel’s knowledge.

So, what can IT leaders do to address it in a time of growing remote workforces?

What is Shadow IT?

Shadow IT consists of information technology connected to the network without the IT department’s knowledge or approval. Maybe people from other departments bypass IT personnel and connect unapproved assets. Shadow IT could be hardware, software, web services or cloud applications that do not fall under the IT department’s purview.

Employees bring shadow IT into the organization for a variety of reasons. They might feel that approved software and services are less effective than alternate resources. Those sanctioned solutions could also be more difficult to work with, in employees’ minds. Finally, there’s simply the chance that people don’t understand the risks that come with connecting shadow IT to the network.

Risks of Shadow IT

Shadow IT comes with a fair share of cybersecurity costs to an affected group. For one, IT personnel can’t monitor these connected devices if they don’t know about them. These products thereby increase attack surfaces without allowing IT to take defensive measures. If IT doesn’t know the product exists, they can’t apply updates to fix security risks. These gaps open space for malicious actors using those devices to gain access to systems and steal data.

Shadow IT could also threaten data security in the future. This is due to the fact that these devices are wholly dependent on whoever purchased and deployed them. When that person leaves, the group won’t know that they might have used an unapproved customer relationship management (CRM) app to store customers’ contacts, for example. That person could use that lack of visibility to maintain their access to that data long after they’ve left and possibly joined a rival effort.

Costs Hidden in Shadows

Shadow IT costs are not limited to the realm of cybersecurity, either. There are also financial costs to consider. First, you could run into issues stemming from shadow IT when attempting to comply with data protection rules. Take the European Union’s General Data Protection Regulation (GDPR), for instance. Under the regulation, in-scope entities must create and maintain a record of all of their internal data processing and be prepared to show those records to the relevant authorities upon request. But they can’t do this if they don’t know about all of the assets that are connected to their network. Such a lack of insight could result in large fines for a lack of control over their systems.

There’s the matter of being efficient, as well. Employees who bring unapproved IT devices into the organization might feel like they’re making their jobs easier and saving money by boosting their productivity. But the opposite might actually be true. The reality is that the group now has technology for which it did not plan. At best, these solutions could replicate the functionality of existing ones and thereby add to the financial cost of maintaining an expanded network. At worst, they could conflict with existing solutions and disrupt work, thereby reducing overall profitability.

How to Minimize Shadow IT in Your Organization

Shadow IT matters a lot when so many employees are working from home. IT personnel do not have direct access to employees’ devices, so they cannot know everything employees install on their home networks. That’s why IT needs to take steps to minimize shadow IT in remote work environments.

As the first step in this process, leadership needs to take responsibility for addressing shadow IT. This will give security and IT teams the buy-in they need to really minimize the risks that come with shadow IT.

One of the best ways IT teams can go about highlighting the dangers of shadow IT is through a security awareness education program. As an example, IT personnel could start with simple checklists that cover fundamental practices at the organization. In particular, they could draw upon training modules that remind employees about existing policies and highlight the official channels for deploying new IT devices and assets.

Complement investment in training with technical controls, too. For instance, IT teams could turn to managed cloud access security brokers (CASBs) to gain visibility into their cloud environments. Managed CASBs detect all cloud services in use within the group, build a risk assessment for each cloud service and keep track of usage within those environments. Those solutions should include network traffic analysis tools capable of flagging suspicious or unapproved data flows. Additionally, organizations might want to consider abiding by the principle of least privilege so as to limit from the outset which services and data employees can access, as well as building a Zero Trust network in their remote work environments.
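To make the traffic-analysis idea concrete, here is an added example (not code from the article or any CASB product) that flags destinations in proxy logs that are not on an IT-maintained allowlist of sanctioned services and ranks them by bytes sent. The log format, the allowlist and the log lines are all constructed for the demonstration.

```python
"""Flag unsanctioned cloud services in proxy logs (added example, not from the article).

Assumed (constructed) proxy log format, one request per line:
  <timestamp> <user> <destination_host> <bytes_sent>
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed allowlist of sanctioned services (assumption: maintained by IT).
APPROVED_DOMAINS = {"mail.example-corp.com", "crm.example-corp.com", "storage.example-corp.com"}

# Constructed sample proxy log lines for the demonstration.
SAMPLE_LOG = """\
2024-05-01T09:02:11Z alice crm.example-corp.com 4120
2024-05-01T09:05:43Z bob files.unapproved-share.example 2048000
2024-05-01T09:06:02Z alice notes.personal-saas.example 512
2024-05-01T09:07:30Z bob files.unapproved-share.example 1024000
2024-05-01T09:09:15Z carol storage.example-corp.com 80000
"""

def parse_line(line: str) -> Tuple[str, str, str, int]:
    ts, user, host, sent = line.split()
    return ts, user, host.lower(), int(sent)

def is_approved(host: str, approved=APPROVED_DOMAINS) -> bool:
    """True if the host or any of its parent domains is on the allowlist."""
    parts = host.split(".")
    return any(".".join(parts[i:]) in approved for i in range(len(parts)))

def find_shadow_services(log_text: str, approved=APPROVED_DOMAINS) -> Dict[str, Dict[str, int]]:
    """Return {host: {user: bytes_sent}} for every destination not on the allowlist."""
    findings = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, user, host, sent = parse_line(line)
        if not is_approved(host, approved):
            findings[host][user] += sent
    return {h: dict(u) for h, u in findings.items()}

def rank_by_volume(findings: Dict[str, Dict[str, int]]) -> List[Tuple[str, int]]:
    """Order unapproved services by total bytes sent, largest first, for triage."""
    totals = [(host, sum(users.values())) for host, users in findings.items()]
    return sorted(totals, key=lambda t: t[1], reverse=True)

if __name__ == "__main__":
    found = find_shadow_services(SAMPLE_LOG)
    for host, total in rank_by_volume(found):
        print(f"{host}: {total} bytes sent by {sorted(found[host])}")
```

Suffix matching means a subdomain of an approved service is treated as approved, while a lookalike that merely embeds an approved name as a prefix is not.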

Out of the Shadows

Supported by C-suite leadership, you can bring shadow IT into the light with security awareness training around relevant policies and robust technical controls. These efforts will help to minimize the chance of shadow IT entering the network going forward.
