Shadow IT can cause big problems for cybersecurity. The trouble is in the name: these connections exist in the shadows outside of IT (information technology) and security personnel’s knowledge.

So, what can IT leaders do to address it in a time of growing remote workforces?

What is Shadow IT?

Shadow IT consists of information technology connected to the network without the IT department’s knowledge or approval. Maybe people from other departments bypass IT personnel and connect unapproved assets. Shadow IT could be hardware, software, web services or cloud applications that do not fall under the IT department’s purview.

Employees bring shadow IT into the organization for a variety of reasons. They might feel that approved software and services are less effective than alternate resources. Those sanctioned solutions could also be more difficult to work with, in employees’ minds. Finally, there’s simply the chance that people don’t understand the risks that come with connecting shadow IT to the network.

Risks of Shadow IT

Shadow IT comes with a fair share of cybersecurity costs to an affected organization. For one, IT personnel can’t monitor connected devices they don’t know about. These assets therefore expand the attack surface without giving IT any chance to defend them. If IT doesn’t know a product exists, it can’t apply the updates that fix security flaws. Those gaps leave room for malicious actors to use such devices to gain access to systems and steal data.

Shadow IT could also threaten data security in the future, because these devices and services are wholly dependent on whoever purchased and deployed them. When that person leaves, the organization won’t know that they might have used an unapproved customer relationship management (CRM) app to store customers’ contacts, for example. That person could exploit the lack of visibility to keep their access to that data long after they’ve left, possibly to join a competitor.

Costs Hidden in Shadows

Shadow IT costs are not limited to the realm of cybersecurity, either. There are also financial costs to consider. First, your shadow IT could cause problems when you attempt to comply with data protection rules. Take the European Union’s General Data Protection Regulation (GDPR), for instance. Under the regulation, in-scope entities must create and maintain a record of all of their internal data processing and be prepared to show those records to the relevant authorities upon request. But they can’t do this if they don’t know about all of the assets connected to their network. Such a lack of insight could result in large fines for a lack of control over their systems.

There’s the matter of efficiency, as well. Employees who bring unapproved IT devices into the organization might feel like they’re making their jobs easier and saving money by boosting their productivity. But the opposite might actually be true. The reality is that the organization now has technology it did not plan for. At best, these solutions duplicate the functionality of existing ones and thereby add to the cost of maintaining an expanded network. At worst, they conflict with existing solutions and disrupt work, reducing overall profitability.

How to Minimize Shadow IT in Your Organization

Shadow IT matters a lot when so many employees are working from home. IT personnel do not have direct access to employees’ devices, so they can’t know everything employees are installing on their home networks. That’s why IT needs to take steps to minimize shadow IT in remote work environments.

As the first step in this process, leadership needs to take responsibility for addressing shadow IT. This will give security and IT teams the buy-in they need to really minimize the risks that come with shadow IT.

One of the best ways IT teams can go about highlighting the dangers of shadow IT is through a security awareness education program. As an example, IT personnel could start with simple checklists that cover fundamental practices at the organization. In particular, they could draw upon training modules that remind employees about existing policies and highlight the official channels for deploying new IT devices and assets.

Complement investment in training with technical controls, too. For instance, IT teams could turn to managed cloud access security brokers (CASBs) to gain visibility into their cloud environments. Managed CASBs discover all cloud services in use within the organization, produce a risk assessment for each service and keep track of usage within those environments. Those solutions should include network traffic analysis tools capable of flagging suspicious or unapproved data flows. Additionally, organizations might want to apply the principle of least privilege, limiting which services and data employees can access from the start, and build a Zero Trust network for their remote work environments.
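The discovery step a CASB performs can be illustrated with a small script, added here as an example and not taken from the article or any vendor product. It assumes a constructed, whitespace-separated proxy log (timestamp, user, destination host, bytes) and a hypothetical inventory of sanctioned domains maintained by IT; every destination outside that inventory is reported with the distinct users and volume behind it, ranked so the most widely adopted unapproved services surface first.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines: timestamp user dest_host bytes (not real data).
SAMPLE_LOGS = """\
2024-03-04T09:12:01 alice crm.example-saas.com 5120
2024-03-04T09:13:44 bob files.sanctioned-drive.example 88120
2024-03-04T09:15:09 carol crm.example-saas.com 2048
2024-03-04T09:20:30 alice notes.unlisted-app.example 1024
2024-03-04T09:21:11 dave files.sanctioned-drive.example 40960
2024-03-04T09:30:00 erin mail.sanctioned-mail.example 300
"""

# Hypothetical sanctioned-service inventory as IT would maintain it (apex domains).
SANCTIONED = {"sanctioned-drive.example", "sanctioned-mail.example"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")

def apex(host):
    """Reduce a hostname to its last two labels (a deliberately simple heuristic)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])

def discover_unsanctioned(log_text, sanctioned):
    """Return {apex_domain: {"users": set, "bytes": int, "requests": int}}
    for every destination that is not in the sanctioned inventory."""
    findings = defaultdict(lambda: {"users": set(), "bytes": 0, "requests": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        _ts, user, host, nbytes = m.groups()
        domain = apex(host)
        if domain in sanctioned:
            continue
        entry = findings[domain]
        entry["users"].add(user)
        entry["bytes"] += int(nbytes)
        entry["requests"] += 1
    return dict(findings)

def rank_findings(findings):
    """Order by distinct users, then bytes, so broadly adopted services come first."""
    return sorted(findings.items(),
                  key=lambda kv: (len(kv[1]["users"]), kv[1]["bytes"]), reverse=True)

if __name__ == "__main__":
    for domain, f in rank_findings(discover_unsanctioned(SAMPLE_LOGS, SANCTIONED)):
        print(f"{domain}: {len(f['users'])} users, {f['requests']} requests, {f['bytes']} bytes")
```

A real deployment would feed the same logic from the proxy, DNS or CASB export and treat a multi-user unsanctioned service as a candidate for either onboarding into the approved inventory or a policy conversation, not an automatic block.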

Out of the Shadows

Supported by C-suite leadership, you can bring shadow IT into the light with security awareness training around relevant policies and robust technical controls. These efforts will help to minimize the chance of shadow IT entering the network going forward.
