Information security is all about protecting data, so an effective cybersecurity policy has to include app security provisions that protect data generated on user endpoints. That’s easier said than done, however; after all, to secure applications, you have to know what applications your employees are using.

Employees rely on apps for almost every type of task, and they aren’t all using the same types of devices to access these apps. Thanks to the rise of bring-your-own-device (BYOD), the overall mobile workforce and, perhaps most significantly, the growing blur between professional and personal devices, it’s common to use apps and hardware that aren’t authorized by the IT department.

This unauthorized use is known as shadow IT, and it’s a nightmare for those in charge of security. You can’t protect what you don’t know — and endpoint users are unwittingly putting company data at risk every day.

Identifying App Security Perps

According to June 2018 research from Nintex, an intelligent process automation platform, almost two-thirds of employees find that they have broken IT processes within their company. As problems and concerns linger, employees have turned to shadow IT devices to address their own problems.

However, the most surprising finding in this survey may be that the worst culprit of shadow IT use is your own IT staff. That’s right: Sixty percent of the people who are charged to protect your company from rogue application use are those creating app security risks.

Resolving IT Issues

Perhaps because of its overall workload, IT departments are often slow respond to software and application problems. When issues remain unaddressed, employees take matters into their own hands: Forty percent of Nintex’s respondents said they have engaged in shadow IT as a “direct result” of outstanding IT problems.

The benefit of having a strong internal IT staff is that they are your front line for testing new technologies and apps. Unfortunately, technology proficiency doesn’t equal security proficiency, so as they introduce unauthorized devices and apps to the network, they may not immediately recognize the risks or vulnerabilities attached.

Nor is it always current employees that are a threat. One of the most commonly broken IT processes involves the information access of former employees, something that one in five survey respondents cited as an issue in their company. If those former employees engaged in shadow IT, they may still have corporate data stored on their devices or apps. Because they were using unsanctioned endpoints, neither IT nor leadership has any idea what might be out there, unprotected and at risk of becoming breached.

Why do network and application questions and concerns linger? Often, IT staff are the victims of a broken system. Their own bosses may be dropping the ball when it comes to accountability. We expect our IT staff to oversee any system problems because the “computer guys” are the company face of technology solutions.

However, these same computer guys may face obstacles the rest of the company doesn’t see — budget restraints, tasks unrelated to their formal job duties, understaffing and more. More accountability for unresolved IT issues needs to be directed by those in C-level positions, including more input from the chief information security officer (CISO) to better address app security and shadow IT threats. The CISO should be the voice of security reason within the company, including the dangers of using unauthorized software.

Protecting From Shadow IT

The use of unauthorized apps and devices opens an organization to any number of problems, from basic process efficiency to serious security threats. Unsanctioned devices and software can jam bandwidth, decreasing employee productivity. It can lead to data breaches or theft, which could cost millions of dollars in lost business or fines should an organization fail to satisfy the General Data Protection Regulation (GDPR) compliance from the European Union (EU) or other industry and government regulations. This can also result in the loss of certifications and licenses.

Addressing shadow IT and device security should start at the top. Leadership should take more responsibility for network security and provide IT the support it needs to respond more quickly to broken processes. The use of unsanctioned software and devices should be monitored by someone outside of IT — such as a C-level executive like the chief information officer (CIO) or CISO, security team or managed service provider — and IT should then be encouraged to set an example by endorsing and enforcing authorized device and app use. This way, the ownership of proprietary data security will trickle down and calcify into the entire organizational structure, rather than straining uphill toward success.

At the same time, IT deserves the leeway to introduce new technologies into the company through authorized policy. With that line between personal and business devices increasingly unclear, it is easy for shadow IT to sneak past the network checkpoints. But by not having a plan in place and not requiring quicker response times, shadow IT can end up causing a lot of damage.

More from Application Security

What’s up India? PixPirate is back and spreading via WhatsApp

8 min read - This blog post is the continuation of a previous blog regarding PixPirate malware. If you haven’t read the initial post, please take a couple of minutes to get caught up before diving into this content. PixPirate malware consists of two components: a downloader application and a droppee application, and both are custom-made and operated by the same fraudster group. Although the traditional role of a downloader is to install the droppee on the victim device, with PixPirate, the downloader also…

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

From federation to fabric: IAM’s evolution

15 min read - In the modern day, we’ve come to expect that our various applications can share our identity information with one another. Most of our core systems federate seamlessly and bi-directionally. This means that you can quite easily register and log in to a given service with the user account from another service or even invert that process (technically possible, not always advisable). But what is the next step in our evolution towards greater interoperability between our applications, services and systems?Identity and…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today