Information security is all about protecting data, so an effective cybersecurity policy has to include app security provisions that protect data generated on user endpoints. That’s easier said than done, however; after all, to secure applications, you have to know what applications your employees are using.

Employees rely on apps for almost every type of task, and they aren’t all using the same types of devices to access these apps. Thanks to the rise of bring-your-own-device (BYOD), the overall mobile workforce and, perhaps most significantly, the growing blur between professional and personal devices, it’s common to use apps and hardware that aren’t authorized by the IT department.

This unauthorized use is known as shadow IT, and it’s a nightmare for those in charge of security. You can’t protect what you don’t know — and endpoint users are unwittingly putting company data at risk every day.

Identifying App Security Perps

According to June 2018 research from Nintex, an intelligent process automation platform, almost two-thirds of employees find that they have broken IT processes within their company. As problems and concerns linger, employees have turned to shadow IT devices to address their own problems.

However, the most surprising finding in this survey may be that the worst culprit of shadow IT use is your own IT staff. That’s right: Sixty percent of the people who are charged with protecting your company from rogue application use are the ones creating app security risks.

Resolving IT Issues

Perhaps because of their overall workload, IT departments are often slow to respond to software and application problems. When issues remain unaddressed, employees take matters into their own hands: Forty percent of Nintex’s respondents said they have engaged in shadow IT as a “direct result” of outstanding IT problems.

The benefit of having a strong internal IT staff is that they are your front line for testing new technologies and apps. Unfortunately, technology proficiency doesn’t equal security proficiency, so as they introduce unauthorized devices and apps to the network, they may not immediately recognize the risks or vulnerabilities attached.

Nor are current employees the only threat. One of the most commonly broken IT processes involves the information access of former employees, something that one in five survey respondents cited as an issue in their company. If those former employees engaged in shadow IT, they may still have corporate data stored on their devices or apps. Because they were using unsanctioned endpoints, neither IT nor leadership has any idea what might be out there, unprotected and at risk of being breached.

Why do network and application questions and concerns linger? Often, IT staff are the victims of a broken system. Their own bosses may be dropping the ball when it comes to accountability. We expect our IT staff to oversee any system problems because the “computer guys” are the company face of technology solutions.

However, these same computer guys may face obstacles the rest of the company doesn’t see — budget constraints, tasks unrelated to their formal job duties, understaffing and more. Accountability for unresolved IT issues needs to be driven by those in C-level positions, including more input from the chief information security officer (CISO), to better address app security and shadow IT threats. The CISO should be the voice of security reason within the company, including on the dangers of using unauthorized software.

Protecting From Shadow IT

The use of unauthorized apps and devices opens an organization to any number of problems, from basic process inefficiency to serious security threats. Unsanctioned devices and software can jam bandwidth, decreasing employee productivity. They can also lead to data breaches or theft, which could cost millions of dollars in lost business or fines should an organization fail to comply with the European Union’s (EU) General Data Protection Regulation (GDPR) or other industry and government regulations. This can also result in the loss of certifications and licenses.

Addressing shadow IT and device security should start at the top. Leadership should take more responsibility for network security and provide IT the support it needs to respond more quickly to broken processes. The use of unsanctioned software and devices should be monitored by someone outside of IT — such as a C-level executive like the chief information officer (CIO) or CISO, the security team or a managed service provider — and IT should then be encouraged to set an example by endorsing and enforcing authorized device and app use. This way, ownership of proprietary data security trickles down and takes hold throughout the organizational structure, rather than being pushed uphill by IT alone.

At the same time, IT deserves the leeway to introduce new technologies into the company through authorized policy. With the line between personal and business devices increasingly unclear, it is easy for shadow IT to sneak past the network checkpoints. But without a plan in place and without requiring quicker response times, an organization leaves shadow IT free to cause a lot of damage.
