Regardless of your take on the recent high-profile use of Signal by U.S. government officials planning a military offensive, it is a prime example of Shadow IT and the cybersecurity risks it introduces to business networks.
Shadow IT is a common practice typically fueled by innocent-enough intentions: Employees go looking for, download, and then use apps, often free, for business purposes without the approval of IT administrators. These team members aren't trying to circumvent or undermine cybersecurity measures; most often, they are trying to get work done faster or avoid a cumbersome internal solution. Shadow IT often involves cloud-based apps, mobile apps, or even undisclosed personal devices, and can include such well-known solutions as Google Docs or Slack that are being used without authorization or the proper security protocols in place.
What Risks Does Shadow IT Create?
Even if the intent is good, it is essential to educate employees on the dangers of Shadow IT. Shadow IT creates blind spots in cybersecurity systems, and these tools can lack other business-class settings crucial for protecting access to both networks and data.
Risks that come with shadow IT usage include:
- Data breaches: Employees may store sensitive or private data on unsecured systems or in unencrypted formats, which increases the risk of data breaches and data compromise.
- Compliance violations: Systems or services that do not comply with a business's security policies can leave the organization at risk of fines or penalties if they operate in a federally regulated industry.
- Malware: Unapproved apps may be fake or compromised and carry malware that can infiltrate the organization's network, putting the entire environment at risk.
- Lack of visibility: Without a clear overview of all IT solutions and tools used by employees, in-house IT teams and MSPs can't effectively monitor or control access to sensitive data.
- Vulnerability: Most employees don't know how to properly vet software or apps, which means they could be fake. Even if the solution is a trusted tool, it may not be current with security patches and other critical updates.
- Data silos: Data silos form when employees use unapproved systems and software, making it difficult to share data or access critical information.
Why do employees use shadow IT?
Most employees don't engage with Shadow IT maliciously but rather are unaware of the risks. It may seem safe enough to use an unauthorized but well-known tool such as Dropbox, but without the right protocols, there is risk, nonetheless.
Other reasons an employee may use unauthorized tools include:
- Unclear or missing policies on Shadow IT: Employees may not know what systems are approved by the organization and what are not, or how to find out. Overall, frustration and lack of support drive most use of Shadow IT.
- Challenges with approved systems: Working around a difficult-to-use existing solution is one of the leading reasons employees go rogue. User experience should be a key component as your organization selects IT solutions, because the simple fact is, people will find a way around challenging systems.
- Convenience: Employees may use a personal device or cloud service that they are already familiar with to complete a task instead of wading through a complex or slow approval process. This goes hand in hand with the common perception that an organization's IT department "doesn't care" that approved solutions aren't working or are cumbersome to use.
How Can You Prevent Shadow IT?
Detecting and managing Shadow IT is often part of your managed services partner's solution set since they rely on sophisticated tools that can often detect Shadow IT. Your MSP can also establish sophisticated IT access policies that prevent unapproved downloads and installations of suspect software or apps. We all have run up against that "admin login required" pop-up – and for good reasons. Access control is one of the simplest ways to manage the challenge of Shadow IT.
- Be sure your team is trained on security risks and common attack vectors, including Shadow IT. Again, most employees use Shadow IT out of a lack of understanding, so include updates on approved IT policies and a review of Shadow IT risks in your regularly scheduled security awareness training.
- Your MSP can help tighten up your IT asset management to make it more difficult for employees to sneak in unauthorized tools and devices. A clear inventory of all IT systems and software used by the organization can be a simple first step in identifying and managing shadow IT.
- Leverage advanced endpoint security management solutions to control access to cloud services, identify and block malicious traffic, and monitor for compliance violations. With managed threat detection and response solutions, particularly those supported by a SOC, new software, devices, and cloud traffic are much more easily tracked and therefore controlled.
- Lastly, take the time to involve employees in technology investment planning. If you're evaluating a tool that your team will use regularly, slowing down the process to allow for testing and feedback on the user experience will empower employees who will depend on the solution to have a say. After all, deploying a solution no one uses not only wastes resources, but it also opens the door to Shadow IT and much larger problems.
Remember, any time you have questions, reach out to your MSP or us. We'll be happy to talk.
