Summary: A rapidly growing trend, “Shadow IT” is the use of unapproved IT systems and solutions within organizations. End users are increasingly bypassing IT in favor of third-party solutions and services. In this article, we explore the security risks of Shadow IT and a few ways to reduce these risks.
Like it or not, Shadow IT is probably alive and well in your organization. It exists in most companies, but the majority of CIOs and IT leaders underestimate its reach.
How bad is it? According to one report, the use of Shadow IT is 15-20 times higher than CIOs predict.
Why is this such a problem? If uncontrolled, Shadow IT will open your business up to a number of security risks, such as:
- Data privacy risks: When employees purchase and use third-party software without IT’s knowledge, they could put sensitive data at risk. How can IT secure the data if they don’t know it exists? How can IT ensure that the employee’s software is secure if they don’t know what it is? They can’t.
- Compliance risks: For many companies, regulatory compliance is critical. The problem is, Shadow IT can lead directly to compliance violations. Without knowledge of users’ activity, the IT department can’t ensure compliance. For regulated businesses, this can lead to data loss, fines, and significant vulnerabilities.
- Enterprise security risks: Users have notoriously bad password habits. Chances are, if an attacker gains an employee’s login credentials for one site, they can use the same information to gain access to another. If the employee uses the same password for enterprise application access, they’ve just given an attacker the keys to your business data.
The question is, how can you protect your business from these risks? Today, let’s explore that topic. Here are 6 ways to reduce Shadow IT security risks.
1. Discover where Shadow IT is hiding
The first step to reducing the risks of Shadow IT: Understand the extent of the problem. You can do this in a couple of different ways.
First, survey your employees. Ask them what software and services they use regularly. You’d be surprised how many unauthorized tools you’ll uncover, simply because the employees don’t realize they’re practicing Shadow IT.
Second, track network traffic. As explained below, the use of scanning techniques will help you identify unauthorized software and systems that are using your network.
“Systems and applications established without corporate knowledge and oversight are inherently at risk of non-compliance with security regulations, unaddressed security vulnerabilities, and unauthorized access,” says Doug Landoll, CEO, Lantego. “In order to address these issues the organization must seek to identify Shadow IT within their organization. One approach is that of discovery through an annual security assessment that seeks to identify all systems through various scanning techniques. Found systems are then matched with known systems and the balance needs to be addressed as Shadow IT. Discovery of Shadow IT is important because these systems provide access to corporate data and therefore must be protected according to the corporate needs (not the department or individual’s need who set up the Shadow IT). Bringing these systems to light is the first step in providing appropriate corporate oversight.”
2. Identify the unmet need
Once you’ve identified unauthorized software and systems, you must punish those who are using them…right?
Let me explain. Shadow IT is not the problem. It’s a symptom of a larger problem: Employees aren’t getting the solutions they need from the business. If you try to eliminate Shadow IT without addressing this problem, you’ll only perpetuate the issue. If you want to reduce Shadow IT security risks, you must address the real problem head on.
“Shadow IT exists when corporate IT is failing in a fundamental way,” says Jonathan Gossels, President, SystemExperts Corporation. “We’ve seen currency traders set up their own development shops because corporate development was perceived to be too slow or bureaucratic. We’ve seen Wall Street traders set up their own wireless access points so they could keep an eye on things when they were at the pub across the street for lunch.
No department or line of business wants to set up its own IT infrastructure and bear that budget burden – they only do so because they feel that they have no choice to be successful in the tasks they are measured and compensated on.
It is like finding mouse droppings. If you see shadow IT, it is a clear indication that there is an unmet business need. Organizations need to investigate those unmet requirements and provide the appropriate IT services in a timely, secure, and policy compliant manner.”
So, how can you identify these unmet needs? You’ll get a good idea based on the software and systems you identified in the discovery phase. However, the best method: Ask them.
“Survey your employees to see how IT can better serve them,” says Trey Hawkins, CTO of Leapfrog Services. “You’ll find out about their frustrations and how much of your company’s Shadow IT revolves around consuming information versus creating or sending information.”
3. Change the culture
Sadly, in many companies, IT has developed a “culture of no.” End users feel like IT only gets in the way. It seems like IT looks for reasons to deny requests rather than try to find solutions.
This “technology gatekeeper” mentality may have worked when IT was the only option, but that’s not the case anymore. Now, if IT is viewed as a barrier, end users find their own ways to accomplish their goals.
As explained below, changing this culture is a huge step towards controlling Shadow IT.
“For IT departments, the best policies to prevent Shadow IT, or manage proliferation of rogue systems, operate on the premise of transparency and understanding of the business,” says Morey Haber, VP of Technology at BeyondTrust. “IT departments should adopt policies of “yes, I can help you” versus resistance to change, saying “no,” or just the adoption of new technologies. When departments understand and embrace IT policies that provide enablement, Shadow IT environments tend to dry up and new ones do not form.”
Now, I know what you’re thinking. Should IT departments just approve every user request? Should they give users everything they want, just to keep from getting bypassed? Of course not. The key to success lies in helping the users meet their needs in a secure way–not just giving them what they want.
“The trick to managing Shadow IT is balancing security with the requests,” explains Morey. “Just because something sounds like a great idea and may be easy to implement, may not be in the best interests of the company to secure data, permissions, and infrastructure. Setting up your own private guest wireless network off the LAN is a traditional example of Shadow IT and rogue access points. The balance is agreeing on the need, improvements to the business, and adopting a secure model to make it work. This requires a little give and take from both sides, but results in a supportable and secure solution that can be the objectives of all teams.”
4. Give the users the tools they need
The best way to reduce security risks: Make Shadow IT completely unnecessary. As explained above, Shadow IT largely occurs because the business users aren’t getting the solutions they need from IT. If you successfully deliver these solutions, you eliminate the driving force behind the problem.
“While there certainly are proactive ways in which the security risks of shadow IT can be mitigated, the best solution is to bring shadow IT out of the shadows and into the open across the IT landscape,” says Brian Kelley, CIO of Portage County. “By leveraging the technology tools that users sorely need to be more efficient and to benefit the bottom line, business leaders can reduce the risks and hidden dangers inherent with the unstoppable force of shadow IT by bringing it into the open. This will require better aligning the business with IT, improving communication with managers and users, and reducing the complexity of IT procurement.”
Now, I want to emphasize a couple of points that Kelley mentioned above: This process requires alignment and communication.
Communication is absolutely essential in this process. Don’t assume you know best. Don’t give users a solution without involving them in the process. Work with the users to find a solution that meets their needs, and IT’s security requirements.
One more thing: The goal of this step is controlled, self-service solutions. Any software you provide must meet two important criteria:
- Self-service: Users must be able to use the solution on their own, without involving IT for every request.
- Control: IT must still be able to control data and user access.
When you deliver controlled, self-service options, your business gets the best of both worlds. Users get the solutions they need quickly, and IT can still secure the data and applications.
5. Educate the users
In most cases, employees aren’t practicing Shadow IT maliciously. They’re trying to solve a problem. Most don’t realize the security risks of their actions.
The problem is, many companies take a heavy-handed approach to Shadow IT. They create policies and restrictions without telling the employees why they matter. They take an “us-vs-them” mentality.
If you truly want to reduce security risks, educate your users. Make sure your employees understand the risks involved, and why unauthorized tools and software must be avoided. Then, show them how to solve their problems securely, using approved tools and methods.
6. Be on the alert
Now, maybe you’re doing everything right. You’re actively providing users with the tools they need. You’re working with the business to address their needs. You’ve educated users on the risks of Shadow IT.
Those are all great steps to take. But, don’t assume it’s the end of your Shadow IT worries. Despite all of your efforts, some users will simply ignore you. They’ll go behind IT’s back anyway, and create security risks.
You must prepare for this as well. Set up monitoring systems to alert you to possible Shadow IT problems. How so? As explained in this article on csoonline.com, this includes monitoring a few different areas.
“Despite your best efforts, some people will ignore the rules. That’s why you need to monitor activity. One low-tech but effective technique is to have your finance department monitor expense reports for evidence of unauthorized applications.
Secure web gateways are often used for malware prevention, but they can also be a tool to spot shadow IT instances. Analyzing web access logs can uncover destinations that are receiving a large amount of outbound traffic, and some gateways will even include the application names in their reporting so you can take action. Gateways permit you to filter and block prohibited URLs and ports, which means they can be used to block access to unapproved cloud services. If you require authentication to be done through the corporate directory, your gateway can easily be configured to look for login prompts that indicate an unauthorized service is being used.”
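The log analysis described in the quote above, and the matching of found systems against known systems from step 1, can be scripted. The following is an added example, not code from the article or from csoonline.com: it assumes a simplified proxy/gateway log format (timestamp, client IP, method, destination host, bytes sent, bytes received), a constructed set of sample lines, and a constructed allowlist of sanctioned services.

```python
# Added example: aggregate outbound bytes per destination from web gateway
# logs and flag unapproved hosts that receive a lot of outbound traffic.
from collections import defaultdict

# Constructed sample log lines in an assumed format:
# timestamp client_ip method dest_host bytes_sent bytes_received
SAMPLE_LOG = """\
2016-03-01T09:12:44Z 10.1.4.22 POST files.example-share.net 5242880 512
2016-03-01T09:13:02Z 10.1.4.22 GET www.corp-crm.example 300 18200
2016-03-01T09:15:10Z 10.1.4.31 POST files.example-share.net 7340032 600
2016-03-01T09:20:55Z 10.1.7.8 POST files.example-share.net 1048576 400
2016-03-01T09:22:01Z 10.1.7.8 POST mail.corp.example 2097152 900
2016-03-01T10:01:13Z 10.1.4.31 POST pastebin-like.example 4096 200
this line is malformed and must be skipped
2016-03-01T10:05:40Z 10.1.9.3 GET news.example.org 250 91000
"""

# Assumed allowlist: the "known systems" IT already manages.
APPROVED_HOSTS = {"www.corp-crm.example", "mail.corp.example"}


def parse_line(line):
    """Return (client_ip, dest_host, bytes_sent) or None if the line is malformed."""
    parts = line.split()
    if len(parts) != 6:
        return None
    try:
        return parts[1], parts[3].lower(), int(parts[4])
    except ValueError:
        return None


def aggregate(log_text):
    """Sum outbound bytes and collect distinct clients per destination host."""
    bytes_out = defaultdict(int)
    clients = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip bad lines instead of aborting the whole run
        client, host, sent = rec
        bytes_out[host] += sent
        clients[host].add(client)
    return bytes_out, clients


def find_shadow_it(log_text, approved, min_bytes_out=1 << 20):
    """Unapproved hosts with at least min_bytes_out outbound bytes, as
    (host, bytes_out, distinct_clients) tuples, largest volume first."""
    bytes_out, clients = aggregate(log_text)
    flagged = [(h, total, len(clients[h])) for h, total in bytes_out.items()
               if h not in approved and total >= min_bytes_out]
    return sorted(flagged, key=lambda t: t[1], reverse=True)
```

The distinct-client count separates a single user's one-off upload from a tool a whole department has quietly adopted, which is the case worth following up under step 2.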
These are just 6 ways to reduce the risks of Shadow IT, but the list could certainly be longer. Would you add anything to this list? If so, I’d love to hear it. Feel free to share in the comments.