{"id":10395,"date":"2016-07-19T10:55:15","date_gmt":"2016-07-19T15:55:15","guid":{"rendered":"http:\/\/www.mrc-productivity.com\/blog\/?p=10395"},"modified":"2023-03-13T16:08:30","modified_gmt":"2023-03-13T21:08:30","slug":"6-ways-to-reduce-shadow-it-security-risks","status":"publish","type":"post","link":"https:\/\/www.mrc-productivity.com\/blog\/2016\/07\/6-ways-to-reduce-shadow-it-security-risks\/","title":{"rendered":"6 ways to reduce Shadow IT security risks"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" class=\"alignleft size-full wp-image-725\" src=\"https:\/\/www.mrc-productivity.com\/blog\/wp-content\/uploads\/2010\/11\/Education.jpg\" alt=\"Education\" width=\"76\" height=\"100\" \/><span style=\"font-size: 14px;\"><em>Summary: A rapidly growing trend, &#8220;Shadow IT&#8221; is the use of unapproved IT systems and solutions within organizations. End users are increasingly bypassing IT in favor of third party solutions and services. In this article, we explore the security risks of Shadow IT, and a few ways to reduce these risks.<\/em><\/span><br \/>\n<a name=\"20160718\"><\/a><!--more--><\/p>\n<p>Like it or not, Shadow IT is probably alive and well in your organization. It exists in most companies, but the majority of CIOs and IT leaders underestimate its reach.<\/p>\n<p>How bad is it? According to one <a href=\"http:\/\/www.informationweek.com\/cloud\/shadow-it-its-much-worse-than-you-think\/a\/d-id\/1321637\" target=\"_blank\" rel=\"noopener\"><span style=\"color: red; font-weight: bold;\">report<\/span><\/a>, the use of Shadow IT is 15-20 times higher than CIOs predict.<\/p>\n<p>Why is this such a problem? If uncontrolled, Shadow IT will open your business up to a number of security risks, such as:<\/p>\n<ul class=\"arrow-list colored\">\n<li><strong>Data privacy risks:<\/strong> When employees purchase and use third-party software without IT\u2019s knowledge, they could put sensitive data at risk. 
How can IT secure the data if they don\u2019t know it exists? How can IT ensure that the employee\u2019s software is secure if they don\u2019t know what it is? They can\u2019t.<\/li>\n<li><strong>Compliance risks<\/strong>: For many companies, regulatory compliance is critical. The problem is, Shadow IT can lead directly to compliance violations. Without knowledge of user\u2019s activity, the IT department can\u2019t ensure compliance. For regulated businesses, this can lead to data loss, fines, and significant vulnerabilities.<\/li>\n<li><strong>Enterprise security risks<\/strong>: Users have notoriously bad password habits. Chances are, if an attacker gains an employee\u2019s login credentials for one site, they can use the same information to gain access to another. If the employee uses the same password for enterprise application access, they\u2019ve just given an attacker the keys to your business data.<\/li>\n<\/ul>\n<p>The question is, how can you protect your business from these risks? Today, let\u2019s explore that topic. Here are 6 ways to reduce Shadow IT security risks.<\/p>\n<h3>1. Discover where Shadow IT is hiding<\/h3>\n<figure id=\"attachment_10085\" aria-describedby=\"caption-attachment-10085\" style=\"width: 300px\" class=\"wp-caption alignright\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-10085\" src=\"https:\/\/www.mrc-productivity.com\/blog\/wp-content\/uploads\/2016\/04\/binoculars-1209011_640-300x199.jpg\" alt=\"photo credit: Unsplash via pixabay cc\" width=\"300\" height=\"199\" \/><figcaption id=\"caption-attachment-10085\" class=\"wp-caption-text\">photo credit: <a href=\"https:\/\/pixabay.com\/en\/binoculars-looking-man-discovery-1209011\/\">Unsplash<\/a> via <a href=\"http:\/\/pixabay.com\/\">pixabay<\/a> <a href=\"http:\/\/creativecommons.org\/publicdomain\/zero\/1.0\/deed.en\">cc<\/a><\/figcaption><\/figure>\n<p>The first step to reducing the risks of Shadow IT: Understand the extent of the problem. 
You can do this in a couple of different ways.<\/p>\n<p>First, survey your employees. Ask them what software and services they use regularly. You\u2019d be surprised how many unauthorized tools you\u2019ll uncover, simply because the employees don\u2019t realize they\u2019re practicing Shadow IT.<\/p>\n<p>Second, track network traffic. As explained below, the use of scanning techniques will help you identify unauthorized software and systems that are using your network.<\/p>\n<blockquote style=\"line-height: 1.7em; background-image: none; margin-left: 0; padding-left: 18px; height: auto;\"><p>\u201cSystems and applications established without corporate knowledge and oversight are inherently at risk of non-compliance with security regulations, unaddressed security vulnerabilities, and unauthorized access,\u201d says Doug Landoll, CEO, <a href=\"http:\/\/www.lantego.com\/\" target=\"_blank\" rel=\"noopener\"><span style=\"color: red; font-weight: bold;\">Lantego<\/span><\/a>. \u201cIn order to address these issues the organization must seek to identify Shadow IT within their organization. One approach is that of discovery through an annual security assessment that seeks to identify all systems through various scanning techniques. Found systems are then matched with known systems and the balance needs to be addressed as Shadow IT. Discovery of Shadow IT is important because these systems provide access to corporate data and therefore must be protected according to the corporate needs (not the department or individual&#8217;s need who set up the Shadow IT). Bringing these systems to light is the first step in providing appropriate corporate oversight.\u201d<\/p><\/blockquote>\n<h3>2. Identify the unmet need<\/h3>\n<p>Once you\u2019ve identified unauthorized software and systems, you must punish those who are using them&#8230;right?<\/p>\n<p>No.<\/p>\n<p>Let me explain. Shadow IT is not the problem. 
It\u2019s a symptom of a larger problem: Employees aren\u2019t getting the solutions they need from the business. If you try to eliminate Shadow IT without addressing this problem, you\u2019ll only perpetuate the issue. If you want to reduce Shadow IT security risks, you must address the real problem head on.<\/p>\n<blockquote style=\"line-height: 1.7em; background-image: none; margin-left: 0; padding-left: 18px; height: auto;\"><p>\u201cShadow IT exists when corporate IT is failing in a fundamental way,\u201d says Jonathan Gossels, President, <a href=\"http:\/\/systemexperts.com\/\" target=\"_blank\" rel=\"noopener\"><span style=\"color: red; font-weight: bold;\">SystemExperts Corporation<\/span><\/a>. \u201cWe\u2019ve seen currency traders set up their own development shops because corporate development was perceived to be too slow or bureaucratic. We\u2019ve seen Wall Street traders set up their own wireless access points so they could keep an eye on things when they were at the pub across the street for lunch.<\/p>\n<p>No department or line of business wants to set up its own IT infrastructure and bear that budget burden \u2013 they only do so because they feel that they have no choice to be successful in the tasks they are measured and compensated on.<\/p>\n<p>It is like finding mouse droppings. If you see shadow IT, it is a clear indication that there is an unmet business need. Organizations need to investigate those unmet requirements and provide the appropriate IT services in a timely, secure, and policy compliant manner.\u201d<\/p><\/blockquote>\n<p>So, how can you identify these unmet needs? You\u2019ll get a good idea based on the software and systems you identified in the discovery phase. 
However, the best method: Ask them.<\/p>\n<blockquote style=\"line-height: 1.7em; background-image: none; margin-left: 0; padding-left: 18px; height: auto;\"><p>\u201cSurvey your employees to see how IT can better serve them,\u201d says Trey Hawkins, CTO of <a href=\"http:\/\/leapfrogservices.com\/\" target=\"_blank\" rel=\"noopener\"><span style=\"color: red; font-weight: bold;\">Leapfrog Services<\/span><\/a>. \u201cYou\u2019ll find out about their frustrations and how much of your company\u2019s Shadow IT revolves around consuming information versus creating or sending information.\u201d<\/p><\/blockquote>\n<h3>3. Change the culture<\/h3>\n<figure id=\"attachment_7923\" aria-describedby=\"caption-attachment-7923\" style=\"width: 240px\" class=\"wp-caption alignright\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-7923\" src=\"https:\/\/www.mrc-productivity.com\/blog\/wp-content\/uploads\/2014\/05\/small_8055193189.jpg\" alt=\"photo credit: Found Animals via photopin cc\" width=\"240\" height=\"160\" \/><figcaption id=\"caption-attachment-7923\" class=\"wp-caption-text\">photo credit: <a href=\"http:\/\/www.foundanimals.org\/\">Found Animals<\/a> via <a href=\"http:\/\/photopin.com\">photopin<\/a> <a href=\"http:\/\/creativecommons.org\/licenses\/by-sa\/2.0\/\">cc<\/a><\/figcaption><\/figure>\n<p>Sadly, in many companies, IT has developed a \u201cculture of no.\u201d End users feel like IT only gets in the way. It seems like IT looks for reasons to deny requests rather than try to find solutions.<\/p>\n<p>This \u201ctechnology gatekeeper\u201d mentality may have worked when IT was the only option, but that\u2019s not the case anymore. 
Now, if IT is viewed as a barrier, end users find their own ways to accomplish their goals.<\/p>\n<p>As explained below, changing this culture is a huge step towards controlling Shadow IT.<\/p>\n<blockquote style=\"line-height: 1.7em; background-image: none; margin-left: 0; padding-left: 18px; height: auto;\"><p>\u201cFor IT departments, the best policies to prevent Shadow IT, or manage proliferation of rogue systems operate on the premise of transparency and understanding of the business,\u201d says Morey Haber, VP of Technology at <a href=\"https:\/\/www.beyondtrust.com\/\" target=\"_blank\" rel=\"noopener\"><span style=\"color: red; font-weight: bold;\">BeyondTrust<\/span><\/a>. \u201cIT departments should adopt policies of &#8220;yes, I can help you&#8221; versus resistance to change, saying \u201cno,\u201d or just the adoption of new technologies. When departments understand and embrace IT policies that provide enablement, Shadow IT environments tend to dry up and new ones do not form.\u201d<\/p><\/blockquote>\n<p>Now, I know what you\u2019re thinking. Should IT departments just approve every user request? Should they give users everything they want, just to keep from getting bypassed? Of course not. The key to success lies in helping the users meet their needs in a secure way&#8211;not just giving them what they want.<\/p>\n<blockquote style=\"line-height: 1.7em; background-image: none; margin-left: 0; padding-left: 18px; height: auto;\"><p>\u201cThe trick to managing Shadow IT is balancing security with the requests,\u201d explains Morey. \u201cJust because something sounds like a great idea and may be easy to implement, may not be in the best interests of the company to secure data, permissions, and infrastructure. Setting up your own private guest wireless network off the LAN is a traditional example of Shadow IT and rogue access points. The balance is agreeing on the need, improvements to the business, and adopting a secure model to make it work. 
This requires a little give and take from both sides, but results in a supportable and secure solution that can be the objectives of all teams.\u201d<\/p><\/blockquote>\n<h3>4. Give the users the tools they need<\/h3>\n<p>The best way to reduce security risks: Make Shadow IT completely unnecessary. As explained above, Shadow IT largely occurs because the business users aren\u2019t getting the solutions they need from IT. If you successfully deliver these solutions, you eliminate the driving force behind the problem.<\/p>\n<blockquote style=\"line-height: 1.7em; background-image: none; margin-left: 0; padding-left: 18px; height: auto;\"><p>\u201cWhile there certainly are proactive ways in which the security risks of shadow IT can be mitigated, the best solution is to bring shadow IT out of the shadows and into the open across the IT landscape,\u201d says Brian Kelley, CIO of <a href=\"http:\/\/www.co.portage.oh.us\/\" target=\"_blank\" rel=\"noopener\"><span style=\"color: red; font-weight: bold;\">Portage County<\/span><\/a>. \u201cBy leveraging the technology tools that users sorely need to be more efficient and to benefit the bottom line, business leaders can reduce the risks and hidden dangers inherent with the unstoppable force of shadow IT by bringing it into the open. This will require better aligning the business with IT, improving communication with managers, and users, and reducing the complexity of IT procurement.\u201d<\/p><\/blockquote>\n<p>Now, I want to emphasize a couple of points that Kelley mentioned above: This process requires alignment and communication.<\/p>\n<p>Communication is absolutely essential in this process. Don\u2019t assume you know best. Don\u2019t give users a solution without involving them in the process. Work with the users to find a solution that meets their needs, and IT\u2019s security requirements.<\/p>\n<p>One more thing: The goal of this step is controlled, self-service solutions. 
Any software you provide must meet two important criteria:<\/p>\n<ul class=\"arrow-list colored\">\n<li><strong>Self-service<\/strong>: Users must use the solution without bothering IT.<\/li>\n<li><strong>Control<\/strong>: IT must still be able to control data and user access.<\/li>\n<\/ul>\n<p>When you deliver controlled, self-service options, your business gets the best of both worlds. Users get the solutions they need quickly, and IT can still secure the data and applications.<\/p>\n<h3>5. Educate the users<\/h3>\n<figure id=\"attachment_7734\" aria-describedby=\"caption-attachment-7734\" style=\"width: 300px\" class=\"wp-caption alignright\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-7734\" src=\"https:\/\/www.mrc-productivity.com\/blog\/wp-content\/uploads\/2014\/03\/apple-256261_640-300x198.jpg\" alt=\"photo credit: jarmoluk via pixabay cc\" width=\"300\" height=\"198\" srcset=\"https:\/\/www.mrc-productivity.com\/blog\/wp-content\/uploads\/2014\/03\/apple-256261_640-300x198.jpg 300w, https:\/\/www.mrc-productivity.com\/blog\/wp-content\/uploads\/2014\/03\/apple-256261_640.jpg 640w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><figcaption id=\"caption-attachment-7734\" class=\"wp-caption-text\">photo credit: <a href=\"http:\/\/pixabay.com\/en\/apple-education-school-knowledge-256261\/\">jarmoluk<\/a> via <a href=\"http:\/\/pixabay.com\/\">pixabay<\/a> <a href=\"http:\/\/creativecommons.org\/publicdomain\/zero\/1.0\/deed.en\">cc<\/a><\/figcaption><\/figure>\n<p>In most cases, employees aren\u2019t practicing Shadow IT maliciously. They\u2019re trying to solve a problem. Most don\u2019t realize the security risks of their actions.<\/p>\n<p>The problem is, many companies take a heavy-handed approach to Shadow IT. They create policies and restrictions, without telling the employees why it\u2019s important. They take an \u201cus-vs-them\u201d mentality.<\/p>\n<p>If you truly want to reduce security risks, educate your users. 
Make sure your employees understand the risks involved, and why unauthorized tools and software must be avoided. Then, show them how to solve their problems securely, using approved tools and methods.<\/p>\n<h3>6. Be on the alert<\/h3>\n<p>Now, maybe you\u2019re doing everything right. You\u2019re actively providing users with the tools they need. You\u2019re working with the business to address their needs. You\u2019ve educated users on the risks of Shadow IT.<\/p>\n<p>Those are all great steps to take. But, don\u2019t assume it\u2019s the end of your Shadow IT worries. Despite all of your efforts, some users will simply ignore you. They\u2019ll go behind IT\u2019s back anyway, and create security risks.<\/p>\n<p>You must prepare for this as well. Set up monitoring systems to alert you to possible Shadow IT problems. How so? As explained in this <a href=\"http:\/\/www.csoonline.com\/article\/3083775\/security\/shadow-it-mitigating-security-risks.html\" target=\"_blank\" rel=\"noopener\"><span style=\"color: red; font-weight: bold;\">article on csoonline.com<\/span><\/a>, this includes monitoring a few different areas.<\/p>\n<p><em>\u201cDespite your best efforts, some people will ignore the rules. That\u2019s why you need to monitor activity. One low-tech but effective technique is to have your finance department monitor expense reports for evidence of unauthorized applications.<\/em><\/p>\n<p><em>Secure web gateways are often used for malware prevention, but they can also be a tool to spot shadow IT instances. Analyzing web access logs can uncover destinations that are receiving a large amount of outbound traffic, and some gateways will even include the application names in their reporting so you can take action. Gateways permit you to filter and block prohibited URLs and ports, which means they can be used to block access to unapproved cloud services. 
If you require authentication to be done through the corporate directory, your gateway can easily be configured to look for login prompts that indicate an unauthorized service is being used.\u201d<\/em><\/p>\n<h3>Summary<\/h3>\n<p>These are just 6 ways to reduce the risks of Shadow IT, but the list could certainly be longer. Would you add anything to this list? If so, I\u2019d love to hear it. Feel free to share in the comments.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Summary: A rapidly growing trend, &#8220;Shadow IT&#8221; is the use of unapproved IT systems and solutions within organizations. End users are increasingly bypassing IT in favor of third party solutions and services. In this article, we explore the security risks of Shadow IT, and a few ways to reduce these risks.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"default","ast-global-header-display":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","slim_seo":{"title":"6 ways to reduce Shadow IT security risks - mrc&#039;s Cup of Joe Blog","description":"Summary: A rapidly growing trend, \"Shadow IT\" is the use of unapproved IT systems and solutions within organizations. 
End users are increasingly bypassing IT in"},"footnotes":""},"categories":[8],"tags":[77],"class_list":["post-10395","post","type-post","status-publish","format-standard","hentry","category-education","tag-shadow-it"],"_links":{"self":[{"href":"https:\/\/www.mrc-productivity.com\/blog\/wp-json\/wp\/v2\/posts\/10395","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mrc-productivity.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mrc-productivity.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mrc-productivity.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mrc-productivity.com\/blog\/wp-json\/wp\/v2\/comments?post=10395"}],"version-history":[{"count":6,"href":"https:\/\/www.mrc-productivity.com\/blog\/wp-json\/wp\/v2\/posts\/10395\/revisions"}],"predecessor-version":[{"id":14674,"href":"https:\/\/www.mrc-productivity.com\/blog\/wp-json\/wp\/v2\/posts\/10395\/revisions\/14674"}],"wp:attachment":[{"href":"https:\/\/www.mrc-productivity.com\/blog\/wp-json\/wp\/v2\/media?parent=10395"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mrc-productivity.com\/blog\/wp-json\/wp\/v2\/categories?post=10395"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mrc-productivity.com\/blog\/wp-json\/wp\/v2\/tags?post=10395"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}