What is Shadow IT? The underbelly of IT management

When managing your business's cybersecurity, the majority of your risk reduction will come from organization-wide security measures. Whether it's password policies, security awareness training or SaaS app hardening, the best way to reduce your risk is to ensure that appropriate risk-reduction processes are implemented throughout the entire organization.

At the same time, a significant amount of cybersecurity risk is often found in the unknown parts of your IT systems - in the dormant apps and hardware that have yet to receive appropriate security controls from IT management.

According to Microsoft, 80% of employees make use of unsanctioned apps, meaning apps that have not been reviewed or permitted by the person(s) in charge of IT. Each one of these apps introduces a unique and significant amount of risk to the organization, and because IT personnel are completely unaware of them, much of that risk is left unmitigated.

This widespread use of unsanctioned apps has become one of the most widely discussed issues in contemporary cybersecurity, and is commonly referred to as Shadow IT.

Shadow IT encompasses all of the hidden tech in a business. It includes the applications, hardware and technology systems that members of the business are using without the explicit knowledge and approval of an IT department.

Shadow IT often takes the form of personal devices, unapproved messaging tools and undetected SaaS applications. Some of the most common examples are staff using unlicensed Google Docs accounts to create and store work documents, or colleagues using non-workplace chat apps such as WhatsApp and Messenger for sensitive workplace correspondence.

So why is Shadow IT an issue? What makes unsanctioned applications dangerous?

In short, Shadow IT bypasses your security. Whereas approved apps and pieces of hardware typically benefit from organizational security practices, Shadow IT implicitly subverts safe practice because it is unidentified and unactioned by those responsible for IT.

Each such application or piece of hardware introduces a new attack vector into the business while simultaneously skipping the crucial security controls needed to protect it, such as password and update policies, two-factor authentication, and IP access control.

The threat is borne out by a recent Forbes survey, which revealed that 1 in 5 organizations had experienced a security event related to unsanctioned IT resources.

Furthermore, an organization's Shadow IT usage is often much higher than its known and intended IT. Since the advent of work-from-home in 2020, organizations have been using an average of 110 known and approved SaaS apps. By comparison, a report from McAfee states that, on average, businesses are housing 975 unsanctioned cloud services at any given time.

This ultimately results in a scenario wherein the number of unsanctioned apps is far higher than the number being vetted and protected. As such, the average IT manager has visibility and control over 20% or less of an organization's apps, while being held accountable for 100% of their risk.

And despite being largely unaccounted for, Shadow IT accounts for the vast majority of 'app sprawl' as well. It's one thing to imagine an isolated breach against a particular undetected app, but oftentimes these apps are integrated with known, company-wide SaaS platforms such as Google Suite, Hubspot, Zoom and Office 365 without managerial oversight.

Consequently, a cyber-incident within Shadow IT typically isn't confined to an individual employee or app, but can also significantly impact other connected apps, systems and confidential data within the organization.

So what can you do to reduce your Shadow IT risk? It's important to consider that Shadow IT ultimately stems from a human issue - a lack of visibility and control over how staff are using IT.

Oftentimes, the gut reaction is to adopt a more draconian approach to monitoring, policy and controls. While these measures all have their place, some of the highest yields in cybersafety come from simple awareness and collaboration with your colleagues.

When tackling the issue of Shadow IT in your business, we recommend taking the following principles into consideration:

  1. Awareness: Many consider awareness to be the most pivotal tool in reducing your Shadow IT risk. In addition to using network and workstation monitoring tools and routinely reviewing your IT resources, we recommend that you perform regular SaaS Discovery Scans to determine how many Shadow IT apps are actually in use. Not only does this illuminate the full extent of your organization's IT usage, it also enables you to accurately portray your resources to others in the organization.

  2. Culture: Employees often contribute to Shadow IT either unknowingly, or with the express intention of bypassing security measures for the sake of convenience. While Shadow IT app usage is rarely malicious, it can be highly damaging to an organization's security posture. Conduct regular training with your staff and colleagues, and share insights regarding the harm of Shadow IT. Foster a culture wherein people feel confident approaching IT staff for assistance when downloading a new app or implementing a new plugin.

  3. Management: Once you have improved visibility of the apps and hardware used within the organization, it's time to apply some controls. Determine which apps are essential and which are not. Cull what you can, and apply security measures to the rest, such as multi-factor authentication, updates and password policies.

     Tweak the permissions and integrations of any discovered SaaS apps, and also consider preventative measures such as Download Restriction policies to reduce the growth rate of your Shadow IT going forward.

Remember, it only takes one successful cyber-incident to compromise an entire organization. 

By confronting your Shadow IT and incorporating it as a regular part of your business's security culture, you will be better equipped to prevent, react to and recover from potential security incidents in the future.

How Detexian helps

Detexian reduces these risks by discovering:

  • Unauthorized apps staff use with their corporate email accounts

  • If those apps have access to your business and customer data

  • When new apps are granted and permissions change

Many apps are granted excessive permissions, such as read/write access to files, email and calendars. If left unknown, these apps are ticking time bombs for data breaches.
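To make the Awareness and Management principles above, and the three discovery points just listed, concrete, here is an added example (not Detexian's code) that triages a constructed inventory of OAuth grants staff have given third-party apps with their corporate accounts: it lists apps outside the approved set, flags grants carrying broad file/mail/calendar scopes, and diffs two discovery runs to surface new apps and permission changes. The scope names, app names and accounts are constructed placeholders, not any vendor's real values.

```python
from dataclasses import dataclass

# Scopes treated as "excessive": read/write on files, mail and calendars.
# Constructed placeholder names, not any real provider's scope strings.
HIGH_RISK_SCOPES = {"files.readwrite", "mail.readwrite", "calendar.readwrite"}

# Apps IT has reviewed and approved (constructed sample).
APPROVED_APPS = {"Zoom", "Hubspot"}

# Two discovery snapshots in "user,app,scope1 scope2 ..." form (constructed).
SNAPSHOT_DAY1 = """
# user,app,scopes
alice@example.com,Zoom,calendar.read
bob@example.com,PDF-Magic,files.readwrite
""".splitlines()
SNAPSHOT_DAY2 = """
alice@example.com,Zoom,calendar.read
bob@example.com,PDF-Magic,files.readwrite mail.readwrite
carol@example.com,ChatBridge,mail.readwrite
""".splitlines()

@dataclass(frozen=True)
class Grant:
    user: str            # corporate account that authorised the app
    app: str             # third-party application
    scopes: frozenset    # permissions the app was granted

def parse_grants(lines):
    """Parse inventory lines into Grant objects, skipping blanks and comments."""
    grants = set()
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, app, scopes = (f.strip() for f in line.split(",", 2))
        grants.add(Grant(user, app, frozenset(scopes.split())))
    return grants

def unsanctioned_apps(grants, approved):
    """Apps present in the grants that IT has not approved."""
    return sorted({g.app for g in grants} - set(approved))

def excessive_grants(grants):
    """(user, app) -> sorted high-risk scopes, for grants holding any of them."""
    return {(g.user, g.app): sorted(g.scopes & HIGH_RISK_SCOPES)
            for g in grants if g.scopes & HIGH_RISK_SCOPES}

def diff_snapshots(old, new):
    """Return (newly granted apps, grants whose scopes changed) between runs."""
    old_by_key = {(g.user, g.app): g.scopes for g in old}
    new_by_key = {(g.user, g.app): g.scopes for g in new}
    added = sorted(k for k in new_by_key if k not in old_by_key)
    changed = sorted(k for k in new_by_key
                     if k in old_by_key and new_by_key[k] != old_by_key[k])
    return added, changed
```

Running the diff on a schedule (and alerting on anything it returns) is what turns a one-off discovery scan into the ongoing "when new apps are granted and permissions change" visibility described above.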

Find out how to discover unknown, untrusted apps with access to your data in 2 minutes: try Detexian Discovery for free.
