Feb 16, 2015
Shadow IT already poses a very real threat to information security, and over the next few years, both the risks and likelihood of unauthorised IT practices are set to increase. In order to protect your organisation, it’s essential that you’re able to recognise the most common types of shadow IT, and understand the problems that lie at its heart.
What is Shadow IT?
Shadow IT refers to unauthorised systems and applications that exist within an organisation’s wider IT network. Shadow IT most commonly manifests when employees install their preferred software applications onto a corporate network, and use them without making the organisation’s IT department aware, or gaining their explicit approval. With the growing use of cloud-based services, and a continued trend towards BYOD, shadow IT is a growing security issue. Greater numbers of employees are making their own device and software choices within the workplace, and in many cases, connecting non-approved applications to the secure corporate network.
These applications often use relatively lax and ineffective security measures. When introduced into a corporate network, these insecure applications will create a whole host of new vulnerabilities through which data breaches and attacks can occur. This type of shadow IT introduces security blind spots – parts of the network that are operating outside the knowledge of IT teams – and in doing so, prevents effective security monitoring.
The acceptance of shadow IT practices also creates technical barriers within an organisation. If separate departments each use their own unique setup of applications, collaboration between them will be extremely challenging, and may even be detrimental to productivity.
Common Examples of Shadow IT
- Using cloud storage, like Dropbox and Google Drive, to remotely access and transfer data between personal and company devices.
- Developing productivity and workflow processes outside of the corporate network, often using cloud-based applications like Trello and Evernote.
- Connecting physical devices, like USB sticks and external hard drives, directly to the corporate network, and using them to transfer sensitive information.
- Downloading instant messaging applications, like BBM and WhatsApp, onto corporate smartphones and tablets.
- Installing Skype and other forms of VoIP software to communicate between colleagues and clients.
- Downloading and accessing social media applications.
- Developing, using and sharing self-developed Excel spreadsheets and macros.
The Changing Nature of Software Purchasing
Trends towards marketing automation and Big Data analysis are liable to worsen the threat of shadow IT. Whilst most software purchasing decisions are currently undertaken by CIOs, Gartner have predicted that by 2017, CMOs will be investing more in software and applications than their IT-trained counterparts.
With a less centralised system of purchasing, the importance of organisation-wide software testing and threat modelling will grow year-on-year. In order to prevent the emergence of departmental tech silos, it’ll be essential for all departments to understand the basic tenets of software security – not just IT professionals.
Minimising Shadow IT Problems
In order to resolve shadow IT issues, security and IT professionals need to employ a degree of empathy. Most instances of unauthorised application use stem from a real need for improved workplace productivity. Without officially mandated steps to satisfy these needs, employees will be driven towards shadow IT out of sheer necessity.
“Many organizations focus on devices and not users to address Shadow IT. The reality is, if organizations focus on managing devices, they neglect to address the root of the issues around Shadow IT, which is the productivity needs of their workers.” – Matt Bingham, Director of Product Management, LANDESK.
Organisation-wide security awareness will also help lower the risks associated with shadow IT. In the vast majority of instances, employees are not deliberately attempting to compromise the security of their organisation, and only expose the company to security threats because of a lack of security knowledge. Security eLearning courses will help employees from all areas understand the risks of shadow IT, and encourage them to resolve their problems through proper channels.