Updated May 2019.
Shadow IT: A term that describes employees using mobile apps and personal devices without the approval or knowledge of the IT department. This trend has become increasingly prevalent in recent years, due mainly to the rise of cloud computing and BYOD.
Today’s employees no longer need the IT department to install and enable new technology for them. They can open accounts on cloud services, use personal accounts, or download apps to their personal devices and immediately begin working with corporate data and sensitive content. The rapid adoption of cloud services and the consumerization of IT have led to a drastic rise in Shadow IT. Based on Cisco Cloud Consumption engagements, large enterprises on average use over 1,200 cloud services – and over 98% of them are Shadow IT.
While this way of working is very convenient for the end user, Shadow IT puts the enterprise in a very vulnerable security position. According to Gartner, by 2020, one-third of successful cyber attacks against enterprises will be achieved through Shadow IT applications. In addition to security vulnerabilities and a higher risk of data loss or breach, Shadow IT can also result in wasted time and money, a loss of control, organizational dysfunction, compliance issues, ‘app sprawl,’ inefficiencies, and inconsistent business logic.
Business users are far less likely than their organization’s information security experts to consider the long-term sustainability and security risks associated with new technology. Without guidance from IT, they also may be acting contrary to data governance parameters and other IT controls that ensure data integrity, confidentiality, privacy, and regulatory compliance. In addition to security vulnerabilities, this can pose legal, compliance, and financial risk. The IT department can’t possibly maintain a secure work environment if employees are engaging in mobile activities that undermine organizational infrastructure, visibility, and governance.
To mitigate risks associated with Shadow IT, here are some guidelines to keep in mind:
1. Understand why Shadow IT happens in the first place. Employees turn to unsanctioned software and online tools in order to work more efficiently. They aren’t trying to cause problems, but simply accomplish the tasks at hand. Communicate with users and make sure they are equipped with all the tools they require so they don’t need to turn to Shadow IT applications. If employees bring up the same complaints, find an enterprise-approved solution to their problem.
2. Monitor the network to identify problems. One of the main challenges of Shadow IT is simply finding out where the problems are. Through continuous monitoring of the network, IT can gain insight into which employees are using unknown and unapproved devices, services, and applications.
After the initial audit, we recommend performing routine vulnerability monitoring and fraud analysis to quickly address any new risks that arise. Identify fraudulent use outside of your policy by analyzing usage, expenses, and applications from your invoices.
3. Block high-risk applications. Identify which applications pose the highest risk, and immediately prevent access and block them from the network. To begin, we recommend restricting users from accessing file-sharing applications such as Dropbox.
Once you’ve blacklisted an application, be sure to offer a low-risk alternative. This will ensure that your employees aren’t tempted to circumvent security policies in order to work productively. For example, if the majority of your staff uses Google Drive to store and manage content, create a company content repository that’s lower risk but just as easy to use.
4. Set and enforce usage policies. Develop a set of clear and consistent company-wide policies around approved mobile and cloud service usage, as well as whitelisted and blacklisted applications. Configure device and application rules to enforce these policies. Be willing to train employees on enterprise-approved applications.
5. Educate your staff on security. Train employees to understand and recognize the risks associated with mobility. Educate them on how sensitive data is handled and why Shadow IT puts the enterprise in a vulnerable position. The more knowledgeable your staff is, the less likely they’ll be to engage in activities that put the enterprise at risk.
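Steps 2 and 3 above (monitor the network to discover unapproved services, then single out the high-risk ones such as file-sharing sites for blocking) can be turned into a small, repeatable check over web-proxy logs. The script below is an added example written for this post; it is not code from the original article or from any vendor product. It assumes a simple space-separated log format (timestamp, user, destination host, bytes sent), and the sanctioned-service allowlist, the high-risk list and the sample log lines are all constructed for illustration; a real deployment would read exports from the proxy, firewall or CASB and maintain the lists as part of the usage policy from step 4.

```python
"""Shadow IT discovery from web-proxy logs (added example, not the post's own code).

Assumed log format per line:  <timestamp> <user> <destination_host> <bytes_sent>
Every host that is not on the sanctioned list is reported, grouped by service,
with the users involved and the volume sent, so IT can see which unapproved
services are in use and which of them are high-risk candidates for blocking.
"""
from collections import defaultdict

# Constructed sample log lines; not real traffic.
SAMPLE_LOG = """\
2019-05-01T08:01:12Z alice box.com 12034
2019-05-01T08:03:44Z alice www.dropbox.com 8812001
2019-05-01T08:05:02Z bob dropbox.com 10212
2019-05-01T08:06:19Z carol drive.google.com 421300
2019-05-01T08:07:55Z dave wetransfer.com 52000000
2019-05-01T08:09:31Z alice mail.corp.example 3300
2019-05-01T08:11:07Z erin slack.com 12000
"""

# Constructed policy lists (assumptions for the example). Matching is by
# registrable domain, so "www.dropbox.com" counts as "dropbox.com".
SANCTIONED = {"box.com", "slack.com", "mail.corp.example"}
HIGH_RISK = {"dropbox.com": "file-sharing", "wetransfer.com": "file-sharing"}


def service_of(host, table):
    """Return the entry of `table` that matches `host` or one of its parent domains, else None."""
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in table:
            return candidate
    return None


def parse_line(line):
    """Parse one log line of the assumed format into a dict."""
    ts, user, host, sent = line.split()
    return {"ts": ts, "user": user, "host": host.lower(), "bytes": int(sent)}


def classify(host):
    """Map a destination host to 'sanctioned', 'high-risk' or 'unknown'."""
    if service_of(host, SANCTIONED):
        return "sanctioned"
    if service_of(host, HIGH_RISK):
        return "high-risk"
    return "unknown"


def discover(log_text):
    """Aggregate the log by service: which users talk to it and how much they send."""
    report = defaultdict(lambda: {"users": set(), "bytes": 0, "status": "unknown"})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        # Collapse subdomains onto the policy entry when one exists.
        key = service_of(rec["host"], SANCTIONED) or service_of(rec["host"], HIGH_RISK) or rec["host"]
        entry = report[key]
        entry["users"].add(rec["user"])
        entry["bytes"] += rec["bytes"]
        entry["status"] = classify(rec["host"])
    return dict(report)


def shadow_it_findings(report, bytes_threshold=1_000_000):
    """List unsanctioned services, high-risk first, then by volume sent.

    `large_upload` flags services that received more than `bytes_threshold`
    bytes, a simple signal that corporate content may be leaving the network.
    """
    findings = []
    for host, e in report.items():
        if e["status"] == "sanctioned":
            continue
        findings.append({
            "host": host,
            "status": e["status"],
            "category": HIGH_RISK.get(host, "uncategorized"),
            "users": sorted(e["users"]),
            "bytes": e["bytes"],
            "large_upload": e["bytes"] > bytes_threshold,
        })
    findings.sort(key=lambda f: (f["status"] == "high-risk", f["bytes"]), reverse=True)
    return findings


if __name__ == "__main__":
    for f in shadow_it_findings(discover(SAMPLE_LOG)):
        flag = " LARGE UPLOAD" if f["large_upload"] else ""
        print(f"{f['status']:9} {f['host']:18} {f['category']:13} users={len(f['users'])} bytes={f['bytes']}{flag}")
```

Run as a script it prints the unsanctioned services with wetransfer.com and dropbox.com (both high-risk file-sharing, both with large uploads) at the top and drive.google.com as an unknown service below them; that ordering is the point, since the high-risk entries are the immediate block candidates from step 3 while the unknown ones feed the conversation with users from step 1 about which approved alternative they need.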
Shadow IT can pose serious risks to enterprise security, and those risks are likely to only accelerate as cloud service and mobile application usage continue to proliferate. By understanding why users turn to these applications in the first place and taking the above steps enterprise-wide, your organization can minimize risk and help ensure data integrity while still allowing users to be at their most productive.
To learn more about best practices for enterprise mobility management and the latest industry topics and trends, subscribe to our blog.