How to reduce shadow IT risk and bring it into the light

July 8, 2024



Rob Pocock, Technology Director at Red Helix, delves into the issues associated with employees using unauthorised technology and how to monitor shadow IT.

Every day, employees are using unauthorised technology, completely unseen by the IT department and security teams.

They do so for convenience, efficiency, or necessity, often without realising the potential security risks involved.

Despite efforts to monitor this shadow IT use, much of it remains undetected until it becomes the catalyst for a cyber attack.

Shadow IT has the potential to significantly compromise a company’s security, endangering sensitive data and operations alike.

It involves the use of any device or application without the explicit knowledge of the security team or IT department, meaning it will not have been properly vetted for use.

Examples include unsanctioned video conferencing software, external cloud storage services and incorrectly configured equipment and smart devices.

It may even be something as inconspicuous as a more comfortable mouse that an employee has bought on eBay because it was quicker and easier to acquire it themselves, rather than filling in a form and waiting to get a new one from the IT department.

As shadow IT bypasses the IT department, it has the potential to become a new and unnecessary security vulnerability that can be hard to address.

But if employees are going to use shadow IT anyway, how can businesses ensure its threat is mitigated? Can it be turned to their advantage?

The threat of the unknown

Some employees use shadow IT because they want to manage or need assistance with their workload, while others are frustrated that the applications available to them are not good or adaptable enough.

Most want to remain productive at work without having to rely only on technology that the business deems appropriate (regardless of how well it might actually work).

This is especially exacerbated by hybrid and remote working models, where the boundaries of personal and work technology use can blur.

Employees who send company files across various unvetted applications, such as personal email accounts or cloud storage solutions like Google Drive, may have no idea that they run the risk of unauthorised personnel gaining access.

By 2027, Gartner predicts that 75% of employees worldwide will have created, modified, or be using technology that lies outside the visibility of the IT team – up from 41% in 2022.

But why should businesses even bother reducing shadow IT use? The crux of the problem is its lack of visibility.

When a cyber attack occurs via unsanctioned device or application use, the security teams may have no way of identifying where it came from, which can delay remediation.

When IT departments don’t know what to expect, it is harder to adequately prepare.

Companies may not even know that they have been breached.

For example, employees will often use ChatGPT and other generative AI tools to assist in their workflow, but these can create a weak link in the chain.

Employees may inadvertently upload regulated data into these tools, which could leak this information to the public and nefarious third parties.

This data leakage could expose companies to legal or compliance issues.

Another example would be seemingly harmless Internet of Things (IoT) devices like smart blinds or smart light bulbs, which can become gateways to the company’s network.

Many of these devices, especially those that are neither Windows nor Linux-based, do not provide visibility of software updates or how quickly new vulnerabilities are addressed, if at all, leaving them vulnerable to security exploits.

They also frequently lack strong authentication mechanisms, meaning unauthorised personnel could access them and, from there, move laterally across the company’s network.

Similarly, employees should be vigilant about accepting technology from outside their organisations, such as from trade shows – a free power pack that interacts with a company phone could become another access point onto the network.

This more sinister side to shadow IT presents more avenues for unauthorised technology infiltration.

For example, a maintenance company might come in to fix a network printer, but without the organisation’s knowledge, they could alter the device to copy all the print jobs sent to it.

These print jobs might include sensitive information, leading to data leaks.

This scenario underscores the importance of vigilant monitoring and implementing methods for detecting alterations to sanctioned devices.

An additional problem lies in data storage.

If a company uses Microsoft for all their applications, and one employee starts saving files on a personal Google Drive account, when they leave the business that data could be lost completely.

Of course, there are some solutions to this.

Data Loss Prevention (DLP) ensures that sensitive or critical information does not leave an organisation’s network by detecting and blocking unauthorised data usage both at rest and in motion, rendering files essentially useless when unsanctioned access is attempted.

Similarly, employees can be instructed to use a web-based portal to safely interact with any IT-approved applications using a Cloud Access Security Broker (CASB).

This lets businesses protect sensitive information while adhering to security policies and keeps employees using applications that IT can oversee.

But while these strengthen your security environment, they fail to solve the root of the issue.

Re-evaluate current technology

The solution cannot simply be trying to prevent unsanctioned device and application use entirely.

Employees want to do their job in the best way possible and if they feel that the technologies provided to them inhibit that, they will start to look at different technologies to meet their needs.

It is also important to note that their desire to use shadow IT is rarely malicious – it’s often a result of them finding the authorised tools difficult to use or not good enough to accommodate their tasks.

If employees are forced to find workarounds to complete their work, it may suggest that existing solutions are not good enough and therefore should be re-evaluated.

The best way businesses can minimise shadow IT use is to actively identify what is being used, understand why, and, if possible, adopt it and bring it up to company standards.

Regular audits and surveys can help with this by identifying which software and hardware is lacking and where employees are seeking alternatives.

By asking employees what shadow IT they use and why, companies can also empower them to take part in the future of their organisation – employees can help businesses identify emerging tech that can aid the company the most.

This helps encourage the more tech-savvy generation to play an active role in the company’s decision-making, improving engagement.

They can even be brought on board to help upskill less tech-savvy colleagues and in turn businesses can benefit from new technology that helps them stay innovative.

However, employee surveys can go ignored, which is where a convenient extra benefit of using Security Information and Event Management (SIEM) platforms fed by log ingestion can come into play.

While its main benefit is prioritising and alerting the security team if there is any abnormal behaviour within the network, many intelligent platforms behind a SIEM can also determine which applications and devices employees spend their time using.

In tandem with surveys, companies can use this information to see exactly what technology employees favour, and then, once reviewed, companies can determine if they wish to raise it up to company standards.
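As an added illustration (not from the original article or any SIEM product), the sketch below shows how ingested web-proxy logs can surface unsanctioned applications, ranked by how many distinct employees use them and how much data they send out. The log format, the sample lines and the `SANCTIONED_SUFFIXES` allowlist are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of web-proxy log lines: timestamp,user,host,bytes_out
SAMPLE_LOG = """\
2024-07-01T09:02:11Z,alice,drive.google.com,48211002
2024-07-01T09:05:40Z,bob,contoso.sharepoint.com,120044
2024-07-01T09:07:03Z,carol,drive.google.com,2210
2024-07-01T10:15:27Z,alice,chat.openai.com,18234
2024-07-01T10:16:02Z,dave,chat.openai.com,9120
2024-07-01T10:40:55Z,bob,chat.openai.com,40110
2024-07-01T11:01:09Z,carol,teams.microsoft.com,88120
2024-07-01T11:30:00Z,dave,files.example-transfer.test,7340032
"""

# Assumed allowlist of IT-approved domain suffixes (hypothetical policy).
SANCTIONED_SUFFIXES = ("sharepoint.com", "microsoft.com")

def is_sanctioned(host, suffixes=SANCTIONED_SUFFIXES):
    # Match on a label boundary so "notmicrosoft.com" does not pass as approved.
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)

def shadow_it_report(log_text, suffixes=SANCTIONED_SUFFIXES):
    """Return unsanctioned hosts, most widely used first."""
    users = defaultdict(set)
    bytes_out = defaultdict(int)
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 4:
            continue  # skip malformed lines rather than abort the run
        _ts, user, host, sent = row
        host = host.lower().rstrip(".")
        if is_sanctioned(host, suffixes):
            continue
        try:
            n = int(sent)
        except ValueError:
            continue
        users[host].add(user)
        bytes_out[host] += n
    report = [{"host": h, "users": sorted(users[h]), "bytes_out": bytes_out[h]}
              for h in users]
    report.sort(key=lambda r: (-len(r["users"]), -r["bytes_out"]))
    return report

if __name__ == "__main__":
    for entry in shadow_it_report(SAMPLE_LOG):
        print(entry)
```

A host used by many employees is a candidate for review and possible adoption; a host with few users but large outbound volume is the one to check first for data leaving the organisation.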

By implementing technology that employees want to use, IT can improve oversight, ensuring they have eyes on any complications that arise, mitigating the risk of a cyber attack.

However, as much as companies can attempt to limit the use of shadow IT through an open dialogue, it can still be a major threat.

Network monitoring and endpoint management can ensure the IT department can identify any devices that shouldn’t be there, keeping the company as protected as possible from these hidden threats.

Additionally, training around data use can ensure employees are not inputting sensitive data into random chat bots, or immediately turning to installing technology that lacks oversight.

Work with shadow IT, rather than against it

Businesses may never completely eliminate shadow IT, but they can minimise its negative impact.

By actively monitoring the technology in use and encouraging employees to come forward, the IT department can identify the tools and technologies employees prefer.

This insight allows the company to potentially bring these technologies up to standard and helps them prevent employees from using anything that might raise the risk of a cyber attack.
