What is shadow IT and how do you manage it?

There used to be a time when the IT within an organisation was exclusively provided and approved by that organisation. CIOs might look back on those days with fond memories of security, compliance and low risk. If you had an IT problem, the IT department would sort it – after all, no one else could.

Today there’s the “official” IT department way of doing things and there’s the unauthorised or “shadow” solution – the one the organisation doesn’t know about. IT users, keen to find a workaround for their problems, are less patient, more informed and much more inventive. And, while this activity comes with security and compliance risks, the more enlightened organisation may appreciate there’s something they can learn – if they are prepared to get to the root of the causes.

If, to quote Peter Drucker, you “can’t manage what you can’t measure”, then you certainly can’t manage (or secure) what you don’t know about. That’s why shadow IT has become such a big security issue, making it more difficult to comply with many security-related regulations, not the least of which being GDPR.

This article looks at what causes incidents of shadow IT, where the risks lie, and how the organisation can both manage and learn from it.

The motivation behind shadow IT

Wikipedia defines shadow IT as “any application or transmission of data, relied upon for business processes, that is not under the jurisdiction of a centralised IT department.” That means the IT department did not develop it or was not aware of it and does not support it.

In many cases, shadow IT is a well-intentioned initiative. People want to get their jobs done, and the solutions they feel they need are no longer the sole domain of the IT department. In many respects, shadow IT is a legacy or extension of BYOD (Bring your own Device). We are just too used to using our own devices and finding our own workaround solutions – just like we would on our IT at home.

IT users are busy, they often want to:

• Save time, get on with the job and meet deadlines
• Access and share data quickly and often remotely
• Avoid complex IT policies and “going through” IT
• Work with software they are familiar with and can purchase easily
• Work with something compatible with their own devices.

Organisations are not helped by operating dated IT infrastructure that only frustrates business requirements, putting pressure on IT users who can see a quicker fix than waiting for any official solution.

What’s more, the cloud has made it much easier to purchase software with many low-cost or free apps from a vast number of SaaS (Software as a Service) providers.

Examples of shadow IT in practice

Typical shadow IT “workarounds” are commonplace, using apps, software and sometimes hardware (e.g. Wi-Fi/Mi-Fi) many of us are familiar with. The popularity and everyday use of these can make them seem like standard practice, whether they are officially approved or not.

They often include:

• Use of WhatsApp and other online messaging services for organisational business
• Use of USB flash drives and other portable data storage devices
• Gmail and other email service providers outside of the organisation
• Dropbox, Google Docs and other document sharing
• Skype and other online VOIP (Voice Over Internet Protocol) software.

How commonplace is it?

Thanks to the ease of the cloud and availability of such services, McAfee data suggests 80% of workers have admitted to using SaaS applications at work without IT department approval. With the use of Google for research and the ease of download with just a credit card – it’s a lot faster and easier to source a shadow IT solution than to approach the organisation’s IT department and wait for an approved solution.

And here’s the big scary number – according to Gartner’s Top 10 Cloud Security Predictions, by the year 2020, a third of all successful attacks on businesses will be against their shadow IT resources.

Where do the risks lie?

• Increased risk of data loss. The IT department can’t back up software they don’t know is present in their networks. If the data lost is critical to a business or its customers, the loss could have serious consequences with the possibility of fines.
• Increased risk of data breach. The IT department will not know who has access to data as it is effectively under their radar. No records will exist of who is seeing, copying or transferring data. Not a good thing for those who need to comply with GDPR.
• Increased cyber security risks. Hackers often access the weak spots in software to gain illegal access to data and systems. Software vendors try to prevent this by issuing patches where they are aware of vulnerabilities. That’s fine when the organisation knows what software is being used. When it doesn’t that’s good news for the hacker as the weak spots won’t be rectified. In many cases, the software being used in shadow IT is designed for domestic purposes and doesn’t meet the strict security and governance needs of an organisation.
• Increased risk of non-compliance. The presence of unmanaged data, software and hardware makes it impossible to meet security standards such as PCI-DSS (Payment Card Industry Data Security Standard) and regulations such as GDPR.
• Increased risk of importing malware. There have been multiple cases of software having malware attached to it.  If your IT users introduce unofficial software into your organisation, the risk of malware increases.

Risk appetite

The issue using of shadow IT is really one of risk appetite. It may be the IT department has a business-endorsed risk appetite and its approach to cyber-based risk is relatively high; presumably in this scenario it’s better to let the business get its work done than developing overzealous security controls.

Or it may be the business-endorsed risk appetite is extremely low; the business impact of a cyber incident would be catastrophic for the business, and therefore, strict adoption of the security controls is essential.

Neither of these approaches is “wrong” it’s a business decision based on the unique attributes of the business.

If anything is wrong it’s businesses without a risk appetite and means to understand and develop a risk-based approach to cyber security. They may be stifling innovation when there is no need to, or conversely exposing the business to increased cyber risk without an appropriate level of business benefit.

Mitigating and managing shadow IT

We live in a time of high-profile data and security breaches. Shadow IT is an obvious contributor to risk but, as we’ve discussed, there are reasons why people take that risk. So, understanding the causes and motivations for shadow IT is a good way to start.

If you are able to identify the reasons why your IT users are turning to shadow IT and propose workable solutions, you will stand a better chance of reducing both the problem and the risk that comes with it.

It’s a little like your IT users are your internal customers – how can you keep them onside, rather than have them do their own thing?

Our suggested questions to ask your IT users:

• What are the frustrations that led to the IT department being bypassed?
• What are their challenges, and why and how did their solutions make their life easier?
• How can you help them implement the IT they need?

Our tips for the IT department:

As with any attempt to manage a situation, the best results involve understanding all sides of the problem. It involves a communication process and being prepared to learn from what you hear back. Here are some talking points to get the conversation going:

Is your approval process taking too long? Perhaps IT is perceived as too controlling? Your IT users want to move with pace and innovate – are you holding them (and your business) back?

Are your policies and guidelines pragmatic and clear? Your existing rules, requirements and policies regarding app and data usage should be based on your risk appetite, be clear and properly communicated. To avoid confusion, they should be simple and easy to understand and not too restrictive, where possible.

Do your IT users properly understand the risks? You need to get them to understand the problems that shadow IT resources pose – and why you adhere to the security approach you’ve adopted.

Are some solutions OK to use? For example, and depending on the risk appetite, many end-user apps and reports are built within the framework of third-party software that comes with comprehensive governance and security standards in place.

Can you learn from their innovation? Your IT users may have developed an effective solution that serves their needs best. Provided it can meet the appropriate security and governance requirements, could it be adopted and bring benefits?

In conclusion

Shadow IT is an obvious security risk, and while the IT department has every right to put security controls in place, there may be room for compromise. By better understanding what your IT users are trying to achieve with their shadow IT solutions, you’ll be better able to serve their needs and manage IT security.

You may also find that, while they might have bent the rules, they may also have been working in a more agile and efficient way which could benefit the business. With transparency and the right security measures in place, the organisation could be stronger for it.

The way forward relies on a better understanding of both side’s needs – and in particular, where shadow IT sits in relation to the organisation’s risk appetite.

For further information

If you have found this article of interest, the Ascentor blog regularly carries articles about a range of topical cybersecurity issues. You might also like to receive our quarterly newsletter. Sign-up details below.

If you want to evaluate where security risks lie within your organisation, why not take our free online risk assessment and receive feedback and suggestions?

If you’d like to discuss any aspect of IA and cyber security, please get in touch, using the contact details below.