Posted by Bill Sengstacken ● 4/28/21 4:27 PM
The Risks of ‘Shadow IT’ and What Organizations Can Do About It
Your team members mean well. They’re not nefarious ne’er-do-wells. Yet every day, someone is installing an app, copying files to a device or file server, or using a SaaS solution that they feel they need in order to do their job better. Collectively, these unauthorized apps, devices, and solutions are known as “Shadow IT”.
Unintentional or not, when employees use Shadow IT, they are potentially introducing unacceptable risks to your systems and could be offering a gaping security hole for hackers to exploit.
Even if you lock down your company-issued equipment, it can be difficult to get people to stop using their own solutions, computers, tablets, or other devices to get some work done at home. They might upload work files to Dropbox or OneDrive. They might simply copy files onto a USB flash drive. That may seem innocent enough, but should that flash drive contain a virus or an exploit, it could introduce a massive problem for you to resolve.
Of course, the risk isn’t limited to file servers and flash drives. The apps themselves have the capacity to bring your network and operations to their knees. Trojan horses, viruses, phishing, and other attacks often use Shadow IT to get past your firewall and other defenses. Even something as seemingly innocuous as a spreadsheet macro could carry an exploit.
It’s enough to give an IT Manager heartburn.
Okay, now you know there’s a problem. So what are you going to do about it?
Talk and Listen to Your Users
It may seem obvious, but talk to your team. Have an all-hands presentation about Shadow IT and the risk it poses. Then ask anyone using it to please stop, and help them remove anything that shouldn’t be there. Have an amnesty period for this to happen.
That won’t be 100% effective, of course, but extending the olive branch as your first move will help to mitigate any friction between IT Management and the users. You might want to consider creating a presentation that covers the risks from Shadow IT, along with some real-world examples of companies or organizations that had real issues that stemmed from the use of Shadow IT applications.
Record the session and make viewing it a part of onboarding new employees. Also, consider holding refreshers at least once per year to keep Shadow IT risks top of mind.
Taking these steps will help to get non-compliant team members to “see the light”. Then it becomes much easier to get them to remove any offending apps from their devices. Again, you shouldn’t be looking to dole out punishments. Be forgiving about the past, but take a firm stance going forward.
Check Your Network
While there are some potential legal ramifications, depending upon the laws of your country, another option is to use a network monitoring tool that can identify inbound and outbound traffic along with its source.
Anomalous data traffic or unauthorized port usage is usually a good indicator that something is amiss. The software used to perform this function varies, but if your goal is to identify which users are running unapproved apps and services, it is an option worth considering.
Again, before doing this, be sure that using a tool like this won’t violate any privacy laws that may be in place.
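As an added illustration of the traffic check described above (example code, not the author’s or any vendor’s tool), the script below scans constructed flow-log lines for destinations outside an approved-service list and for unapproved ports, and groups the findings by source host. The log format, the allow-lists, the byte threshold and the sample lines are all assumptions.

```python
"""Flag internal hosts talking to unapproved services or on unapproved ports.

Added example; the log format, allow-lists and sample lines are constructed."""
from collections import defaultdict

# Constructed allow-lists: what IT has formally approved.
APPROVED_DOMAINS = {"docs.google.com", "workspace.google.com", "sharepoint.contoso.example"}
APPROVED_PORTS = {53, 80, 443}
# Constructed threshold: an unapproved destination receiving this much is called a bulk upload.
BULK_BYTES = 50_000_000

def parse_flow(line):
    """Parse 'timestamp src_ip dst_host dst_port bytes_out'; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, port, nbytes = parts
    try:
        return {"ts": ts, "src": src, "dst": dst, "port": int(port), "bytes": int(nbytes)}
    except ValueError:
        return None

def destination_approved(host):
    """An approved domain or any subdomain of one counts as approved."""
    return any(host == d or host.endswith("." + d) for d in APPROVED_DOMAINS)

def find_shadow_it(lines):
    """Return {src_ip: sorted reasons} for hosts whose traffic warrants a conversation."""
    findings = defaultdict(set)
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue  # skip lines the collector garbled rather than crash the sweep
        if flow["port"] not in APPROVED_PORTS:
            findings[flow["src"]].add(f"unapproved port {flow['port']} to {flow['dst']}")
        if not destination_approved(flow["dst"]):
            kind = "bulk upload" if flow["bytes"] >= BULK_BYTES else "traffic"
            findings[flow["src"]].add(f"{kind} to unapproved service {flow['dst']}")
    return {src: sorted(reasons) for src, reasons in findings.items()}

# Constructed sample flows: one approved user, one Dropbox uploader, one odd-port user.
SAMPLE_FLOWS = [
    "2021-04-28T09:01:00 10.0.1.15 docs.google.com 443 12000",
    "2021-04-28T09:02:00 10.0.1.22 dropbox.com 443 81000000",
    "2021-04-28T09:03:00 10.0.1.22 dropbox.com 443 2000",
    "2021-04-28T09:04:00 10.0.1.40 sharepoint.contoso.example 443 5000",
    "2021-04-28T09:05:00 10.0.1.40 files.example-personal.net 2222 900",
    "garbage line the collector could not format",
]

if __name__ == "__main__":
    for src, reasons in find_shadow_it(SAMPLE_FLOWS).items():
        print(src, "->", "; ".join(reasons))
```

The output is a per-host list of reasons, which is what you need for the follow-up conversation rather than a raw packet dump.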
Give the People What They Want
As mentioned at the top, the people using Shadow IT apps and services likely do not have evil intent. They may have compelling reasons to use an app that is normally out of bounds. These reasons can vary, but if there is a case to be made to allow the use of an app or a set of apps, consider expanding the list of approved apps to accommodate their use.
While yours may be an accounting firm, as an example, the marketing department probably has a legitimate need to use the Adobe Creative Cloud suite of applications. You may allow the use of these apps, but require that all generated files be stored on your secure server as opposed to using Adobe’s cloud storage.
Others may explain that they can get more work done or be more efficient with non-compliant applications. They may have a legitimate point, especially if you’re using technology that’s outdated.
For example, your organization might still be using Lotus Notes, but your users report that they can get more done with Google Workspace. With Workspace apps like Google Docs, an employee can begin work on a document on a desktop or laptop, and then continue to work on it with a tablet or a smartphone.
If you are open to Google Workspace but need better controls on governance, access, and compliance with any regulatory oversight, then look for a document management solution integrated with Google Drive and Workspace. Indeed, it might be time to truly evaluate what other systems you have in place that could benefit from updates or replacements.
In the past, organizations wanted on-prem systems because they were perceived as more secure; that’s no longer the case. A secure SaaS alternative to your legacy on-prem systems will likely mean less maintenance effort for your IT team. You won’t have to worry about applying patches or shutting things down in the dead of night to perform an upgrade.
Users will also gain a big benefit as they should be able to work from any location so long as they have an internet connection. As remote work suddenly became everyone’s normal thanks to COVID, the ability to securely work and collaborate from disparate locations became mission-critical.
As you explore this route, you should also see if real work can be performed on mobile devices with the systems under consideration. Collaborating on a document or responding to a workflow alert with mobile devices will certainly increase efficiency.
In summary, your best first move to mitigate the risk of Shadow IT is to make sure your organization knows about the risks associated with using unapproved apps. Offer an amnesty period to allow users to “self-report” any unauthorized apps and services they may use. Moreover, work with your users to see if there are ways to accommodate the perceived need to use an app, while still enforcing access controls, compliance, and file storage policies.
Do this right, and not only will you be able to dramatically reduce your security risks, but you’ll also be seen as a partner and not an adversary.