Do you know what every person in your organisation is doing on the web, and what data they’re moving around? Any tool or system that has not been given the stamp of approval by management or the IT department is known as shadow IT – and is a significant cyber security risk. We’re not just talking about a few unsanctioned apps: it’s about the potential for serious security breaches and compliance nightmares.
With over 25 years’ experience helping businesses bolster their cyber security, I’ve seen firsthand how employees using systems without IT’s approval is a widespread and often overlooked issue. I understand the challenges of maintaining control over your vast IT environment.
So, what is shadow IT and how do you know you have it? This article will answer just that by providing practical strategies for identifying and managing shadow IT, so you can avoid unexpected expenses and maintain a secure, compliant, and cost-effective IT infrastructure.
What is Shadow IT?
Shadow IT, at its core, involves employees using systems and applications that haven’t been approved or even vetted by management or the IT department. This includes everything from alternate email and customer relationship management (CRM) systems to off-site data repositories and unapproved chat apps. It may seem harmless or convenient for employees to use whatever tech solutions they please, but the cyber risks are substantial.
Might Shadow IT Be a Risk Factor for Your Business?
Before we talk strategy, let’s talk a bit about why shadow IT is a huge internal security risk in the first place. It turns out that shadow IT can open up a whole can of worms – let’s unpack this scary bunch:
Security Risks
Shadow IT can introduce what I like to call ‘Trojans’: viruses and malware that sneak into your systems. This happens when data is pulled back into the business from unapproved repositories that may contain threats. Think of it like bringing a stray animal into your home – you don’t know where it’s been or what it’s carrying!
Unexpected Costs
Apart from the filed expenses, are you aware of every single service or solution every person in your organisation is signing up for? If you’re like most SMBs, the answer is most likely no. But you’re not alone: many businesses have stories where they have suddenly received a bill for additional hosting that they were not aware of – and that no one approved.
Compliance Nightmares
When you’re auditing your data, how do you know that all your data is in one place? With data scattered across unapproved hosting environments, businesses can go from being very compliant to having no idea where their data is, making compliance impossible. This extends to AI by the way: shadow IT makes it difficult to know where your data is stored, especially when using AI to process or generate information – more on that later.
Acquisition Complications
If your business is based on a Mergers & Acquisitions model, this point is for you. During company acquisitions, shadow IT systems can complicate data audits, making it difficult to articulate the location of all data to the core business. What this means in plain English is that when one company is buying another, shadow IT can throw a wrench into figuring out where all the important data is located. It’s like trying to assemble a puzzle when you don’t even know if you have all the pieces.
How to Identify and Mitigate Shadow IT
Now that we’re aware of the dangers lurking in the shadows, let’s switch gears and chat about how to shine a light on your tech stack. A question that always pops up when I talk to my clients about deciphering whether they have shadow IT or not is, “How do you know what to prevent if you don’t know it exists?” This is a fundamental question, because the more solutions you have in your tech stack, the more difficult it is to gauge which ones are helping or harming your business.
So, the first step in tackling shadow IT is knowing how to find it. You need to implement systems to scan your environments and see what applications your users are actively using. This may be quite daunting if you have a relatively large organisation, but tackling shadow IT doesn’t require a massive budget. There are many ways to gain visibility and control that are easy on the pocket – here are a few to get you started:
Web Activity Monitoring
Monitoring web activity helps to identify if employees are using applications or websites not approved by the business. Without this visibility, identifying shadow IT becomes nearly impossible.
Hosting Environments
More often than not, employees spin up their own hosting environments on platforms like AWS or Azure for short-term projects. People might think, ‘I need to get this done by the end of the week. I’ll just spin this up and expense it later’. That simply can’t happen: remember, shadow IT is any tech solution that has not been preapproved – and that includes hosting environments.
Proactive Blocking
In addition to monitoring, consider proactively blocking specific sites that employees should not be browsing during work hours, especially on work devices. This is not about blocking the obvious ‘not safe for work’ sites but has much more to do with ensuring that your company data doesn’t fall into the wrong hands.
While access to approved corporate systems should be permitted, measures should be in place to ensure employees cannot use personal accounts or methods to interact with these systems in a way that could compromise data security. What does this mean? Well, I’m glad you asked – let’s break this down:
- Allow Access to Corporate Solutions: Ensure employees can use approved tools like corporate Box accounts.
- Prevent Access with Private Details: Block employees from accessing corporate systems (like Box) using personal email addresses.
- Prevent Data Transfer via Private Email: Implement measures to stop employees from sending data from corporate systems to their email addresses.
The name of the game here is data loss prevention (DLP): ensuring that all data interactions within corporate systems are monitored and controlled. This of course prevents the unauthorised copying or transfer of data (what we in the biz call ‘data exfiltration’).
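To make the web activity monitoring and DLP points above concrete, here is an added example (not code from the original article or from Babble) that runs over a few constructed proxy log lines: it lists every destination outside an assumed approved-application list (surfacing unsanctioned SaaS and self-service AWS console use) and flags large uploads to personal webmail or consumer storage as exfiltration candidates. The log format, hostnames, user names and the 10 MiB threshold are all assumptions for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (not real data): timestamp, user, method, host, bytes sent.
SAMPLE_LOG = """\
2024-05-01T09:02:11Z alice@corp.example GET box.com 512
2024-05-01T09:05:40Z bob@corp.example POST mail.google.com 40960000
2024-05-01T09:07:03Z alice@corp.example GET teams.microsoft.com 2048
2024-05-01T09:10:55Z carol@corp.example POST console.aws.amazon.com 8192
2024-05-01T09:12:20Z bob@corp.example POST dropbox.com 157286400
2024-05-01T09:15:00Z dave@corp.example GET box.com 1024
"""

# Assumed list of sanctioned services; anything else is a shadow IT candidate.
APPROVED_HOSTS = {"box.com", "teams.microsoft.com"}
# Assumed personal webmail / consumer storage hosts; large uploads here are a DLP signal.
EXFIL_RISK_HOSTS = {"mail.google.com", "dropbox.com"}
UPLOAD_THRESHOLD = 10 * 1024 * 1024  # assumed: 10 MiB per request

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT) (\S+) (\d+)$")


def parse_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, user, method, host, sent = m.groups()
            yield {"ts": ts, "user": user, "method": method, "host": host, "bytes": int(sent)}


def find_shadow_it(text):
    """Map each unapproved host to the sorted list of users who reached it."""
    unapproved = defaultdict(set)
    for e in parse_log(text):
        if e["host"] not in APPROVED_HOSTS:
            unapproved[e["host"]].add(e["user"])
    return {host: sorted(users) for host, users in unapproved.items()}


def find_exfil_candidates(text, threshold=UPLOAD_THRESHOLD):
    """List (user, host, bytes) for uploads to risky hosts at or above the threshold."""
    return [(e["user"], e["host"], e["bytes"]) for e in parse_log(text)
            if e["method"] in ("POST", "PUT")
            and e["host"] in EXFIL_RISK_HOSTS and e["bytes"] >= threshold]


if __name__ == "__main__":
    for host, users in find_shadow_it(SAMPLE_LOG).items():
        print(f"unapproved: {host} used by {', '.join(users)}")
    for user, host, nbytes in find_exfil_candidates(SAMPLE_LOG):
        print(f"DLP review: {user} sent {nbytes} bytes to {host}")
```

In practice the same two passes run over your real proxy or secure web gateway export, with the approved list maintained alongside your software inventory.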
Proactive Measures to Prevent Shadow IT
With our shadow IT detectors sharpened, let’s take a look at the bigger picture and how you can prevent or manage shadow IT. Building long-term security requires a multi-faceted approach. This means that to truly protect your business from threats like shadow IT, you can’t just rely on one solution. I like to look at security at multiple levels: from individual devices to your network’s edge.
Endpoint Protection
Let’s go back to my Trojan metaphor: the antivirus software on your computer that protects it from viruses masquerading as harmless emails is basically what endpoint protection is – just supercharged and designed for businesses. “Endpoint” refers to devices like laptops, desktops, and servers. So, endpoint protection helps prevent these machines from being compromised and used to attack internal servers or Active Directory servers, which could damage the entire network.
Edge Security
Think of your company’s network as a castle. Edge security is like having guards at the castle walls (the “edge” of your network) to control who comes in and what they can do. It’s all about setting rules about where users can and can’t go, and what they can and can’t access. It can get very draconian, but from a security point of view, you don’t want your users going here, there and everywhere without that activity being monitored.
What’s worse is having a disgruntled user accessing your crown jewels (which is data in this case) – whether that’s financial information, proprietary code, or intellectual property. You want to avoid a situation where an employee shares sensitive information with competitors – which brings me to my next point.
A Quick Word on Employee-Related Risks
We can’t talk about the tech without mentioning the people buying and using said solutions. In this article, I talk about what makes your employees the biggest internal security risk, but for now, I’ll say this: keep a close eye on employee behaviour, especially that of those who’ve given their notice.
Imagine this: Laura, a long-time marketing employee, hands in her resignation. While everyone wishes her well, a silent clock starts ticking in the IT department.
The IT team flags Laura’s account, not because they distrust her, but because they need to ensure company data (crown jewels) remains secure. Tom in IT then goes ‘Right, monitor what that user is doing in more detail than others’. So, they monitor where she’s going on the web and what data she’s moving around.
But it’s not just about laptops and data transfers. Be aware that sensitive information can be shared in social settings, not just through technological means.
Perhaps Sarah mentions a new marketing campaign to a friend at a networking event, inadvertently sharing confidential information with a competitor. It’s not always about malicious intent or clicking on a ‘phish-y link’. Sometimes, it’s a casual conversation that poses a risk. This is why awareness and vigilance are so important, both in the digital and physical realms.
Taking Control of Shadow IT
You now have practical strategies to start tackling shadow IT within your organisation. Remember, you’re not alone in this fight. Many businesses face the same challenges, and with the right approach, you can regain control of your IT environment.
Shadow IT poses significant risks, including security breaches, compliance nightmares, and unexpected costs. By implementing the steps outlined in this blog, you can mitigate these risks and protect your business.
As a cyber security expert at Babble, I’m committed to helping businesses like yours navigate the complex world of cyber security – after all, these things are usually best left in the hands of a trusted partner.
Take the first step towards a more secure IT environment by reading my blog, Why Your Employees Are Your Biggest Security Risk, to get a comprehensive understanding of how you can keep your business safe from all angles.