“Shadow IT refers to (the use of) IT devices, software and services outside the ownership (approval) or control of IT organisations.” – Gartner
The above definition gives the idea that Shadow IT can only be carried out by malicious actors when it is actually more commonly practiced by well-meaning employees trying to do their job. Naturally, the primary mandate of any IT department or cybersecurity team is to protect the organisation and not necessarily to address the challenges of IT users within the organisation.
Some IT users opt to bypass security policies in an attempt to overcome challenges they’re facing in their day to day work through the use of information technology systems, devices, software, applications, and services without explicit IT department approval. While shadow IT can improve employee productivity and drive innovation, it can also introduce serious security risks to your organisation through data leaks, potential compliance violations, and general vulnerabilities.
The rapid adoption of SaaS has resulted in users becoming more comfortable with downloading and using apps that they feel add value to their work, whether IT approves of it or not. This is a catch-22 situation in the sense that Shadow IT empowers users to access tools that make them more productive and help them interact efficiently with co-workers and partners. However, the bottom-line is if the IT department isn’t aware of an application, they can’t support it or ensure that it’s secure. Gartner predicted that by 2020, one-third of successful attacks experienced by enterprises would be on their shadow IT resources.
However while staff may be the ones installing these pieces of software, part of the problem also lies with the organisations through the following:
- Not offering adequate support for technologies that IT users require.
- Making the governance, approval, and provisioning process too slow and ineffective. Employees may actually view the IT approval process as a time consuming bottleneck, time they can’t afford to waste.
As such users might adopt shadow IT technologies that do not align with your organisational requirements and policies pertaining to:
- Service Level Agreements (SLAs)
The modern gospel of cybersecurity includes concepts such as Zero-Trust and the adoption of a strict security posture. A haphazard and poorly considered implementation of security policy may actually create an environment conducive for Shadow IT. Finding a middle ground can allow end users to find the solutions that work best for them while allowing IT to control data and user permissions for the applications. Shadow IT is inevitable and it is up to your security team to leverage its benefits will minimising its risks.
While it’s clear that Shadow IT isn’t going away, organisations can minimise risk by educating end-users and taking preventative measures to monitor and manage unsanctioned applications. For instance, special attention must be paid to file-sharing, storage and collaboration tools such as Dropbox and Google Docs. The IT team must put themselves in the shoes of their fellow employees as this can assist them to likely predict or pick out Shadow IT amongst them. For instance, employees have been known to email sensitive work documents to their personal emails to work on those documents from home.
Steps that can be taken to manage Shadow IT include:
- scan your environment and network regularly. Detecting and identifying new devices that connect to your network gives you additional visibility into network security risks.
- enforce your identity and access policies. This process should include multi-factor authentication and requiring device authentication when they connect to the network.
- to reduce the risk unknown applications create, start by creating “deny all” network access controls. Then, you can go back and allow the applications you trust.
- train employees to be cyber aware
Although managing Shadow IT risk sounds overwhelming, you can take steps to mitigate risk while enhancing your compliance posture by leveraging solutions such as The Enterprise Immune System by Dartktrace. Darktrace deploys its own agent that analyses real-time traffic of remote workers in the same way it analyses traffic in the network, correlating a web of connections to develop an evolving understanding of workforce behaviour. The Enterprise Immune System learns and analyses workforce behaviour wherever it emerges, from clouds and coffee shops, to branch offices and the corporate HQ.
Looking for greater insights and advisory on this as well as other cybersecurity matters? Contact DataGroupIT today to speak to one of our cybersecurity professionals about the right solution for your organisation.
DataGroupIT is Africa’s leading Value-Added Distributor (VAD). By partnering with the best selection of established and emerging technology vendors across the globe, we, provide complex solutions for any size business, including Enterprise and SME markets across the African continent.
Our product portfolio offers comprehensive solutions for IT Security, Infrastructure and Enterprise Software.
We are fully committed to our business partners. Channels & vendors success is our #1 mission. Our professional teams across Africa deliver exceptional sales, presale, logistic, marketing and financial support that create the ultimate platform to accelerate our business partners’ success.
Contact Us today to find out more