Security threats associated with shadow IT
As cyber threats and remote working challenges linked to COVID-19 continue to rise, IT teams are increasingly pressured to keep organizations’ security posture intact. When it comes to remote working, one of the major issues facing enterprises is shadow IT.
End users eager to adopt the newest cloud applications to support their remote work are bypassing IT administrators and in doing so, unknowingly opening both themselves and their organization up to new threats.
You’ve probably heard the saying, “What you don’t know can’t hurt you.” In the case of shadow IT, it’s the exact opposite – what your organization doesn’t know truly can and will hurt it.
Shadow IT might sound great at surface level if you think of it as tech-savvy employees and departments deploying collaborative cloud apps to increase productivity and meet business goals. However, there’s a lot more going on below the surface, including increased risk of data breaches, regulation violations and compliance issues, as well as the potential for missed financial goals due to unforeseen costs.
One solution to the risks associated with shadow IT is to have workers use only cloud apps that have been vetted and approved by your IT department. However, that approach is oftentimes not possible when shadow apps are acquired by non-IT professionals who have little to no knowledge of software standardization. Additionally, when shadow SaaS apps are used by employees or departments, the attack surface grows considerably because many of these apps are not secured or patched. If IT departments are unaware of an app’s existence, they can’t take measures to protect the company’s data or its users.
Another solution that organizations use is attempting to block access to cloud services that don’t meet security and compliance standards. Unfortunately, there is a vast discrepancy between the intended block rate and the actual block rate, which Skyhigh Networks calls the “cloud enforcement gap” and which represents shadow IT acquisition and usage.
Let’s take a closer look at the repercussions of shadow IT usage. Below are some potential ramifications.
Increased risk of data breaches
While some companies such as Microsoft have a disciplined approach to updating and patching on-premises products, not all software providers have the same rigorous approach to security. This and the fact that IT/security departments are unaware of some apps being used by employees creates a perfect storm. Not only is IT unable to run updates for unpatched or out-of-date SaaS software, but there is also a significant lack of control over enterprise data.
Once an IT team loses control over the software being deployed on its network and enterprise data is exposed by shadow IT, they are no longer able to control who has access to that data. In this scenario, confidential enterprise information is completely unprotected and susceptible to all kinds of breaches whether by former employees, insiders or sophisticated attackers.
Compliance issues and regulation violations
Because users acquire shadow IT applications themselves, common risk assessments and preventative measures are typically not performed before unauthorized apps are run. This often leads to users violating the compliance guidelines established by their company and runs the risk of severe fines.
Shadow IT also exposes companies to the possibility of violating regulations, including SOX, GLBA, HIPAA and GDPR (among others), due to the fact that a majority of these regulations (if not all) touch on data flows and/or storage. When employees employ shadow IT, they are often storing data in unknown and unvetted locations. This lack of security often leads to compliance violations, data breaches and, ultimately, fines.
Missed financial goals due to unforeseen costs
According to Gartner, shadow IT represents as much as 30% to 40% of total IT spend, which can be attributed to several factors. Oftentimes, users and departments buy shadow solutions within a product category already covered by company-wide enterprise agreements, doubling up on capabilities and spending budget without the IT department’s knowledge. And, depending on who pays the bill, shadow IT tends to skew reporting, decreasing efficiency due to time-consuming audits and redundant tasks.
Solutions to help manage shadow IT
At the end of the day, you want to make sure you are providing IT teams with a SaaS management solution that brings visibility into the usage, renewal schedules, costs, policy enforcement and security to avoid the consequences of shadow IT.
One option is to introduce broad SaaS management and discovery capabilities that track apps using a number of discovery methods. This would provide IT departments with a full picture of their SaaS environment, including all applications and users, through a single dashboard. SaaS management solutions also have the potential to educate users on the apps available through the business, help them choose the best solutions and utilize those platforms to their full potential.
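As an added illustration of one such discovery method (this is example code, not part of the original article or any vendor’s product), the following compares constructed proxy log lines against an assumed IT-approved app list to surface unsanctioned SaaS destinations per user, and computes the “enforcement gap” described above as the share of requests to intended-block hosts that were actually allowed. The hostnames, users and log format are all constructed.

```python
from collections import defaultdict

# Constructed sample proxy log (not from any real system):
# timestamp user destination_host action
SAMPLE_PROXY_LOG = """\
2021-03-01T09:00:01Z alice docs.example-sanctioned.com ALLOW
2021-03-01T09:02:15Z bob files.unvetted-share.example ALLOW
2021-03-01T09:05:40Z carol notes.unvetted-notes.example BLOCK
2021-03-01T09:07:02Z bob files.unvetted-share.example ALLOW
2021-03-01T09:09:30Z dave chat.unvetted-chat.example ALLOW
2021-03-01T09:11:11Z alice crm.example-sanctioned.com ALLOW
2021-03-01T09:12:45Z erin notes.unvetted-notes.example ALLOW
"""

# Assumed (constructed) IT-approved catalogue and the policy's intended block list.
SANCTIONED = {"docs.example-sanctioned.com", "crm.example-sanctioned.com"}
INTENDED_BLOCK = {"notes.unvetted-notes.example", "chat.unvetted-chat.example"}


def parse_log(text):
    """Split whitespace-separated log lines into (timestamp, user, host, action)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, action = line.split()
        events.append((ts, user, host, action))
    return events


def discover_shadow_saas(events, sanctioned):
    """Map each destination outside the approved catalogue to the users who reached it."""
    shadow = defaultdict(set)
    for _, user, host, action in events:
        if host not in sanctioned and action == "ALLOW":
            shadow[host].add(user)
    return {host: sorted(users) for host, users in shadow.items()}


def enforcement_gap(events, intended_block):
    """Fraction of requests to intended-block hosts that got through (1.0 = nothing blocked)."""
    total = blocked = 0
    for _, _, host, action in events:
        if host in intended_block:
            total += 1
            if action == "BLOCK":
                blocked += 1
    return 0.0 if total == 0 else 1.0 - blocked / total
```

In this constructed data the notes app is reached by two users but blocked only once and the chat app is never blocked, so the gap is two thirds; in practice the same comparison run daily over real proxy or DNS logs is what turns an intended block list into a measurable one.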
While companies work to increase employees’ knowledge of software apps and security risks, generally speaking we still have a lot to learn when it comes to enterprise security and shadow IT. Companies should embrace new technology and apps in a way that keeps their enterprise data protected and their network secure, and that helps employees reach peak performance levels.