Shadow IT In the Cloud - Mitigating the Risks
Shadow IT is an umbrella term used to describe projects, applications, hardware, and services that an IT or cybersecurity department doesn’t know about.
It should be the job of an IT department to help the rest of the company achieve its business objectives. However, IT teams are worried about cybersecurity and are loath to approve anything they cannot see or control.
When IT makes it difficult to adopt new technologies, employees or entire departments will implement apps under the radar.
Is Shadow IT a Problem?
What’s the harm in letting employees use a few cloud-based services at work? Well, a SaaS-based collaboration tool here, a web-based file-sharing app there, and suddenly your data is everywhere. With more apps come more gaps in cybersecurity.
Shadow IT is growing at a phenomenal rate, and judging by the figures, it is here to stay. Gartner estimates that approximately 30-40% of an organization's IT spend is going toward shadow IT. They also estimate that a third of cyberattacks on organizations will be focused on their shadow IT apps.
The problem isn’t that one or two employees sign up for a SaaS-based app; it’s when lots of people and whole departments do that it becomes a gaping cybersecurity problem.
Preventing employees from installing random software on their work machines is easy for an IT or security department. Stopping them from signing up for a new online service and storing your sensitive business data and communications on it is a whole new challenge.
To start, the security team has no visibility into the data in that service or how employees are using it. This creates problems with privacy and data-management regulations. If a breach occurs, it is hard to know where the data was and what has been compromised. In short, shadow IT makes a mockery of carefully crafted security policies and controls.
Examples Of Shadow IT
The research and advisory firm Gartner defines shadow IT as "software, services and hardware that operate outside of the control of your IT department", meaning any technology your employees use in the workplace that your IT team does not control. This includes third-party productivity apps like Slack or Trello, instant messaging apps on company endpoints like WhatsApp or Snapchat, and cloud storage services like Google Drive or Dropbox. Shadow IT also includes any personal email accounts your employees use to conduct company business and the personal (BYOD) devices they bring into the office and use for work.
All of the above is widespread. According to a study by Cisco, up to 80% of the software your employees use has not been vetted by your IT department, and the problem is not limited to non-technical staff. More than 83% of IT department staff admit to using apps and services that are unsanctioned by corporate policy, and just 8% of the businesses surveyed know how much shadow IT is in use in their organization, a staggering (and worrying) figure when you think about it.
So how do you deal with this problem? Here are Digital Hands' top solutions. While they may not work for every business, they will provide solid food for thought.
Properly Lock Down Networks
A quick fix is to block, at the network level, the services such as Box and Dropbox that you do not want your employees using. Implement content-inspection rules in your IDS/IPS (or a dedicated DLP system) to identify sensitive data such as Social Security numbers and credit card numbers in outbound traffic. Bear in mind that traffic to cloud services is encrypted with TLS, so content inspection only works if your proxy terminates and re-encrypts those connections; without that, your rules see destination hosts and little else. Consider a Cloud Access Security Broker (CASB), which gives you visibility into the cloud services your employees are using, lets you quickly assess how risky each one is, and identifies potential security issues arising from unauthorized shadow IT services.
Once you have gained visibility into your shadow IT, you can develop security policies to block or allow the services you want used on your network. Be aware that your users adopted shadow IT for a reason and will find a way to use a cloud-based app or SaaS solution if they want to, for example from a personal device on a mobile network that your controls never see.
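The two controls above (discovering which cloud services each user talks to, and catching sensitive data in outbound requests) can be prototyped against proxy logs before you buy a CASB. The script below is an added example written for this page, not a Digital Hands tool or a vendor product. It assumes a hypothetical one-line-per-request proxy log format with a decrypted request-body snippet, and the sanctioned/unsanctioned host lists are placeholders; the log lines are constructed, not real traffic. It uses a Luhn check on card-number candidates and the SSA's never-issued ranges on SSN candidates so that random digit runs do not flood the alert queue.

```python
import re
from collections import defaultdict

# Hypothetical policy tables; a real deployment would feed these from the CASB's service catalogue.
SANCTIONED = {"sharepoint.example.com"}
UNSANCTIONED = {"dropbox.com", "box.com", "trello.com"}

# Constructed sample proxy log (not real traffic): user, destination host, method,
# bytes out, and the request-body snippet a TLS-intercepting proxy would expose.
SAMPLE_LOG = """\
alice dropbox.com POST 5120 "quarterly_numbers.xlsx contains SSN 123-45-6789"
bob sharepoint.example.com GET 0 ""
carol trello.com POST 300 "card: ship invoice 4111 1111 1111 1111 to vendor"
dave box.com POST 900 "order id 1234-56-7890 is not an ssn"
alice dropbox.com PUT 2048 "meeting notes"
erin mail.google.com POST 700 "4111111111111112 test card?"
"""

LOG_RE = re.compile(r'^(?P<user>\S+) (?P<host>\S+) (?P<method>\S+) (?P<bytes>\d+) "(?P<body>.*)"$')
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; drops digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues: area 000/666/9xx, group 00, serial 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"


def find_sensitive(text: str) -> list[tuple[str, str]]:
    """Return (kind, value) pairs for SSNs and Luhn-valid card numbers found in text."""
    hits = []
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            hits.append(("ssn", m.group(0)))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(("card", digits))
    return hits


def classify_host(host: str) -> str:
    if host in SANCTIONED:
        return "sanctioned"
    if host in UNSANCTIONED:
        return "unsanctioned"
    return "unknown"  # a service nobody has reviewed yet: queue it for a CASB risk assessment


def analyse(log_text: str) -> dict:
    """Build a per-user service inventory and a list of DLP findings from proxy log lines."""
    inventory = defaultdict(set)
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; in production, count these instead of silently dropping them
        user, host, method, body = m["user"], m["host"], m["method"], m["body"]
        category = classify_host(host)
        inventory[user].add((host, category))
        # Only outbound payloads can leak data; GETs carry no body in this log format.
        if method in ("POST", "PUT"):
            for kind, value in find_sensitive(body):
                action = "alert" if category == "sanctioned" else "block"
                findings.append({"user": user, "host": host, "kind": kind, "value": value, "action": action})
    return {"inventory": {u: sorted(s) for u, s in inventory.items()}, "findings": findings}


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for user, services in report["inventory"].items():
        print(user, services)
    for finding in report["findings"]:
        print(finding)
```

On the constructed log, alice's SSN upload to Dropbox and carol's card number on Trello are flagged for blocking; dave's order ID fails the SSN pattern and erin's candidate card number fails the Luhn check, so neither produces a finding. Erin's Gmail traffic lands in the "unknown" bucket, which is the list worth reviewing first: those are the services that have not been assessed at all. Host-based classification cannot tell a personal Google account from a corporate one, which is exactly the gap a CASB with tenant restrictions is meant to close.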
Properly Lock Down Data
The real risk that comes from shadow IT is that sensitive corporate data ends up on the internet in a place where you cannot secure it. Many cloud-based services are not very secure, and some leak your data themselves through bad security practices.
To avoid this, use tools that let you restrict how your data is accessed, for example by building your own private cloud data service and tightly restricting how data is transferred out of it. If your corporate data cannot leave this secure environment, it cannot end up on unauthorized shadow IT services.
Listen to Employees
Your employees are probably adopting shadow IT because you aren’t providing the solutions they need to achieve their business objectives or solve their problems. Or, they don’t like the solutions you do provide.
If your employees are using Dropbox to share files, it is probably because your own document-sharing solution is not good enough or is too difficult to use. Listen to shadow IT adopters and work out whether they simply need more training, or whether it is easier to secure their chosen services in a way that is acceptable to your corporate cybersecurity policies and posture.
You could also consider strengthening your controls over expenses. Many SaaS-based services are free, but the most useful ones need a subscription, especially for the features that make them most attractive to enterprise employees.
Your employees will often sign up for these services using their own credit card (because it is easy) and then claim the expense. Deal with this either by refusing to honor shadow IT expenses or by insisting that such expenses are only paid if your IT or security department has visibility into, and a say in, the use of those services.
Don’t Drop the Ban Hammer On Everything
Consider the idea that shadow IT is a new and improved way of working, one which makes employees more effective at their jobs with the freedom to solve their own problems. If you work with employees rather than banning everything they want to use, not only do you make them happy by giving them what they want, but you also gain more control over their use of those resources.
Plus, it increases the chances of employees choosing a web-based service that is on an approved list.
You may have already lost the battle and decided to go with shadow IT rather than fight it. Many organizations have sidestepped the problem by permitting employees to use these services and trusting them to follow security policies. This is roughly the approach taken with the bring-your-own-device (BYOD) trend, and it has worked fairly well.
Shadow IT is the reality for most major organizations these days. You can decide to work with your users and come up with ways to securely enable the services they want to use, or take a hard line and crush all dissent around their shadow IT use.
In any case, it is important to acknowledge that shadow IT is here to stay and develop strategies, policies, and plans to ensure that your organization isn’t leaking any of your sensitive data. Don’t just ignore the problem; it will eventually turn into a crisis.
Contact Digital Hands
Digital Hands employs a deeply experienced team of cybersecurity professionals who can help your business get to grips with shadow IT.
If you or your partners need a competent security services provider to ensure that you are making the right moves, or if you have any questions around shadow IT, get in touch with Digital Hands today by calling (855) 511-5114.