What Is Shadow IT?
It can be defined as follows:
“Shadow IT is the use of information technology systems, devices, software, applications, and services without explicit IT department approval. It has grown exponentially in recent years with the adoption of cloud-based applications and services.
While shadow IT can improve employee productivity and drive innovation, it can also introduce serious security risks to your organization through data leaks, potential compliance violations, and more.”
So, why do employees still engage in this kind of activity? Apart from the “Creatures of Habit” syndrome described in the last section; employees are also simply overburdened with the entire plethora of applications that are mandated by their employer that they must use in order to accomplish their daily job tasks. Consider some of these statistics, according to a recent market research survey conducted by Skyhigh Networks:
- The average employee makes use of at least 16.8 mandated Cloud based services;
- They also make use of 2.9 required content sharing services;
- They are required to use at least 2.8 collaboration services;
- They must use at least 2.6 Social Media services;
- Finally, the average employee utilizes on average at least 1.3 file sharing services.
As a result, whenever the IT Department adds on more to this list (especially given the constant explosion of new Cloud based applications), the employee simply feels even more overwhelmed in the fear and anxiety that they will have to learn something new, which in turn will decrease their productivity levels, and could even lead to some repercussions on future employment. But apart from this, many employees simply feel that they are not getting the training they need in order to effectively learn any new, mandated software applications.
Employees want to use the software applications that they are completely accustomed to, for the pure reason to make their jobs easier, so that they can get their specific tasks done, and of course, look competent and knowledgeable in front of their direct manager. Also, employees get very discouraged when they feel that their IT Department is too slow to respond to their needs, especially when it comes to solving any technical support issues in fixing the new software application, if any glitches should occur.
So, it all goes back to the thinking of: “Why should I use this new software application when nobody is supporting me in learning how to use it or even fix it? It’s only going to waste my time. I am going to use something that I know will let me get my job done on time”.
Another factor that is influencing Shadow IT is that we simply live in a society and culture that demands to have everything right now, and right here, at this very moment. This is ever so true in the workplace. With the gargantuan advances in technology that are taking place in Corporate America today, upper management and the C-Suite are placing even further demands upon the productivity of their employees.
For example, if a CISO demands a threat spreadsheet from their security manager in just a two hour timespan, do you think that they will use the newest software application that they are still learning to use, or will they use something that he or she has used day in day out, such as Microsoft Excel? Most likely, they will use the latter.
Given all of these factors, the trend of Shadow Management is only expected to proliferate. Consider some of these statistics:
- According to a recent study conducted by IBM, 33% of the Fortune 1,000 companies currently engage in some sort of Shadow IT;
- According to a specialized CIO report, 83% of the CISOs were completely unaware that Shadow Management was even occurring at their place of business or corporation.
The Cyber Risks of Shadow IT
Although employees may think that its advantageous to use the software applications that they are already accustomed to, there are a number of serious Cybersecurity risks that are associated with this. They are as follows:
- There is an increased risk of Data Loss:
Because software applications are being used without the knowledge of the IT Staff, any kind of information or data that the employee stores in them, will not be backed up on a regular basis, even if at all. If a Cyberattack were to impact the business or corporation, this information/data will not be restored, and in the long run, could raise serious questions and even impact the bottom line. This is phenomenon is also referred to as a “Data Silo”. For example, while the employee may not have a malicious intent, keeping information and data to themselves can also lead to a huge disconnect between what they have, and what other employees have legitimate access to. It is also important to keep in mind that businesses can spend a quite a bit on rolling out new software applications, and because of that, they want to see a quick Return On Investment (ROI) on it. This is best measured by how quickly employees adapt to and start using them. But if one (or even more) employees insist on using non authorized software, this can greatly reduce the speed if realizing a positive ROI.
- Increased risk of Backdoors being left open:
When an IT Department approves and deploys software applications, they very often go through great lengths to fully ensure that are made as secure as possible. This process, in technical terms, is known as “Hardening”. In this regard, a lot of effort is taken so that there are no backdoors left behind in which a Cyberattacker can easily and covertly penetrate into. But when an employee uses a non-authorized software application package, there is no Hardening that goes with it. Although he or she may feel confident that the application in question is safe, more than likely it is not. The probability is pretty high is that there is some Backdoor that is left open, and thus, the organization is exposed to the potential of a large scale Cyberattack.
- Inefficiencies in the current business processes are introduced:
During the instances when a new software application is deployed, the IT Security Team first tests in what is known as a “Sandbox Environment”. This can be defined specifically as follows:
Sandboxing solutions provide companies with virtual environments that they can use to build, test, and deploy software. They have grown in popularity due to how accessible they are, the flexibility they provide, and the significant cost savings a company can realize by using them.
In other words, it is a sterile testing environment that is completely isolated from the production environment of the rest of the company. The software application is first tested here, to make sure that it is safe to use from a Cybersecurity perspective, as well as to make sure it will comingle well with the other business and technical processes of the organization. Once both of these have been deemed to be satisfactory, the new software application is then rolled out into the production environment of the business so that it can be used by all employees. But by using a non-approved software application, the employee puts the organization at a huge risk that new inefficiencies and bottlenecks could be introduced into the existing processes, because it has not been tested.
- New types of Cybersecurity threats could be brought in:
It is important to keep in mind that any and all of the software applications that have been approved and deployed by the IT Department, at least in theory, will be exposed to a regular software patch and firmware upgrade schedule. So at least from this perspective, this should decrease the probability of a Cyberattacker from penetrating into one of these software packages. But with unapproved software being used, it is not exposed to this regimen of receiving updates and patches. As a result, if a Cyberattacker were to ever penetrate into an employee’s workstation or wireless device, and encounters any of these exposed software packages that are not “Hardened” (as described previously), they could deploy all sorts of threat vectors, ranging from Malware to Trojan Horses to Spyware and even Ransomware. Worst yet, they could be transmitted to the entire IT and Network Infrastructure to the business or organization, just from this one infected workstation or wireless device.
- Serious compliance issues:
With the ever-changing Cybersecurity Threat Landscape of today, there have been many new laws and legislations that have been introduced in order to hold business and corporations much more accountable than they ever used to be. This is reflected in the controls and the safeguards they have to implement and maintain on a constant basis, especially when it comes to the Personal Identifiable Information (also known as the “PII”) of their customer base. It should be noted that some industries are much more heavily regulated in this aspect, such as healthcare and when it comes to HIPAA. But despite this, all organizations can now be the target of an audit by the regulatory agencies. Of course, any and all of the software applications that are being used will receive a heavy scrutinization, especially if they have been tested and are kept to up to date with software patches and other relevant upgrades. If there are any violations in this regard, the organization can be hit with serious fines and penalties. Because of this, when an employee uses non approved software applications, they put the company at a far greater risk of being heavily penalized.
- An increase in the level of third-party risks:
If an employee downloads and uses a non-approved software application, this also heightens the risk that this could also heighten the chances of an unknown third party into entering your IT and Network Infrastructure. For example, if an employee downloads non approved mobile application onto their work-related Smartphone, this will increase the probability that the company who developed this particular app can gain unauthorized access to your IT Assets through a Backdoor.
Overall, this blog has examined what Shadow IT and why it is important to an SMB, especially from the standpoint of the Cyber risks that are associated with it. A future blog will examine how to determine if your employees are covertly engaging in Shadow IT behavior, and the steps that you can take to mitigate it from happening again.
The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.
Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization protect its systems and ensure compliance.
Want to learn more?