What is Shadow IT

Shadow IT is a unique kind of vulnerability in that there’s no explicit attacker. And the risks that shadow IT entails are mainly unintentional. But that doesn’t make it less of a concern; one of its most prevalent risks is sensitive data leaks, which can be devastating to an organization.

This post looks at what shadow IT is, what risks it poses, and how you can mitigate those risks.

What is Shadow IT?

Shadow IT happens when members of an organization start using IT systems (devices, software, services) without the approval or knowledge of the organization’s IT department. With the rise of cloud-based applications, shadow IT has become much more common.

Shadow IT isn’t an attack, per se, and can even have the benefit of improving employee productivity. But it nonetheless introduces some serious vulnerabilities within the organization, such as data leaks and potential compliance violations, among other things.

What drives shadow IT?

It comes down to three main factors:

  1. Employees’ desire to work more efficiently and get things done
  2. The sheer number of devices, applications, and services that are easily accessible today – particularly cloud-based applications.
  3. The rise of bring-your-own-device (BYOD) policies in the modern workplace

Many employees feel that they need to work around their organization’s stringent security policies to do their job. They may know a more convenient file-sharing app than the IT department-sanctioned file-sharing app. Once they begin using the unvetted app, its use could spread within the organization, creating a blind spot for the IT department, which has no visibility into its usage.

Also, we don’t really use packaged software much anymore. These days, you can download almost anything with a few clicks. So the risks of shadow IT have never been greater.

Add to that the fact that many organizations allow their employees to bring in personal devices to use for work purposes, and you can see that the door to shadow IT is pretty wide open in most workplaces.

Examples of shadow IT

  • As mentioned above, it could be an individual or a department (shadow IT tends to grow once introduced) within an organization adopting a different file-sharing solution than the rest of the organization uses for whatever reason (features, ease-of-use, availability, etc.).
  • A marketing team member using an online graphic design tool to create custom graphics for a new campaign.
  • Employees exchanging proprietary information using their personal email, WhatsApp, or Telegram accounts.

Shadow IT connection points

A major problem with the use of unauthorized apps for work is that employees aren’t using these systems for their own pleasure – they use them for business-related tasks, so there is always going to be a point at which data needs to be exchanged between the unauthorized apps and the business’s system.

For example, the tasks performed on these external systems will, at some point require the input of the business’s data or output from these apps into the business’s system.

The connection points between the IT system and unauthorized apps create major vulnerabilities. App permissions, casually granted, allow these unauthorized apps access to the business’s resources. This allows the possibility of poorly scrutinized apps from leaking data, either by malicious intent or through poor security, within the application. These connections can let data out and viruses in.

Fortunately, these connection points give system administrators a chance to track unauthorized applications. By examining access to authorized SaaS and on-premises systems, it is possible to spot where third-party software that hasn’t been approved is connecting to the business’s services.

Risks of shadow IT

Because of the nature of shadow IT, the associated security risks aren’t immediately obvious. The list below comprises the most common risks relative to shadow IT.

Loss of control and visibility

The more your proprietary data flows through shadow IT channels, the less control and visibility your organization’s IT department can exercise. That can lead to an inability to perform disaster recovery measures, security and regulatory non-compliance, and data loss. If your IT department doesn’t have visibility into the organization’s data flows, it may have a harder time properly reacting to IT issues.

Data Loss

As mentioned above, data loss is one of the most common risks associated with shadow IT. Your organization can easily lose access to shadow cloud-based data, for example, when that employee leaves the company. Employees could use their personal Dropbox or Google Drive account to store customer contracts, meeting notes, and sensitive company reports project documentation. If one of those employees leaves the organization, for whatever reason, it may be difficult to regain access to that information because it’s stored in that user’s personal account. And paid cloud services may be swiftly terminated once users stop paying their bills.

Costs

The more your organization uses shadow IT resources in their day-to-day, the higher the chances of those shadow IT components becoming a critical part of your projects. Once you’re in that situation, suppose you need to scale those resources to finish the job, the cost incurred by the organization to continue using the service may well be too high to be justified. That is a common concern with software as a service (SaaS) applications such as online storage services.

IT inefficiencies

Storing and using data in different and unaccountable silos within your organization is inefficient. If the organization is not aware of its own data flows, the IT department will not be able to properly plan for capacity, system architecture, security, and performance across the organization. Analysis and reporting become more complex and less reliable, which in turn can cause your organization to lose both time and money.

Compliance issues

If your organization must adhere to stringent compliance requirements, such as government contractors, for example, the risks posed by shadow IT can have wide-ranging consequences. Shadow IT will either cause you to fall out of compliance or create additional audit points where your organization will need to provide proof of compliance.

Let’s say the employee of an organization working in a government contractor capacity stores sensitive government data in their personal cloud storage account. Your organization may well be required to audit, identify, and disclose the scope and impact of that “breach” for each data point in question.

On top of potentially exposing sensitive information to cyber-attacks, your organization may also face lawsuits and fines for non-compliance, which along with being costly, may also damage your brand’s reputation.

Distributed Denial of Service (DDoS) attacks

DDoS attacks typically imply hijacking poorly protected connected devices. That could be an employee’s BYOD smartphone or a connected Internet of Things (IoT) device. Once the device is compromised, it’s used to bombard the network’s Domain Name Server (DNS) with requests to the point of causing a significant slowdown in the processing of requests, potentially resulting in the network crashing.

Unsecured devices are prone to ransomware and other malware

The more unsecured devices have access to your network, the higher your risk to all sorts of online threats will be. Ransomware and other malware that finds itself on a device with access to your organization’s network, through a phishing campaign or an accidental download, can wreak havoc on your infrastructure and lead to critical data loss.

Expanding your attack surface

The more shadow IT resources are used inside your organization, the bigger its attack surface becomes. Organizational attack surfaces increase with shadow IT, but your organization’s IT department won’t know how big it is until it’s aware of every shadow IT component being used internally.

Shadow IT means having unmanaged data repositories outside the organization’s security boundaries. And something as silly as weak or default credentials could expose those unmanaged assets to the Internet. On top of that, your organization’s penetration testing, intrusion detection, security information, and event management (SIEM) systems, or threat log management won’t be able to cover shadow IT, leaving you potentially exposed.

Shadow IT statistics

Here are just a few statistics relative to shadow IT from 2020 (source: track.g2.com):

  • 80% of workers said they used SaaS applications at work without IT approval.
  • Shadow IT cloud usage is estimated to be ten times the size of known cloud usage.
  • The average company has around 108 known cloud services vs. 975 unknown cloud services.
  • 35% of employees claim they need to work around their company’s security policy to get their job done.
  • Approximately 21% of organizations do not have a policy relative to the use of new technology.
  • 67% of teams use their own collaboration tools in their day-to-day.

More recently, research carried out by UK-based IT specialists Camwood revealed that 53% of CIOs and IT Directors were “unable to confirm exactly how many applications were running on their estate.” Another report, this time from Kaspersky, found that, of the 85% of companies that had experienced cyber incidents, 11% of them were “attributed to the unauthorized use of shadow IT.”

How to mitigate the risks of shadow IT within your organization

The following tips should help you mitigate the risks of shadow IT. You should strive to implement as many as possible.

  • Have an explicit policy in place – You should make sure your organization has a shadow IT policy in place and that it’s adequately communicated to the entire workforce. Your first line of defense against the risks of shadow IT should be mindfulness. Your workforce should understand the risks that come with using unvetted software, hardware, and cloud services.
  • Have a simple approval process for new tools – Discouraging your workforce from experimenting with and proposing new and better tools to get the job done isn’t a winning strategy. Not only do you want contributions from your staff to make your operations smoother and more efficient, but that rigidity could also stifle innovation within your organization. Implementing a clear and straightforward approvals process for new software and tools is a better option. That way, employees will feel comfortable coming to IT to discuss the possibility of using new tools, and IT will continue to have visibility into what’s going on and can properly secure the organization’s infrastructure.
  • Manage user permissions – Managing users’ permissions on your organization’s network is something you should be doing, regardless of shadow IT risks. It’s a practice that can save you a lot of trouble if any of your users’ devices are compromised. Managing user permissions will compartmentalize the damage that can be done in case of a breach. Within a shadow IT context, setting the user permissions to disallow the installation of “foreign” software or to disallow unknown devices from connecting to the network is likely to compel your users to go to the IT department and discuss the issue. Coupled with the above point, this would lead to the software, service or device being officially approved, preserving IT’s capacity to know what’s happening and secure the network.
  • Set up endpoint protection and monitoring mechanisms – One of the main reasons shadow IT is considered a threat is because endpoints are a common target for malicious actors. By putting in place robust endpoint protection and monitoring mechanisms, your organization will be in a position to identify suspicious activity and react quickly to it.
  • Reinforce DNS security at the network level – Most enterprise networks rely heavily on DNS. Because of that, DNS servers are a common target for malicious actors, as the DNS server may harbor valuable information about the network. Common security tools, like firewalls and proxy servers, don’t usually focus on DNS. However, once secured, the DNS server can be your first line of defense. By monitoring your network’s DNS, the IT department can detect network anomalies and gain visibility into the devices joining or leaving the network, enabling a shorter response time in case of issues.
  • Make sure to use a cloud access security broker (CASB) – A CASB is software that can monitor activity between users and cloud applications and enforce security policies. Most CASB software can be integrated with security information and event management (SIEM) systems, streamlining your log collection and enabling your IT department to correlate cloud usage with other activities.
  • Have an automated asset management tool – This will allow your IT department to scan for unauthorized hardware, software, and services.

Conclusion

So there you have it. Shadow IT is a unique kind of vulnerability – one based on human behavior. The risks that come with it are pretty massive, so it’s vital to keep shadow IT in mind when trying to secure a network – even though it may not be the first threat that comes to mind as you attempt to secure your infrastructure. Defending against the risks of shadow IT requires a mix of policy (human behavior) and technical defenses (CASM, SIEB, endpoint protection, etc.).

Hopefully, the above will help. And with a bit of luck, you may never have to deal with the aftermath of shadow IT.

Stay safe.