With the rise of consumer cloud apps like Dropbox and the spread of social messaging apps, employees may feel more comfortable using these services to collaborate and get work done. BYOD policies also give employees more choice in what they use for business purposes. However, the use of these unauthorized services leads to shadow IT and becomes a security risk. Gartner estimates that by 2020, one-third of successful attacks experienced by enterprises will be on data located in shadow IT resources.
Source: NTT Communications
What is Shadow IT?
Shadow IT refers to any IT systems, devices, software or applications that are used by employees but are not managed by an organization’s IT team. Such examples can include an employee sharing files via Google Drive or customers connecting to your guest network.
Shadow IT can have benefits such as increasing productivity and making work more efficient for workers. However, it can also lead to security gaps.
Shadow IT as a Security Risk
Using shadow IT may seem harmless, but it can end up putting data at risk. Most shadow IT lacks the security controls and standards applied to the systems your IT team manages. And if the IT department isn’t aware of these systems, it can’t take the steps needed to secure them. Here are three examples of how shadow IT acts as a risk.
1. Data loss: When using unauthorized software, there’s always a risk of data loss. This can happen for a variety of reasons, such as accidentally installing malware or not using a secure password. Data held in shadow IT may also not be covered by your usual backups.
2. Unpatched vulnerabilities: Software vendors constantly release security patches to fix newly discovered vulnerabilities. It’s usually the job of the IT department to ensure that these patches are installed in a timely manner. When shadow IT is in use, there’s a risk of unpatched vulnerabilities residing in your network. These can be exploited by attackers to steal data or cripple your network.
3. Compliance risks: Data transmitted through unauthorized channels makes it harder for organizations to comply with regulations like GDPR. Shadow IT makes it harder for companies to keep track of the systems and software being used. This puts personally identifiable information at risk and can lead to regulatory fines.
3 Ways to Manage Shadow IT
Shadow IT can be complex to manage, as it has both pros and cons for an organization. Policing what employees can and cannot use can leave them feeling restricted and frustrated. On the other hand, letting employees use third-party software or apps freely can be a security risk. Here are three tips for handling shadow IT.
1. Monitor your network
In order to detect shadow IT, you need to continuously monitor your network for new or unknown devices and suspicious activity. One way to monitor for shadow IT is to use an advanced detection system like Secure IT SIEM. Secure IT SIEM will analyze data from your devices, correlate the information and produce log data, which we provide in a monthly report. Based on this data, you can identify whether external applications are being used and how often data is being uploaded and downloaded. This will help you gain visibility into your network.
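As an added illustration of the analysis described above (example code written for this article, not part of the original post and not Secure IT SIEM code), the script below parses a constructed web-proxy log, aggregates upload and download volume per destination host, and flags destinations that are not on a list of sanctioned services. The log format, the hostnames and the allow-list are all assumptions made for the example.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample web-proxy log (not any real product's format):
# timestamp, user, method, URL, bytes sent, bytes received.
SAMPLE_LOG = """\
2024-03-01T09:12:01 alice POST https://upload.dropbox.example/v2/files 52428800 1200
2024-03-01T09:14:33 bob GET https://sharepoint.corp.example/sites/eng 800 204800
2024-03-01T09:15:10 alice POST https://upload.dropbox.example/v2/files 31457280 1100
2024-03-01T09:20:45 carol POST https://drive.google.example/upload 10485760 900
malformed line that the parser must skip rather than crash on
2024-03-01T09:22:02 bob GET https://teams.corp.example/api/chat 600 4096
2024-03-01T09:25:17 dave POST https://drive.google.example/upload 2097152 950
"""

# Services the IT team manages (assumed); any other destination is a candidate shadow IT service.
SANCTIONED = {"sharepoint.corp.example", "teams.corp.example"}


def parse_line(line):
    """Return (user, host, bytes_out, bytes_in) for one log line, or None if malformed."""
    fields = line.split()
    if len(fields) != 6 or not (fields[4].isdigit() and fields[5].isdigit()):
        return None
    host = urlsplit(fields[3]).hostname
    return (fields[1], host, int(fields[4]), int(fields[5])) if host else None


def summarize(log_text):
    """Aggregate distinct users, request count and transfer volume per destination host."""
    stats = defaultdict(lambda: {"users": set(), "requests": 0, "bytes_out": 0, "bytes_in": 0})
    for user, host, out_b, in_b in filter(None, map(parse_line, log_text.splitlines())):
        stats[host]["users"].add(user)
        stats[host]["requests"] += 1
        stats[host]["bytes_out"] += out_b
        stats[host]["bytes_in"] += in_b
    return stats


def flag_shadow_it(log_text, sanctioned, upload_threshold=10 * 1024 * 1024):
    """Report unsanctioned hosts, heaviest uploaders first, marking any above upload_threshold bytes."""
    findings = [
        {"host": host, "users": sorted(s["users"]), "requests": s["requests"],
         "bytes_out": s["bytes_out"], "bytes_in": s["bytes_in"],
         "high_upload": s["bytes_out"] >= upload_threshold}
        for host, s in summarize(log_text).items() if host not in sanctioned
    ]
    return sorted(findings, key=lambda f: f["bytes_out"], reverse=True)
```

Running `flag_shadow_it(SAMPLE_LOG, SANCTIONED)` on the constructed log surfaces the two unsanctioned file-sharing hosts with their users and upload totals, while the sanctioned collaboration services are left out of the report.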
2. Prioritize your risks
It’s important that your employees understand the risks of using shadow IT, and that controls are in place for the services that pose the highest risk to your network. Measures already present in your network, such as firewalls, can help reduce risk by blocking access to unauthorized services. Inform employees about why you’ve blocked a particular application so that they understand the risks of using shadow IT.
3. Ensure your IT works for your business
Your IT infrastructure is an integral part of your business and should work in tandem with your overall operations. If your employees are turning to shadow IT, it may be because current IT services aren’t allowing them to work effectively. Make sure the software and hardware you use work for your business. Partnering with a service provider like Jolera can help you optimize your infrastructure to meet your business needs.