Shadow IT is the use of IT-related hardware or software by a department or individual without the knowledge of the IT or security group within the organization. It can encompass cloud services including software as a service (SaaS), infrastructure as a service (IaaS), and platform as a service (PaaS); off-the-shelf software; and hardware such as servers, PCs, laptops, tablets and smartphones. The main area of concern today is the rapid adoption of cloud-based services, with users comfortably downloading and using apps and services from the cloud to assist them in their work. As a result, shadow IT is a rapidly growing risk to all businesses when it comes to IT continuity and security.
Why is shadow IT a threat? Serious security gaps may result when the IT department doesn’t know what services and applications are being adopted. For example, let’s say the marketing team at a company is looking to use a website analytics tool to gain a better understanding of the company’s website performance. These tools are readily available online and free for a period of time from SaaS providers. A software trial is quick and easy to set up without the need to go through purchasing or IT control. Marketing decides to test out the product. With this decision, marketing instantly becomes a shadow IT function.
The problem is that the shadow IT function doesn’t follow the risk-mitigation procedures that the IT department would. IT functions place a high priority on the security of IT systems to ensure that business continuity is maximized. Proper risk-mitigation procedures and measures are implemented, such as assessing the availability and disaster recovery provisions of SaaS providers, checking how financially stable suppliers are, and making sure security updates and maintenance are being performed to protect the organization’s systems.
Without these procedures, organizations become even more vulnerable to cyber security issues, including data loss and unpatched vulnerabilities and errors. When unapproved software runs within the network, there’s always a risk of losing data that’s critical for the company. On the one hand, there’s a reasonable chance that there are no backups of these applications and that the employees who use them haven’t thought about creating a proper recovery strategy. If something happens, important data may be lost with little to no chance of restoring it. On the other hand, software that the IT department doesn’t control poses an increased risk of illegitimate access to data, because the administrator has no control over who is accessing these applications. When using unapproved solutions, some employees may be able to see or modify data they aren’t supposed to have access to. As long as the business doesn’t have full control over what’s going on within the network, all these possibilities exist.
In addition, software vendors constantly release new patches to resolve vulnerabilities and fix errors found in their products. Usually, it’s up to the company’s IT team to keep an eye on such updates and to apply them in a timely manner. But when it comes to shadow IT, administrators can’t keep all these products and devices up-to-date simply because they’re unaware of their existence.
Shadow IT also poses serious business risks, including inefficiencies and financial risks. Although boosting efficiency is one of the reasons why many people start using shadow IT in the first place, chances are high that the result will be the opposite. Every new technology needs to be checked and tested by the IT team before being implemented in the corporate infrastructure. This is necessary to ensure that new software works correctly and that there are no software or hardware conflicts or serious failures. Also, in many cases, shadow IT solutions duplicate the functionality of standard products already approved by the IT department. As a result, the company wastes money.
What can organizations do to minimize their risks?
- Build a smarter corporate policy. Establish effective and comprehensible guidelines around the use of personal devices and the use of third-party applications and cloud services. By doing so, an organization can prevent unauthorized access to the corporate network. Businesses can also restrict access to third-party applications altogether or make data exchange between internal applications and cloud products possible only with the IT department’s approval.
- Use shadow IT discovery tools. Monitor the network to know what’s running and how resources are used, and use dedicated solutions to find out whether employees are using unapproved SaaS applications and cloud solutions.
- Educate employees on the true dangers of unapproved software.
- Give employees the tools they need. Find out what employees really need, and do your best to meet those needs so they are not turning to shadow IT solutions in the first place.
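As an added illustration of the discovery step above (example code written for this page, not a tool the article or RPS describes), the script below does the simplest form of shadow IT discovery: it reads web-proxy log lines, compares each destination host against a sanctioned-services allowlist, and summarizes which unsanctioned SaaS hosts are in use, by whom, from which departments, and how much data was uploaded to them. The log format, the allowlist contents and the log lines themselves are all constructed assumptions for the example; a real deployment would feed it export data from the organization’s proxy, DNS or CASB logs.

```python
"""Flag unsanctioned SaaS hosts from web-proxy log lines (constructed example)."""
from collections import defaultdict
from urllib.parse import urlsplit

# Hypothetical allowlist of services the IT department has approved (assumption).
# A host is sanctioned if it equals an entry or is a subdomain of one.
SANCTIONED_DOMAINS = {
    "mail.example-corp.com",
    "approved-vendor.example",   # covers crm.approved-vendor.example, files.approved-vendor.example
}

# Request methods that carry a body, i.e. data leaving the organization.
UPLOAD_METHODS = {"POST", "PUT", "PATCH"}

# Constructed sample proxy log lines (not real traffic), one request per line:
# <timestamp> <user> <department> <method> <url> <status> <bytes_sent>
SAMPLE_LOG = """\
2024-05-01T09:12:03Z alice marketing GET https://crm.approved-vendor.example/dashboard 200 5120
2024-05-01T09:14:22Z alice marketing POST https://trial.web-analytics.example/collect 200 880
2024-05-01T09:15:01Z bob engineering GET https://files.approved-vendor.example/doc/1 200 20480
2024-05-01T09:20:45Z carol marketing GET https://trial.web-analytics.example/report 200 30210
2024-05-01T09:21:10Z dave finance PUT https://personal-cloud-drive.example/upload 201 2097152
2024-05-01T09:25:00Z alice marketing GET https://mail.example-corp.com/inbox 200 4096
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed lines."""
    fields = line.split()
    if len(fields) != 7:
        return None
    ts, user, dept, method, url, status, nbytes = fields
    host = urlsplit(url).hostname
    if host is None or not nbytes.isdigit():
        return None
    return {
        "ts": ts,
        "user": user,
        "dept": dept,
        "method": method.upper(),
        "host": host.lower(),
        "bytes": int(nbytes),
    }


def is_sanctioned(host):
    """True if host is an approved domain or a subdomain of one (never a lookalike)."""
    return any(host == d or host.endswith("." + d) for d in SANCTIONED_DOMAINS)


def find_shadow_saas(log_text):
    """Aggregate requests to unsanctioned hosts: who uses them, from which
    departments, how many requests were made, and how many bytes were uploaded."""
    summary = defaultdict(
        lambda: {"users": set(), "departments": set(), "requests": 0, "upload_bytes": 0}
    )
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or is_sanctioned(rec["host"]):
            continue
        entry = summary[rec["host"]]
        entry["users"].add(rec["user"])
        entry["departments"].add(rec["dept"])
        entry["requests"] += 1
        if rec["method"] in UPLOAD_METHODS:
            entry["upload_bytes"] += rec["bytes"]
    return dict(summary)


def report(summary):
    """Render the summary for IT review, largest upload volume first."""
    lines = []
    ordered = sorted(summary.items(), key=lambda kv: (-kv[1]["upload_bytes"], kv[0]))
    for host, e in ordered:
        lines.append(
            f"{host}: {e['requests']} requests, {e['upload_bytes']} bytes uploaded, "
            f"users={sorted(e['users'])}, departments={sorted(e['departments'])}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(find_shadow_saas(SAMPLE_LOG)))
```

Sorting by upload volume puts the hosts that are receiving the most corporate data at the top of the list, which is where the data-loss and access-control concerns described earlier are most acute; the users and departments column is what lets the IT team follow up with the right people rather than simply blocking the host.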
RPS provides a number of Cyber insurance solutions to diverse industry sectors. Give us a call to find out how we can assist you in finding the right solutions for your insureds.