Financial Services Ireland

Insights

The hidden risks of shadow IT and what it could cost your business

Read more


What is shadow IT and why should it be a C-suite consideration?

When employees, contractors or third parties use unauthorised software or hardware for any reason, it can have consequences for your business. This practice, called shadow IT, can increase innovation and agility, but it can also expose the organisation to significant risks.

Today, users can get any kind of cloud technology they wish with an internet connection and a credit card. These “solutions” might help to achieve a short-term goal, but they haven’t been signed off, and aren’t compliant with written policies. Your corporate IT security can’t protect what it can’t see and isn’t aware of.

Shadow IT can be a significant risk. For example, an employee uses a cloud-based operating system for testing. That system is not online when your vulnerability scanner checks your network. The vulnerabilities this causes are unresolved, and unknown to the IT Security team.

Some common examples of shadow IT
  • The installation or use of an unapproved web browser,
  • Cloud storage access tools such as Google Drive, Microsoft OneDrive or Dropbox,
  • Unapproved virtual conferencing applications like Skype or Zoom,
  • Productivity software such as Grammarly or, in the case of software developers, Notepad++ and FileZilla.

More complex examples would be multiple cloud instances being used to run operating systems for development or testing which have the potential to process confidential data. Databases are another example, with Microsoft Azure SQL and Amazon Relational Database Service being popular cloud-based choices which could easily become shadow IT within any size of organisation. Remediating shadow IT now is the best course of action since, as we will discuss below, it can quickly escalate and the implications for your business increase.

Shadow IT has become a concern for many companies in recent years

The increase in shadow IT has been driven by a desire to avoid the complexity of organisational approvals for spending, the need for greater efficiency and to facilitate innovation faster.

Today’s technologically-savvy staff and are less likely to want to wait for the IT team to evaluate and approve a technology or system. They are driving towards adopting agile ways of working and improving efficiency but are unaware of the risks being introduced. Shadow IT is often found in organisations with a lot of operational technologies such as clinics, hospitals, transport operators and manufacturing companies.

Teams such as developers, application and IT support staff primarily make use of shadow IT. Shadow IT traditionally meant a desktop system or a server being used under someone’s desk. Today, the availability of cloud services means that the scale of the issue can become huge while remaining potentially invisible to an organisation.

One in five organisations have experienced a cyber breach due to shadow IT

A Forbes Insight survey in early 2019 found that one in five organisations have experienced a cyber breach due to shadow IT. IT and security teams are struggling to maintain inventories[i] of authorised and unauthorised devices. They can’t accurately estimate the number of assets in use, especially in the case of cloud services. But it’s not just hardware.  Unauthorised software purchased by individuals or business units and the use of cloud services without approval is making the situation worse and increasing the risks.

As 5G devices become more common, Gartner has predicted the number of devices in an organisation could triple. Gartner surveys have shown that between 30% and 40% of IT spending in enterprises can go to shadow IT. This can hamper digital transformation since data can be permanently at rest, trapped in silos or mislabelled. This can lead to your own staff misusing and disclosing data. If third parties have access to enterprise data via a connection to your network, the potential for a data breach also exists.

Gartner previously predicted that by 2020, one third of all cyber-attacks will be from an organisation’s shadow IT. Separately, a study by EMC estimated the global data loss due to shadow IT was approximately $1.7 trillion per year. Part of this large cost can be attributed to cloud data breaches (an organisation may not be aware it has cloud data storage and duplicated licenses). Risks of this magnitude and potential cost cannot be ignored.

What can organisations do to reverse the trend?

To address the issue, businesses need to perform better than shadow IT. For example, if shadow IT was implemented to take advantage of a time-limited opportunity, consideration should be given to the fact that if it is removed, the organisation could lose revenue.  The solution and the business will need to perform better than the shadow IT solution because removing it may hurt the business financially. Whoever originally implemented the shadow IT shouldn’t be blamed.

Awareness, collaboration and training remain pillars in the fight against shadow IT

Resolving the issue of shadow IT involves providing security awareness training to users to help them understand the risks and vulnerabilities of any technology used to interact with enterprise systems.

If users communicate with IT on what applications or systems they wish to use, this can increase productivity and innovation. With collaboration, these new technologies can be used with minimal risk. The above approaches can be formalised to implement an information security management system (ISMS) such as the ISO 27001.

External penetration tests can be used to find vulnerabilities and to begin to train staff to implement the necessary new security measures. Security awareness training for business stakeholders can help them to understand the necessary enterprise data governance and data management requirements. The penalties of non-compliance should also be included in this training.

Five considerations when setting up a shadow IT mitigation strategy
  1. Dev Ops & Agile set-up: For organisations that develop code, the practice of DevOps or Agile and using solutions created in the cloud can be the best approach. These developers are in the best position to innovate. While they are free to develop their code, it must be thoroughly tested before being deployed to the production environment.
  2. Network access control management: Organisations should investigate every aspect of their network using a networking access control (NAC) solution in the form of an asset discovery, tracking and management programme. A networking access control is a device which seeks to keep unauthorised devices or users out of a private network. This will be particularly important for any project making use of Internet of Things (IoT) devices (devices which traditionally were not connected to the internet but now offer that capability e.g. thermostats, doorbells and cars).
  3. Early detection tools of shadow IT development: Organisations can use a zero-trust model to detect and prevent instances of shadow IT. Machine learning can be used to alert on out of the ordinary log-in attempts. A zero trust model requires all users whether they are located inside or outside of the corporate network to be authenticated, authorised and to have their security configuration (of the device they are connecting from) continuously monitored before they are granted access to use applications or data.
  4. IT Governance and strategy: Work with your IT team to define a roadmap to manage the shadow IT. But IT must be responsive and agile to users’ needs and work with them as a preventative strategy to shadow IT. Make certain the business units can connect with the right contacts in IT. Shadow IT should be welcomed as an alternative way of doing things but appropriate training should be provided with tools to help users make informed choices. Policies to address shadow IT should be simple and well communicated.
  5. Cloud Access Security Broker: Finally, for cloud solutions, the use of a Cloud Access Security Broker (CASB) can monitor user activity and extend security controls to cloud applications while also providing insight into the size of cloud based shadow IT. A Cloud Access Security Broker is a piece of software or hardware that acts as an intermediary between users and the cloud service providers and can extend the reach of corporate security policies to those cloud services.
Conclusion

Shadow IT happens because organisational processes don’t keep up with the pace of change, or it’s too onerous to seek approval for new software or hardware.

The mitigation considerations above will in time remediate shadow IT installations and practices. With the right approach, shadow IT can be turned into an advantage to keep your organisation innovating at pace while minimising risk.

Whether you know how you want to address the risks of shadow IT or would like to know how to get started with a roadmap customised to your business, contact us today.

Authors:

Porus Chadha – Manager, Cyber Security Porus.Chadha@ie.ey.com

James Collins – Senior Consultant, Cyber Security James.Collins@ie.ey.com




More Topics