When employees, contractors or third parties use unauthorised software or hardware for any reason, it can have consequences for your business. This practice, called shadow IT, can increase innovation and agility, but it can also expose the organisation to significant risks.
Today, users can get any kind of cloud technology they wish with an internet connection and a credit card. These “solutions” might help to achieve a short-term goal, but they haven’t been signed off, and aren’t compliant with written policies. Your corporate IT security can’t protect what it can’t see and isn’t aware of.
Shadow IT can be a significant risk. For example, an employee uses a cloud-based operating system for testing. That system is not online when your vulnerability scanner checks your network. The vulnerabilities this causes are unresolved, and unknown to the IT Security team.
More complex examples would be multiple cloud instances being used to run operating systems for development or testing which have the potential to process confidential data. Databases are another example, with Microsoft Azure SQL and Amazon Relational Database Service being popular cloud-based choices which could easily become shadow IT within any size of organisation. Remediating shadow IT now is the best course of action since, as we will discuss below, it can quickly escalate and the implications for your business increase.
The increase in shadow IT has been driven by a desire to avoid the complexity of organisational approvals for spending, the need for greater efficiency and to facilitate innovation faster.
Today’s technologically-savvy staff and are less likely to want to wait for the IT team to evaluate and approve a technology or system. They are driving towards adopting agile ways of working and improving efficiency but are unaware of the risks being introduced. Shadow IT is often found in organisations with a lot of operational technologies such as clinics, hospitals, transport operators and manufacturing companies.
Teams such as developers, application and IT support staff primarily make use of shadow IT. Shadow IT traditionally meant a desktop system or a server being used under someone’s desk. Today, the availability of cloud services means that the scale of the issue can become huge while remaining potentially invisible to an organisation.
A Forbes Insight survey in early 2019 found that one in five organisations have experienced a cyber breach due to shadow IT. IT and security teams are struggling to maintain inventories[i] of authorised and unauthorised devices. They can’t accurately estimate the number of assets in use, especially in the case of cloud services. But it’s not just hardware. Unauthorised software purchased by individuals or business units and the use of cloud services without approval is making the situation worse and increasing the risks.
As 5G devices become more common, Gartner has predicted the number of devices in an organisation could triple. Gartner surveys have shown that between 30% and 40% of IT spending in enterprises can go to shadow IT. This can hamper digital transformation since data can be permanently at rest, trapped in silos or mislabelled. This can lead to your own staff misusing and disclosing data. If third parties have access to enterprise data via a connection to your network, the potential for a data breach also exists.
Gartner previously predicted that by 2020, one third of all cyber-attacks will be from an organisation’s shadow IT. Separately, a study by EMC estimated the global data loss due to shadow IT was approximately $1.7 trillion per year. Part of this large cost can be attributed to cloud data breaches (an organisation may not be aware it has cloud data storage and duplicated licenses). Risks of this magnitude and potential cost cannot be ignored.
To address the issue, businesses need to perform better than shadow IT. For example, if shadow IT was implemented to take advantage of a time-limited opportunity, consideration should be given to the fact that if it is removed, the organisation could lose revenue. The solution and the business will need to perform better than the shadow IT solution because removing it may hurt the business financially. Whoever originally implemented the shadow IT shouldn’t be blamed.
Resolving the issue of shadow IT involves providing security awareness training to users to help them understand the risks and vulnerabilities of any technology used to interact with enterprise systems.
If users communicate with IT on what applications or systems they wish to use, this can increase productivity and innovation. With collaboration, these new technologies can be used with minimal risk. The above approaches can be formalised to implement an information security management system (ISMS) such as the ISO 27001.
External penetration tests can be used to find vulnerabilities and to begin to train staff to implement the necessary new security measures. Security awareness training for business stakeholders can help them to understand the necessary enterprise data governance and data management requirements. The penalties of non-compliance should also be included in this training.
Shadow IT happens because organisational processes don’t keep up with the pace of change, or it’s too onerous to seek approval for new software or hardware.
The mitigation considerations above will in time remediate shadow IT installations and practices. With the right approach, shadow IT can be turned into an advantage to keep your organisation innovating at pace while minimising risk.
Whether you know how you want to address the risks of shadow IT or would like to know how to get started with a roadmap customised to your business, contact us today.
Porus Chadha – Manager, Cyber Security Porus.Chadha@ie.ey.com
James Collins – Senior Consultant, Cyber Security James.Collins@ie.ey.com