Shadow IT: the nightmare of companies
We live with it every day, yet the term is unfamiliar enough that many people do not know exactly what is meant when they hear it. Shadow IT is nevertheless the order of the day: it is a problem that every company in the world faces, and it can pose a far greater threat than it appears to.
But what exactly is it? How does this situation arise? What does it mean for organizations? Below, we shed light on all these questions.
The term Shadow IT refers to any technological element (hardware, software, cloud services...) that is used by a user without the authorization and knowledge of the IT manager of their organization. In other words, a worker makes a decision on their own, without agreeing it with their superior, and decides, for example, to use a cloud-based service without first discussing it with the company.
Data breaches and leaks
As a rule, each company provides its employees with equipment and programs, but many employees also download and install other programs that are not supervised by the IT department. Approximately 82% of companies are unaware of all the applications their workers use on a daily basis.
The practice is more common than we tend to believe. According to IBM Security, "one in three employees share and upload corporate data to third-party cloud applications," and "one in four connect to cloud solutions using their corporate username and password."
With telecommuting, users have turned to their own devices, such as smartphones or personal laptops, for work matters, and in doing so have indirectly shared corporate documents through cloud storage applications, non-permitted networks, uncontrolled computers or third-party SaaS applications. It should be noted that only 7% of these free Internet applications meet minimum security standards, so the people who use them unknowingly expose the organization. Note also that traffic from a personal device on a home network never crosses the corporate perimeter, so it is invisible to the company's firewalls and network sensors.
Why it occurs and how it can be managed
This type of situation mainly arises because the user needs to solve a specific problem. For example, an employee has to send several large files that cannot be attached to an email because of their size, or cannot perform a specific task because their equipment does not allow it.
At first sight all this can look like a series of advantages (immediacy, autonomy and efficiency at work), and we may even believe it translates into savings for the company. Nothing could be further from the truth. Shadow IT leaves the door open to loss of control, data leakage, theft of confidential information and endless vulnerabilities, which translate into a nightmare of costs, inefficiencies and even the complete stoppage of business activity.
How the CISO can combat Shadow IT in the company: Tips and recommendations
The best way to combat the threats and risks of Shadow IT is through guidelines, good practices, policies and initiatives managed by the IT team, and increasingly by the CISO (Chief Information Security Officer), proportionate to the technical and budgetary possibilities of the company and to the needs of the business. Some keys to regaining control across the different action vectors are:
1) Analyze the processes and the way of working: this task belongs more to the business departments than to the IT manager. It consists of periodically reviewing how each department works and what its work processes need. This analysis lets us check whether the existing technological tools are sufficient or whether new elements need to be incorporated into the way of working. This is where we can determine whether the new technological elements that are needed comply with the required security measures, and keep them identified and under control.
2) Inventory and monitor: it is important to maintain a catalog of hardware, software and cloud applications and, in turn, to have network monitoring, analysis and checking methods that let us verify that the configurations of our technological elements have not been changed. For example, MDM (mobile device management) lets us manage an organization's hardware and software fleet remotely, controlling at all times which applications are in use and which can be installed. Firewalls and IDS let us monitor the traffic on our network, and comparing the destinations seen in that traffic against the catalog is what turns an inventory into a detection control.
3) Identify and act: the moment we detect a threat, we must analyze and weigh the advantages it brings, the drawbacks and the impact on the business. Adopting the new element may be the solution and an improvement, but we must also consider whether there is a safer and better alternative that performs the same function.
4) Raise awareness: an important initiative consists of training employees and educating them on security matters so that they understand that their actions can entail great risks for the company. Workers must be aware of how dangerous it is to act in the shadows without informing the IT manager.
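The "inventory and monitor" step above is where the cloud side of Shadow IT actually gets found: the sanctioned-application catalog becomes an allow list, and every destination seen in the web-proxy (or DNS/firewall) logs that is not on it is a candidate for the "identify and act" review. The following script is an added example, not part of the original article and not any vendor's tool. The sanctioned domains, the log format (a Squid-style line of `epoch client_ip user method target status request_bytes`) and the log lines themselves are all constructed for illustration; real deployments would read the proxy log file and load the allow list from the asset inventory.

```python
"""Shadow IT discovery over web-proxy logs: report cloud destinations
that are not in the sanctioned-application inventory, who uses them,
and how much data is being pushed to them.

Added example; all domains and log lines below are constructed.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Hypothetical allow list derived from the company's application catalog.
# Subdomains of a sanctioned domain are considered sanctioned too.
SANCTIONED_DOMAINS = {
    "mail.corp.example",
    "files.corp.example",
    "crm.sanctioned-saas.example",
}

# Constructed proxy log (format assumed for this example):
# <epoch> <client_ip> <user> <method> <url or host:port> <status> <request_bytes>
SAMPLE_PROXY_LOG = """\
1700000001 10.0.1.15 alice GET https://mail.corp.example/inbox 200 512
1700000002 10.0.1.15 alice POST https://upload.bigfiles.example/new 200 734003200
1700000003 10.0.1.22 bob CONNECT drive.consumercloud.example:443 200 120000
1700000004 10.0.1.22 bob GET https://crm.sanctioned-saas.example/accounts 200 2048
1700000005 10.0.1.31 carol POST https://api.chatbot.example/v1/complete 200 8192
1700000006 10.0.1.15 alice POST https://upload.bigfiles.example/new 200 1048576
1700000007 10.0.1.40 dave GET https://files.corp.example/report.pdf 200 90000
1700000008 10.0.1.40 dave GET https://eu.crm.sanctioned-saas.example/x 200 100
this line is malformed and must be skipped
"""

UPLOAD_METHODS = {"POST", "PUT"}
UPLOAD_BYTES_THRESHOLD = 10 * 1024 * 1024  # 10 MiB in a single request


def host_from_target(target):
    """Hostname from a full URL (GET/POST) or a host:port CONNECT target."""
    if "://" in target:
        return (urlsplit(target).hostname or "").lower()
    return target.rsplit(":", 1)[0].lower()


def is_sanctioned(host, sanctioned):
    """Exact match or subdomain of a sanctioned domain; 'evilcorp.example'
    must not match 'corp.example', hence the leading dot in the suffix test."""
    return any(host == d or host.endswith("." + d) for d in sanctioned)


def parse_line(line):
    """Parse one constructed-format log line; return None for malformed lines
    so that a single bad record does not abort the whole sweep."""
    fields = line.split()
    if len(fields) != 7 or not fields[6].isdigit():
        return None
    _ts, _client_ip, user, method, target, _status, nbytes = fields
    return {
        "user": user,
        "method": method.upper(),
        "host": host_from_target(target),
        "bytes": int(nbytes),
    }


def find_shadow_it(log_text, sanctioned=SANCTIONED_DOMAINS):
    """Aggregate unsanctioned destinations: users, request count, bytes sent,
    and how many requests look like uploads (write method or large body)."""
    findings = defaultdict(
        lambda: {"users": set(), "requests": 0, "bytes_out": 0, "uploads": 0}
    )
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or not rec["host"] or is_sanctioned(rec["host"], sanctioned):
            continue
        f = findings[rec["host"]]
        f["users"].add(rec["user"])
        f["requests"] += 1
        f["bytes_out"] += rec["bytes"]
        if rec["method"] in UPLOAD_METHODS or rec["bytes"] >= UPLOAD_BYTES_THRESHOLD:
            f["uploads"] += 1
    return dict(findings)


def report_lines(findings):
    """Human-readable summary, largest data volume first (most urgent to review)."""
    ordered = sorted(findings.items(), key=lambda kv: kv[1]["bytes_out"], reverse=True)
    return [
        f"{host}: {f['requests']} requests, {f['uploads']} uploads, "
        f"{f['bytes_out']} bytes, users={','.join(sorted(f['users']))}"
        for host, f in ordered
    ]


if __name__ == "__main__":
    for line in report_lines(find_shadow_it(SAMPLE_PROXY_LOG)):
        print(line)
```

Running it lists `upload.bigfiles.example` (two uploads by alice, about 700 MB), `drive.consumercloud.example` and `api.chatbot.example`, while the three sanctioned hosts and the `eu.` subdomain of the sanctioned CRM are silently accepted. Each flagged host is exactly the kind of item step 3 asks the CISO to assess: either it is added to the catalog (and the allow list) as an approved tool, or users are steered to a sanctioned alternative.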
That said, the most important key to managing this type of situation and putting an end to it is having tools that allow companies to eliminate Shadow IT. In short, it is essential to have solutions that manage the channels through which employees send and receive files in a secure, monitored, audited and efficient manner.