We live with it, but because we do not know what the term means, we do not know exactly what it refers to when we hear it. Nevertheless, Shadow IT is a hot topic: it is a problem that every company in the world faces, and it can become a more serious threat than it appears to be.
But what is it exactly? How does this situation arise? What does it mean for organizations? Below, we shed light on all these questions.
Data breaches and leaks
The term Shadow IT refers to any technological element (hardware, software, cloud services…) that an employee uses without the authorization and knowledge of their organization's IT manager. That is, an employee makes decisions on their own without agreeing them with the manager and decides, for example, to use a cloud-based service without first discussing it with the company.
Companies normally provide equipment and software to their employees, but many employees also download and install other programs that the IT department does not supervise. Approximately 82% of companies are unaware of all the applications their employees use on a daily basis.
It is a more common practice than we currently believe. According to IBM Security, “1 in 3 employees share and upload corporate data to third-party cloud applications,” and “1 in 4 connect to cloud solutions using their username and corporate password.”
With teleworking, users have used their own devices, such as smartphones or personal laptops, for work, and in doing so have indirectly shared corporate documents through cloud storage applications, unauthorized networks, uncontrolled computers or third-party SaaS applications. It should be noted that only 7% of these free internet applications meet minimum security standards, so the people who use them unknowingly expose the organization.
Why it occurs and how it can be managed
This type of situation mainly arises from a user's need to solve a specific problem: for example, when an employee has to send several large files that cannot be attached to an email because of their size, or when they cannot perform a specific task because their equipment does not allow it.
Finding a solution on their own may bring advantages such as immediacy, autonomy and efficiency at work, and we may even believe that it translates into savings for the company. Nothing could be further from the truth. The reality is that Shadow IT leaves the door open to loss of control, data leakage, theft of confidential information and endless vulnerabilities, which translate into a nightmare of costs, inefficiencies and even a complete halt of business activity.
How the CISO can combat Shadow IT in the company: Tips and recommendations
The best way to fight the threats and risks of Shadow IT is to implement guidelines, good practices, policies and initiatives managed by the IT team, and increasingly by the CISO (Chief Information Security Officer), all of them proportionate to the technical and budgetary possibilities of the company and to the needs of the business.
Some keys to regaining control are:
- Analyze processes and ways of working: this task belongs more to the business departments of a company than to the IT manager. It consists of periodically reviewing how each department works and what its work processes need. This analysis lets us check whether the existing technological tools are enough or whether new elements need to be incorporated into the way of working. This is where we can identify whether the new technological elements that are needed meet the mandatory security measures, and keep them identified and under control.
- Inventory and monitoring: it is important to maintain a catalog of hardware, software and cloud applications, and also to have methods of network monitoring, analysis and checking that let us verify that the configurations of our technological elements have not changed. For example, MDM (mobile device management) lets us manage an organization's hardware and software base remotely, controlling at all times which applications are used and installed. Firewalls and IDS let us monitor the traffic on our network.
- Identify and act: when we detect a threat, we must analyze and assess the advantages it brings, its drawbacks and its impact on the business. Adopting the new element may be the solution and/or an improvement, but it is necessary to check whether there is a safer and better alternative to perform the same function.
- Raise awareness: a relevant initiative is to train employees and educate them on security issues so that they understand that their actions can create great risks for the company. Employees must be aware of how dangerous actions carried out in the shadows, without informing the IT manager, can be.
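The "inventory and monitoring" step above can be turned into a concrete check: reconcile the sanctioned-application catalog against outbound proxy logs and report every cloud service that is not in the catalog, marking those that have received large uploads of corporate data. The following is an added example written for this article, not code from the original text; the catalog, the log format and the log lines are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed, hypothetical catalog of sanctioned cloud services, keyed by
# domain. A real deployment would load this from the IT asset inventory.
SANCTIONED_DOMAINS = {
    "example-corp.com": "Corporate collaboration suite",
    "approved-saas-example.com": "Approved file-transfer service",
}

# Constructed proxy log format: timestamp user destination_host method bytes_out
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<host>\S+) (?P<method>[A-Z]+) (?P<bytes_out>\d+)$")

def is_sanctioned(host: str) -> bool:
    """True when host is a catalogued domain or one of its subdomains."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in SANCTIONED_DOMAINS)

def find_shadow_it(log_lines, upload_threshold=1_000_000):
    """Aggregate traffic to non-catalogued hosts.
    Returns {host: {"users": set, "bytes_out": int, "large_upload": bool}};
    large_upload marks hosts that received more than upload_threshold bytes."""
    findings = defaultdict(lambda: {"users": set(), "bytes_out": 0, "large_upload": False})
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip it rather than abort the report
        host = m["host"].lower()
        if is_sanctioned(host):
            continue
        entry = findings[host]
        entry["users"].add(m["user"])
        entry["bytes_out"] += int(m["bytes_out"])
        entry["large_upload"] = entry["bytes_out"] > upload_threshold
    return dict(findings)

# Constructed sample log lines, including one malformed entry.
SAMPLE_LOG = [
    "2024-05-01T09:00:01 alice docs.example-corp.com PUT 52000",
    "2024-05-01T09:05:12 bob files.bigdrive-example.net POST 2500000",
    "2024-05-01T09:07:40 carol files.bigdrive-example.net POST 120000",
    "2024-05-01T09:10:03 dave notes.quickpad-example.io POST 8000",
    "corrupted line with no usable fields",
]

if __name__ == "__main__":
    for host, info in sorted(find_shadow_it(SAMPLE_LOG).items()):
        flag = " LARGE UPLOAD" if info["large_upload"] else ""
        print(f"{host}: users={sorted(info['users'])} bytes_out={info['bytes_out']}{flag}")
```

Each reported host is a candidate for the "identify and act" step: either it is reviewed and added to the catalog, or users are steered to the sanctioned alternative.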
However, the most important key to managing this type of situation and putting an end to it is to have tools that allow companies to eliminate Shadow IT.
In short, it is essential to have solutions that allow the input/output communication channel to be managed in a secure, monitored, audited and efficient way.