How to protect your business against shadow IT

It was recently revealed through a freedom of information request that more than half of all NHS trusts do not have the necessary processes in place to provide staff with training on using their designated video conference systems. The complexity of the systems could lead staff to ignore the approved applications and instead rely on ‘shadow IT’ services. The use of these shadow IT services is problematic because it puts trusts at risk of security breaches.


Shadow IT is becoming one of the major cybersecurity risks for businesses and organisations around the world. It is something that can affect any business with employees using unauthorised tools and software, but many companies do not yet have a policy to deal with it. In this article we take a look at some of the things you can do to protect your business against shadow IT. To start, we need to understand exactly what is meant by the term:

What is shadow IT?

Shadow IT is a term that refers to any type of technology – such as an application, software, or device – that is used within a business or organisation without approval from the IT department. It could include devices used in the office or working remotely, software and apps installed on those devices, or even cloud services.  

Some of the most common forms of shadow IT are those technologies that are used without even really thinking about them. Productivity and messaging apps such as Slack and Trello, or even widely used hardware like USB flash drives and external memory, make up a large number of the shadow IT examples creeping into businesses.

Cisco even suggests that cloud services are becoming one of the most prevalent forms of shadow IT, and something that companies need to take seriously. 

Why is it a growing threat?

Research shows that shadow IT represents up to 50% or more of technology spend in organisations. This number is growing, and that is due to a number of factors. One of the most important is the rise in bring-your-own-device (BYOD), where employees use their own hardware at work rather than hardware provided by the company and therefore approved by the IT team.

Additionally, the growing popularity of remote working means that employees are using devices at home without getting them approved first. The same is true of non-approved software being installed on company machines.

Yes, virtually every business relies on a wide range of digital tools – from the hardware utilised for the day-to-day running of the company to the HR department’s management system, and the software used by the marketing team. But every single non-approved tool, app, software or device used by a business can be a potential vulnerability. 

The security consequences of shadow IT

Software and hardware that are not known to the IT department present a risk to the organisation. These can have vulnerabilities that can be exploited by criminals using malware and other attack vectors. If the IT team doesn’t know about the use of an application, they can’t patch and update it to mitigate the risk of vulnerabilities being exploited. It can also lead to data breaches with employees sharing personal and business data. 

The important thing to remember is that not all apps are created – or maintained – equally. Some will have lax cybersecurity measures and potentially be vulnerable. When staff use these apps and software, they are putting the business at risk, as criminals can exploit the vulnerabilities.

There are also many other dangers associated with shadow IT. These include multiple applications being installed with overlapping functionality, which makes things difficult for the IT team, and an increase in obsolete systems and forgotten data.

How your business can mitigate the risks

While shadow IT can present a serious cybersecurity problem for organisations, there are various different ways that your business can mitigate the risk.

  • Put a written policy in place – it is important to have a written policy on the issue of shadow IT that is communicated to the whole organisation. This is important for helping members of staff understand the risks associated with the practice of using non-approved software, hardware, and cloud services.
  • Have an approvals policy – software can actually be a competitive advantage for a business over its competitors, so it is important that the use of new applications is not specifically discouraged. Staff should feel that they can take new technologies to the IT team to be approved, so companies should ensure that their staff know the process and that IT teams are in a position to give decisions quickly and act on requests.
  • Manage user privileges – it is simple to take away the permission of users in an IT system to install new software. If employees find they can’t install the software themselves, they will go to the IT team instead. It is important this is carefully managed, as this action can lead to more members of staff using shadow IT if they feel they need to go through a complicated process to get the applications and software approved.
  • Invest in endpoint protection and monitoring – the reason that shadow IT is such a danger to businesses is that endpoints are commonly targeted by cybercriminals. It is important, then, to put powerful endpoint protection and monitoring technologies in place so that any suspicious activity can be identified and tackled rapidly.
  • Utilise CASB – a cloud access security broker (CASB) is software that monitors activity between users and the cloud. With the ever-increasing use of cloud-based networks, this can be vital in dealing with cloud-based shadow IT. 
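
As an added illustration of the discovery step behind the monitoring and CASB points above (this is not code from the original article), the Python below summarises web-proxy traffic to services that are not on an approved list. The log format, the domain names and the `SANCTIONED` list are assumptions made for the example.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: services the IT team has approved (hypothetical domains).
SANCTIONED = {"video.corp.example", "storage.corp.example"}

# Constructed sample in an assumed format: time user method url bytes_uploaded
SAMPLE_LOG = """\
2024-05-01T09:02:11Z alice POST https://video.corp.example/join 2048
2024-05-01T09:05:40Z bob POST https://files.quickshare.example/upload 5242880
2024-05-01T09:07:02Z carol GET https://eu.video.corp.example/room/7 0
2024-05-01T09:11:19Z alice POST https://files.quickshare.example/upload 1048576
2024-05-01T09:12:00Z dave POST https://chat.freemsg.example/api/send 512
this line is truncated
2024-05-01T09:15:33Z bob PUT https://FILES.quickshare.example:443/upload 2097152
"""


def is_sanctioned(host, sanctioned=SANCTIONED):
    """True if host is an approved domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in sanctioned)


def discover(log_text, sanctioned=SANCTIONED):
    """Summarise traffic to unapproved hosts; return (report, skipped_lines)."""
    seen = defaultdict(lambda: {"users": set(), "requests": 0, "uploaded": 0})
    skipped = 0
    for line in log_text.splitlines():
        parts = line.split()
        ok = len(parts) == 5 and parts[4].isdigit()
        host = urlsplit(parts[3]).hostname if ok else None  # lower-cased, no port
        if not host:
            skipped += 1  # malformed line: count it rather than drop it silently
            continue
        if is_sanctioned(host, sanctioned):
            continue
        entry = seen[host]
        entry["users"].add(parts[1])
        entry["requests"] += 1
        entry["uploaded"] += int(parts[4])
    # Largest uploads first: that is where business data is most likely leaving.
    report = sorted(seen.items(), key=lambda kv: kv[1]["uploaded"], reverse=True)
    return report, skipped


if __name__ == "__main__":
    for host, info in discover(SAMPLE_LOG)[0]:
        print(host, info["requests"], info["uploaded"], sorted(info["users"]))
```

The resulting list is a starting point for the approvals process described above: a service that several people already rely on is a candidate for review and approval, not only for blocking.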

Final thoughts

As the use of shadow IT becomes more prominent, the onus is on businesses to do everything they can to minimise the risks it can pose. If your business can put strong processes in place now, it can help to limit the problems of shadow IT in the future.
