
What Is Shadow IT? What A Business Doesn’t Know Can Hurt It

March 10, 2020 at 9:15 AM / by Juan Fernandez - VP of Managed IT Services

In a world relying more heavily than ever on digital technology, keeping track of everything that happens in an office is getting trickier. New devices, services, and solutions are introduced daily that enable employees to work efficiently. However, the boom of digital tools in the office has given rise to a new phenomenon: shadow IT. Any office that empowers its employees with digital technology has it.

Many companies are gaining awareness of this prevalent security risk, but what is this seemingly ominous issue? In a nutshell: it’s an opportunity. Learn what shadow IT is, the risks it poses to a business’s security strategy, and how to address it in a way that makes employees happy, productive, and safe.

Illuminating a Common Office Problem: Shadow IT

According to Cisco, shadow IT is the use of IT-related hardware or software (a.k.a. digital tools) without the knowledge or permission of the IT department. That may include existing technology being used by individuals who don’t officially have permission to use it or the introduction of new technology that the company security policy doesn’t cover.

Any company that relies on digital technology to operate most likely has shadow IT. Some examples include:

  • Dan signs up for a cloud service online using his work email to transfer documents safely to clients.
  • Charlotte buys her own desktop printer to use in her office, so she doesn’t have to go down the hall to the print room.
  • Michael creates a subdomain of the company’s site with a landing page for his marketing campaign. The project folds, but the subdomain is never deleted.
  • Lisa downloads an app on a company phone to quickly and efficiently track her leads.

Shadow IT Indicates Unmet Employee Needs

Shadow IT is seldom malicious. Instead, it’s usually the result of employees looking for quick solutions to help them do their jobs.

When shadow IT appears, it indicates that the current technological infrastructure is insufficient, or the process to acquire the right tools for work is unclear or too complicated. Employees need tools, but either those tools aren’t being offered or the correct way to get them hasn’t been communicated.

In many ways, shadow IT is a sign of a motivated, empowered workforce. It’s also an opportunity to understand employee tasks from the employee’s perspective by analyzing what they’re choosing to use and why.

How Shadow IT Is a Security Risk

Although it represents an opportunity to better understand employees, shadow IT is a potentially severe cybersecurity threat for a company. The risks of shadow IT include:

  • Shadow assets may be insecure: Michael’s subdomain may have a security vulnerability that allows a hacker to access the rest of the site.
  • Data goes uncontrolled: Charlotte’s printer doesn’t have the print tracking software installed on it, so it’s impossible to see what she’s printing, when, and why.
  • Services may be non-compliant: Dan may have inadvertently chosen a cloud service that’s inappropriate for the type of data he’s transmitting or jeopardizes network compliance.
  • Hardware or software may not be clean: App stores are often rife with malware, and Lisa may have introduced a keylogger onto her company-issued phone.

These are potentially serious issues that aren’t always considered by the individuals deploying shadow IT. Their primary focus is to find a useful tool as quickly as possible. However, these instances can create otherwise avoidable security vulnerabilities that put a company and its data at risk.

How to Address Shadow IT and Mitigate Its Risks

Shadow IT is difficult to identify due to its out-of-sight nature and often impromptu creation. However, to ensure that a company is truly secure, shadow IT elements must be identified and brought under the purview of the IT department or eliminated. Here are a few tips:

1. Don’t Punish Employees – Survey Them Instead

It’s counterproductive to punish employees for using shadow IT, even if the company has a policy against unauthorized hardware or software. Understand that shadow IT is the result of employees trying to do their job. Therefore, take an inventory of any hardware, software, or other tools that they may be using.

2. Assess Each Tool, Then Integrate or Eliminate It

Often, the tools that employees are using independently are useful, effective options. If that’s the case, consider implementing the tool across the organization so that other employees can also use it. In other cases, the tool may be dangerous, outdated, or noncompliant. These options should be eliminated and replaced with a suitable equivalent.

3. Use a Whitelist and Provide Clear Procedures For Authorizing a Tool

Whitelisting is the use of only devices or applications that have been explicitly approved for use – everything else is banned. To prevent shadow IT from reappearing, use a whitelist model and improve the process employees must use to get a new tool authorized. A managed network services provider can help in this regard.
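As an added illustration of steps 1 through 3 (not code from ImageNet or the original post), the sketch below checks a survey inventory against a default-deny whitelist and ranks the unapproved tools by how many employees rely on them, so the most-used ones are assessed first. The tool names, departments, and inventory rows are constructed sample data, and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed whitelist: normalized tool name -> departments approved to use it
# ("*" means approved company-wide). Anything not listed is denied by default.
ALLOWLIST = {
    "securefileshare": {"*"},
    "leadtracker pro": {"sales"},
}

# Constructed survey results: (employee, department, tool as the employee wrote it).
INVENTORY = [
    ("dan", "accounts", "QuickSend Cloud"),
    ("lisa", "sales", "LeadTracker Pro "),
    ("charlotte", "hr", "Desktop Printer X1"),
    ("michael", "marketing", "leadtracker pro"),
    ("priya", "accounts", "quicksend cloud"),
    ("omar", "hr", "SecureFileShare"),
]

def normalize(name):
    """Collapse case and whitespace so free-text survey answers match list entries."""
    return " ".join(name.lower().split())

def is_allowed(tool, department, allowlist=ALLOWLIST):
    """Default deny: allowed only if listed for this department or for everyone."""
    scopes = allowlist.get(normalize(tool), set())
    return "*" in scopes or department in scopes

def triage(inventory, allowlist=ALLOWLIST):
    """Return unapproved tools with the people using them, most-used first."""
    users = defaultdict(set)
    for employee, department, tool in inventory:
        if not is_allowed(tool, department, allowlist):
            users[normalize(tool)].add((employee, department))
    return sorted(
        ((tool, sorted(who)) for tool, who in users.items()),
        key=lambda item: (-len(item[1]), item[0]),
    )

if __name__ == "__main__":
    for tool, who in triage(INVENTORY):
        print(f"{tool}: {len(who)} user(s) -> assess, then integrate or eliminate")
        for employee, department in who:
            print(f"    {employee} ({department})")
```

Note that an approved tool used outside its approved department (the marketing use of the sales-only tracker here) is reported the same way as a tool that is not listed at all.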

ImageNet Helps Companies Identify and Manage Shadow IT

Although shadow IT is rarely malicious, it represents a severe security risk for any business. Almost always, it represents the unmet technological needs of employees. Identifying and analyzing it can help companies create a more productive and secure environment for all.

ImageNet helps companies identify and manage their shadow IT. Get started now with a safer, more productive office environment.


Written by Juan Fernandez - VP of Managed IT Services

Juan Fernandez’s 26-year career in the IT industry is a testament to his investment in improving business outcomes with technology and developing the IT industry. His entire career is dedicated to improving service delivery by embracing effective and efficient use of technology through a vision of technology, security, and compliance for small business, government, education, healthcare, and financial industries. Mr. Fernandez has created effective business models for delivering IT-based services such as DaaS, SaaS, DRaaS, HaaS, XaaS, and promoting online development opportunities to increase individual self-service capabilities and leading strategic initiatives to effectively transform technology to be simple, flexible, adaptable, and responsive to the customer needs. He has focused his career on educating customers and companies on his Making “IT” Simple approach. Mr. Fernandez was recognized at HP’s Global Partner Event in 2019 as HP DaaS Innovator of the Year, alongside ImageNet’s HP Partner of the Year award for 2019. Juan and the ImageNet team won Continuum’s 2019 “Growth Partner of the Year” and “Hyper Growth Partner” for 201% growth in 12 months. Mr. Fernandez is part of the select group who writes the CompTIA A+, Network +, Security + Tests, and sits on the CompTIA Subject Matter Expert Technical Advisory board and the CompTIA Channel Advisor board. He was elected Vice-Chair in 2020. He was the winner of the 2018 Continuum MSP Shark Tank for best security and services presentation, which set the stage for an all-inclusive Security and Device-as-a-Service model, establishing the framework for channel and MSP models. Juan sits on the Forbes Magazine Technology Council, Konica Minolta Global IT Services Council, Unitrends Partner Advisory board, HP DaaS Advisory Committee for Device-as-a-Service, WatchGuard Advisory Board, serves as a Channel Futures MSP Mentor and works with many other channel companies to develop the future of technology and XaaS models.
