What Is Shadow IT? What A Business Doesn’t Know Can Hurt It

March 10, 2020 at 9:15 AM / by Juan Fernandez - VP of Managed IT Services

In a world relying more heavily than ever on digital technology, keeping track of everything that happens in an office is getting trickier. New devices, services, and solutions are introduced daily that enable employees to work efficiently. However, the boom of digital tools in the office has given rise to a new phenomenon: shadow IT. Any office that empowers its employees with digital technology has it.

Many companies are gaining awareness of this prevalent security risk, but what is this seemingly ominous issue? In a nutshell: it’s an opportunity. Learn what shadow IT is, the risks it poses to a business’s security strategy, and how to address it in a way that makes employees happy, productive, and safe.

Illuminating a Common Office Problem: Shadow IT

According to Cisco, shadow IT is the use of IT-related hardware or software (a.k.a. digital tools) without the knowledge or permission of the IT department. That may include existing technology being used by individuals who don’t officially have permission to use it or the introduction of new technology that the company security policy doesn’t cover.

Any company that relies on digital technology to operate most likely has shadow IT. Some examples include:

  • Dan signs up for a cloud service online using his work email to transfer documents safely to clients.
  • Charlotte buys her own desktop printer to use in her office, so she doesn’t have to go down the hall to the print room.
  • Michael creates a subdomain of the company’s site with a landing page for his marketing campaign. The project folds, but the subdomain is never deleted.
  • Lisa downloads an app on a company phone to quickly and efficiently track her leads.

Shadow IT Indicates Unmet Employee Needs

Shadow IT is seldom malicious. Instead, it’s usually the result of employees looking for quick solutions to help them do their jobs.

When shadow IT appears, it indicates that the current technological infrastructure is insufficient, or the process to acquire the right tools for work is unclear or too complicated. Employees need tools, but either those tools aren’t being offered or the correct way to get them hasn’t been communicated.

In many ways, shadow IT is a sign of a motivated, empowered workforce. It’s also an opportunity to understand employee tasks from the employee’s perspective by analyzing what they’re choosing to use and why.

How Shadow IT Is a Security Risk

Although it represents an opportunity to better understand employees, shadow IT is a potentially severe cybersecurity threat for a company. The risks of shadow IT include:

  • Shadow assets may be insecure: Michael’s subdomain may have a security vulnerability that allows a hacker to access the rest of the site.
  • Data goes uncontrolled: Charlotte’s printer doesn’t have the print tracking software installed on it, so it’s impossible to see what she’s printing, when, and why.
  • Services may be non-compliant: Dan may have inadvertently chosen a cloud service that’s inappropriate for the type of data he’s transmitting or jeopardizes network compliance.
  • Hardware or software may not be clean: App stores are often rife with malware, and Lisa may have introduced a keylogger onto her company-issued phone.

These are potentially serious issues that aren’t always considered by the individuals deploying these tools. Their primary focus is to find a useful tool as quickly as possible. However, these instances can create otherwise avoidable security vulnerabilities that put a company and its data at risk.

How to Address Shadow IT and Mitigate Its Risks

Shadow IT is difficult to identify due to its out-of-sight nature and often impromptu creation. However, to ensure that a company is truly secure, shadow IT elements must be identified and brought under the purview of the IT department or eliminated. Here are a few tips:

1. Don’t Punish Employees – Survey Them Instead

It’s counterproductive to punish employees for using shadow IT, even if the company has a policy against unauthorized hardware or software. Understand that shadow IT is the result of employees trying to do their job. Therefore, take an inventory of any hardware, software, or other tools that they may be using.

2. Assess Each Tool, Then Integrate or Eliminate It

Often, the tools that employees are using independently are useful, effective options. If that’s the case, consider implementing the tool across the organization so that other employees can also use it. In other cases, the tool may be dangerous, outdated, or noncompliant. These options should be eliminated and replaced with a suitable equivalent.

3. Use a Whitelist and Provide Clear Procedures For Authorizing a Tool

Whitelisting is the use of only devices or applications that have been explicitly approved for use – everything else is banned. To prevent shadow IT from reappearing, use a whitelist model and improve the process employees must use to get a new tool authorized. A managed network services provider can help in this regard.
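
One way to carry out steps 1 to 3 with data the IT department already collects, shown as an added example that is not part of the original article: the script builds an inventory of unapproved services from proxy log lines, checks each host against a whitelist, and ranks what remains by how many employees use it, which informs the integrate-or-eliminate decision. The log format, user names, and domains are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: approved services (the whitelist) and proxy log
# lines in a hypothetical "timestamp user host bytes_out" format.
APPROVED = {"sharepoint.example.com", "approved-crm.example"}
SAMPLE_LOG = """\
2020-03-02T09:14:07 dan upload.filedrop.example 48211
2020-03-02T09:20:41 lisa api.leadtracker.example 1290
2020-03-02T10:02:13 dan upload.filedrop.example 912004
2020-03-03T11:45:00 charlotte sharepoint.example.com 20480
2020-03-03T12:01:09 michael eu.approved-crm.example 733
2020-03-04T08:30:55 lisa upload.filedrop.example 5120
2020-03-04T08:31:02 lisa notapproved-crm.example 64
malformed line
"""

def is_approved(host, approved=APPROVED):
    """True if host is an approved domain or a subdomain of one.

    Matching on label boundaries keeps 'notapproved-crm.example' from
    passing just because it ends with 'approved-crm.example'.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in approved)

def unapproved_usage(log_text, approved=APPROVED):
    """Return {host: {"users": set, "bytes_out": int}} for unapproved hosts."""
    found = defaultdict(lambda: {"users": set(), "bytes_out": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # skip lines that do not fit the assumed format
        _, user, host, sent = parts
        if not is_approved(host, approved):
            found[host.lower()]["users"].add(user)
            found[host.lower()]["bytes_out"] += int(sent)
    return dict(found)

def review_queue(log_text, approved=APPROVED):
    """Unapproved hosts, most widely used first (ties broken by bytes sent)."""
    usage = unapproved_usage(log_text, approved)
    return sorted(usage, key=lambda h: (-len(usage[h]["users"]),
                                        -usage[h]["bytes_out"]))

if __name__ == "__main__":
    usage = unapproved_usage(SAMPLE_LOG)
    for host in review_queue(SAMPLE_LOG):
        print(host, sorted(usage[host]["users"]), usage[host]["bytes_out"])
```

A service that several employees reach independently is a strong candidate for formal adoption; a lookalike host that only resembles an approved name belongs at the front of the security review.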

ImageNet Helps Companies Identify and Manage Shadow IT

Although shadow IT is rarely malicious, it represents a severe security risk for any business. Almost always, it represents the unmet technological needs of employees. Identifying and analyzing it can help companies create a more productive and secure environment for all.

ImageNet helps companies identify and manage their shadow IT. Get started now with a safer, more productive office environment.


Written by Juan Fernandez - VP of Managed IT Services

Juan Fernandez is the VP of Managed IT Services for Imagenet Consulting. He has been in the IT industry for over 22 years. Over the last 22+ years, he has worked for several companies, such as San Juan College, Honeywell International, and Sandia Labs. With proficiencies in HIPAA and PCI compliance, he has focused on small business, government, education, healthcare, and financial industries. Juan believes in best-of-breed technologies, education, and certifications and was recently selected to assist in writing the CompTIA A+ and Security+ tests and was also invited to participate in validating the CASP (CompTIA Advanced Security Practitioner). Juan was also selected to join the CompTIA Subject Matter Expert Technical Advisory board. He is dedicated to improving service delivery through embracing effective and efficient use of technology, creating effective business models for delivering new IT-based services such as SaaS, DRaaS, and HaaS. Juan is active in technology collaborations related to strategy, computer infrastructure, and cybersecurity. He has served as a leader to many organizations and is an experienced presenter at technology seminars and conferences. Juan holds a BS degree in computer science from Western Governors University and the following certifications: Microsoft Certified Systems Engineer, Cisco Certified Network Administrator, Network+, Security+, A+, and Certified Internet Web Professional.
