
Shadow IT: What Is It and How to Mitigate the Associated Risks?


Hey there! Shadow IT is a hot topic for many IT teams today. As an IT professional with over 15 years of experience, I've seen firsthand how unauthorized tools and apps can expose organizations to cyber risks. But I've also learned that taking a flexible and collaborative approach is key to empowering business innovation securely.

In this comprehensive guide, we'll dig deep into all aspects of shadow IT, including:

  • How employees end up using unsanctioned apps
  • Tangible risks that can result
  • Tactics to detect shadow IT across your environment
  • Practical mitigation strategies to implement
  • Fostering innovation through sanctioned solutions

Let's get started!

Defining Shadow IT

Shadow IT refers to any hardware, software, app, tool or service used at an organization without formal approval from IT. It is "shadow" because it flies under the radar of IT's visibility.

According to research by Deloitte, shadow IT makes up 30-40% of IT spending at large enterprises. It is often acquired by business units directly through SaaS apps, downloads, third-party vendors or built internally.

Common examples I've seen include:

  • Collaboration: Slack, Dropbox, Google Drive
  • Marketing: MailChimp, Hootsuite
  • CRM: Salesforce, Zoho
  • Productivity: Evernote, Trello
  • Chat: WhatsApp, Facebook Messenger
  • Cloud storage: Box, OneDrive

The business reasons for adopting shadow IT vary:

Work Around Inefficient IT Systems

Lengthy procurement processes, legacy enterprise tools or internal bureaucracy push employees to implement their own solutions.

Improve Productivity

Consumer-grade apps often offer a better user experience than sanctioned tools, so adoption is driven by the productivity gains employees see.

Lack of Visibility into Options

Business units are unaware of IT-provided tools, so they look externally to fill capability gaps.

Bring Your Own App Culture

Some organizations implicitly allow shadow IT by permitting BYOA or cloud usage without governance.

Provide Critical Capabilities

In some cases, shadow IT solutions provide functionality that approved systems distinctly lack.

Collaboration Across Company Boundaries

External partners or remote employees leverage unsanctioned apps to connect and collaborate.

The takeaway is that shadow IT isn't always a malicious attempt to circumvent IT. In many cases, it stems from employees creatively solving real problems. But despite any benefits, substantial risks still exist.

Potential Risks and Implications

Based on my professional experience, here are some of the most significant potential risks organizations face from shadow IT activities:

Loss of Visibility and Control

When IT lacks insight into shadow usage, they cannot manage security, compliance or costs. It also becomes difficult to integrate tools properly or provide adequate support.

Increased Cybersecurity Vulnerabilities

Because shadow apps bypass the approval process, weaknesses such as weak authentication, improper encryption or missing data backups often go unnoticed. This substantially raises the risk of a data breach.

Regulatory Non-Compliance

Unauthorized tools frequently do not meet industry compliance requirements for data privacy, retention and security. Resulting fines can reach millions of dollars.

Malware Infections

Without IT vetting, shadow IT heightens the odds of malware infiltration through tainted software, leading to compromised systems and data.

Intellectual Property Loss

Once corporate data is uploaded to unsanctioned apps, control is lost. This could enable IP theft through compromised shadow services.

Business Disruption

If shadow systems experience outages or integration issues, workforce productivity can grind to a halt. Lack of IT support further prolongs disruptions.

Shadow IT Sprawl

Initial shadow adoption encourages further unsanctioned tool usage. Soon requirements balloon across unmanaged platforms, creating massive complexity for IT.

Overwhelmed Help Desk Resources

Troubleshooting shadow apps consumes extra IT help desk time and overwhelms staff who lack expertise on unauthorized technologies.

The potential downsides are significant. But the question is, how can IT teams detect where shadow IT resides?

Uncovering Shadow IT in Your Environment

Exposing shadow IT across the enterprise requires employing multiple identification techniques:

Network Traffic Analysis

Analyzing network activity with a traffic or protocol analyzer can uncover unsanctioned external connections. Unusually large traffic volumes to commercial cloud services, especially outbound uploads, often indicate shadow IT.

Cloud Access Security Brokers

CASB solutions provide visibility into sanctioned and unsanctioned cloud usage across an organization by monitoring network traffic, APIs and endpoints.

User Surveys

Conducting periodic surveys of employees can reveal which systems they use for specific tasks. Any unknown tools require further scrutiny.

Data Loss Prevention

DLP systems detect risky data uploads to unauthorized platforms like unapproved cloud storage services.

SaaS Management Platforms

Consolidated dashboards catalogue approved SaaS apps while also tracking unsanctioned services accessed.

Endpoint Monitoring

Monitoring software on devices can report unrecognized or prohibited applications installed that may present risks.

IT Asset Management

Tools like SCCM can scan environments and build inventories of hardware and software discovered across endpoints and servers.

Access Logs Analysis

Reviewing access logs from firewalls, proxies and cloud access gateways reveals connections to shadow systems.

Expense Report Audits

Analyze expense reports, procurement logs and invoices for suspicious payments indicative of shadow IT procurement.

Combining techniques provides the most complete coverage. I recommend developing a standard discovery process that IT and security teams perform quarterly.
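The network traffic and access log techniques above both come down to the same question: which destinations outside the sanctioned list are receiving meaningful volumes of company data, and from whom? The script below is an added example, not code from the original post. It parses constructed proxy log lines (the format, the hosts and the allowlist are all assumptions, not from any real environment), drops sanctioned destinations, aggregates upload volume and distinct users per external host, and reports only hosts above a volume threshold so that low-volume noise does not swamp the review.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines; the format is a hypothetical key=value
# style, not the output of any particular product.
SAMPLE_LOG = """\
2024-03-04T09:12:01Z user=alice dst=drive.google.com bytes_out=52428800 action=allow
2024-03-04T09:13:45Z user=bob dst=mail.corp.example bytes_out=2048 action=allow
2024-03-04T09:15:10Z user=carol dst=www.dropbox.com bytes_out=104857600 action=allow
2024-03-04T09:20:33Z user=alice dst=www.dropbox.com bytes_out=31457280 action=allow
2024-03-04T09:22:07Z user=dave dst=api.trello.com bytes_out=4096 action=allow
2024-03-04T09:25:59Z user=bob dst=sharepoint.corp.example bytes_out=8388608 action=allow
"""

# Assumed allowlist of IT-sanctioned destinations (hypothetical values).
SANCTIONED = {"mail.corp.example", "sharepoint.corp.example"}

LINE_RE = re.compile(r"user=(?P<user>\S+) dst=(?P<dst>\S+) bytes_out=(?P<bytes>\d+)")


def parse_log(text):
    """Yield (user, destination, bytes_out) tuples; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["user"], m["dst"], int(m["bytes"])


def find_unsanctioned(text, sanctioned, min_bytes=1_000_000):
    """Aggregate upload volume and distinct users per unsanctioned destination.

    Returns hosts whose total upload volume is at least min_bytes,
    largest volume first, so reviewers see the biggest data flows first."""
    totals = defaultdict(int)
    users = defaultdict(set)
    for user, dst, nbytes in parse_log(text):
        if dst in sanctioned:
            continue
        totals[dst] += nbytes
        users[dst].add(user)
    report = [
        {"dst": dst, "bytes_out": totals[dst], "users": sorted(users[dst])}
        for dst in totals if totals[dst] >= min_bytes
    ]
    return sorted(report, key=lambda r: r["bytes_out"], reverse=True)


if __name__ == "__main__":
    for row in find_unsanctioned(SAMPLE_LOG, SANCTIONED):
        print(f"{row['dst']:<24} {row['bytes_out']:>12} bytes  users={','.join(row['users'])}")
```

Lowering min_bytes surfaces low-volume destinations such as the Trello API call in the sample, which is still unsanctioned even though it moves little data; the threshold is a triage knob, not a verdict.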

Now that we have covered detection strategies, what about risk mitigation best practices?

Mitigating Security Risks from Shadow IT

Based on my experience, here are the most impactful steps organizations can take to reduce shadow IT risks:

Establish a Shadow IT Governance Framework

Document clear policies and procedures covering procurement, acceptable use, data security and IT support. Educate staff on the policies.

Increase IT Purchasing Agility

Streamline and automate IT procurement processes so employees can rapidly access approved technologies that meet business needs.

Improve Help Desk Response Times

Ensure adequate help desk resourcing and training to quickly resolve employee technology issues to discourage circumventing IT.

Implement DLP Safeguards

Data loss prevention controls restrict unauthorized data exfiltration and automatically block uploads to unsanctioned cloud apps.

Increase Cybersecurity Monitoring

Heighten monitoring, alerting and analysis on network traffic, access logs and user activity to rapidly expose shadow IT usage.

Conduct Security Posture Assessments

Run quarterly assessments that check for policy violations and determine the cyber risk level of each identified shadow service.

Increase Sanctioned SaaS Options

Evaluate and approve more enterprise-ready SaaS apps that deliver flexibility while meeting security standards.

Educate Business Leadership on Risks

Ensure executives and managers understand the cybersecurity, compliance and operational risks posed by shadow IT.

Implement Data Classification and Protection

Classify sensitive data and implement contextual access controls and usage monitoring so that control is maintained even if the data is exposed externally.

Block High-Risk Applications

Leverage secure web gateways and network firewalls to prohibit access to unapproved apps that present significant security vulnerabilities.

A balanced approach combining technology controls and process changes offers optimal risk reduction without stifling innovation. But this leads to a key question…

Empowering Innovation While Securing Shadow IT

Based on my experience, the most effective strategy is enabling business-friendly IT rather than combating shadow IT completely:

Cultivate an Open IT Culture

Foster open communication between IT and business teams. Be transparent about issues shadow IT creates, but also be open to new ideas and opportunities to collaborate.

Promote Sanctioned Self-Service Options

Provide approved self-service technologies like low-code/no-code platforms, integration tools, app builders and data preparation tools that enable business-managed innovation under IT oversight.

Simplify Technology Request Processes

Implement streamlined IT ticketing systems, procurement workflows with service catalogs and automated approval routing to accelerate access to authorized technologies.

Pursue Co-Management Models

For approved SaaS apps, implement integrated IT-business application management through platforms like ServiceNow Service Automation.

Right-Size IT Controls

Tailor security controls like DLP, encryption and multi-factor authentication based on data sensitivity levels to balance protection and productivity.

Offer Optional "Buy IT" Services

Provide services to procure, secure and support new technologies identified by business units that hold promise based on IT reviews.

Incorporate Business Needs into Planning

Solicit business unit input when evaluating new IT investments. Ensure selected tools align with business objectives and address gaps.

The goal should be securely enabling innovation – not blocking it.

The Path Forward on Shadow IT

Eliminating shadow IT entirely in today's technology landscape is unrealistic for most enterprises. Employees will continue adopting solutions that improve productivity and collaboration.

The most effective approach is increased transparency coupled with pragmatic IT governance and security controls. Through technologies like CASB, DLP and improved analytics, organizations can gain visibility into shadow usage and risks.

With this insight, IT leaders can implement balanced controls like simplified procurement processes, education programs, and innovative self-service options. By becoming trusted advisors and partners to the business, IT can guide secure adoption of new solutions.

With the right strategies, IT can provide oversight and cyber protection while empowering business-driven innovation through both sanctioned and managed shadow IT pathways. The future lies in this partnership and openness to change.

I hope you found this guide useful! Let me know if you have any other questions as you tackle the shadow IT challenge. We can do this!


Written by Alexis Kestler

A female web designer and programmer. Now a 36-year IT professional with over 15 years of experience living in NorCal. I enjoy keeping my feet wet in the world of technology through reading, working, and researching topics that pique my interest.