Published by Cybersecurity Practice
October 24, 2023
As organisations grow and expand their operations, it’s inevitable that IT needs will similarly increase. But while business is picking up pace and attention focuses on expansion, it’s all too easy to overlook certain fundamental elements of user workflow and accessibility, giving rise to a phenomenon known as ‘shadow IT’ – assets used for business purposes that are unknown to or unmanaged by the IT team.
Shadow IT has traditionally been thought of in terms of physical devices that are still used for legitimate purposes, but that have dropped off or been missed by asset management practices, and so are not subject to policy enforcements that aim to protect against loss of sensitive data or malware infection. In the modern age, however, it’s just as likely that an organisation’s shadow IT assets extend into the cloud. Users who store sensitive organisational data in their own personal cloud accounts, even if no harm is intended, are in effect creating pockets of shadow IT outside the organisation’s control. The greater the amount of shadow IT within an organisation, the more difficult any kind of risk assessment or effective policy enforcement becomes, because the organisation simply doesn’t have complete knowledge of the assets that require protection. This is not an uncommon issue – in fact Gartner’s 2023 ‘Critical Capabilities for Security Service Edge’ report indicates that total cloud usage could be up to ten times higher than many organisations realise.
Unsurprisingly, the most effective way to mitigate shadow IT is by tackling the root cause and preventing its creation in the first place. Generally, organisations will see much greater success tackling the underlying issues, rather than attempting to crack down on shadow IT creation through increasingly restrictive policies or punitive measures directed at the users. After all, it’s rarely the case that shadow IT proliferates out of deliberate ill intent – instead, it usually comes from users struggling to do their jobs within the confines of the organisation’s existing policies and tools. If an organisation’s systems are a struggle to use, either delaying or degrading the end result, then employees will naturally feel tempted to circumvent them in order to make their lives easier and their work more effective.
To avoid this pitfall, a good first step is to ensure that staff within the organisation feel comfortable raising issues in their workflow, and in calling out any limitations that require them to go outside of sanctioned tools and services. Examples might include having insufficient storage space (locally, or on the organisation’s cloud services), restrictive measures around sharing data with third parties, not having an officially designated messaging or video conferencing tool, or even approved tools or services simply not providing required functionality. It may not be possible to instantly remedy all of these problems, but building a culture without blame will encourage users to highlight issues, and thereby help you to maintain a clear picture of the problem areas where shadow IT may arise.
As well as looking for specific problem areas within the organisation, a broad review of how users are expected to work, followed by measures being put in place to reduce friction and frustration, will decrease the production of shadow IT. Restrictive lockdowns on organisational IT should be avoided wherever possible – stopping users from collaborating with external individuals using cloud storage, or not having sanctioned messaging services, may seem like security-minded policies, but if the end result has users circumventing the restrictions, then they’re likely doing more harm than good. If employees require access to services outside of what is normally available, there should be a process already in place to grant this in a fast, but controlled, manner. Similarly, if unsanctioned services are frequently required, or solve an existing issue in user workflow, processes should exist to bring them under organisational control.
Physical, unmanaged devices are a somewhat simpler proposition, but often arise from the same environment – attempting to solve a problem that the organisation has left unaddressed. These can include IoT or smart devices that have been introduced without proper vetting or approval, personal devices that employees have connected to critical organisational networks, or misconfigured equipment that provides vital functionality. Any device that is introduced without being configured by the organisation will likely not meet required security standards, and thereby pose a threat to the network and organisational resources. Working with deep visibility tools, network administrators can create a real-time inventory of all devices connected to the network, allowing for the identification and quarantining of these unmanaged devices, but again the underlying issues must be addressed if recurrence is to be avoided.
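The inventory-and-quarantine step described above comes down to one reconciliation: everything currently seen on the network is matched against the managed asset register, and anything that does not match is flagged. The Python below is an added illustration of that core logic, not code from the original post or from ITGL. The managed inventory and the observed-device records are constructed sample data, and the field names (`mac`, `ip`, `vlan`, `hostname`, `asset_id`, `vlans`) are assumptions standing in for whatever a real CMDB export and DHCP or ARP dump would provide. It also reports managed assets that were never observed, since a stale register is itself a visibility gap.

```python
"""Reconcile observed network devices against a managed asset inventory.

Added example (not from the original post). All records below are
constructed sample data; field names are assumptions.
"""
from dataclasses import dataclass
import re

_HEX12 = re.compile(r"^[0-9a-f]{12}$")

# Constructed managed inventory: MAC -> asset record with the VLANs it may appear on.
MANAGED_INVENTORY = {
    "00:1a:2b:3c:4d:5e": {"asset_id": "LT-0001", "owner": "finance", "vlans": {10}},
    "00:1a:2b:3c:4d:5f": {"asset_id": "LT-0002", "owner": "finance", "vlans": {10, 20}},
    "D8-3A-DD-00-00-01": {"asset_id": "PR-0100", "owner": "facilities", "vlans": {30}},
    "00:1a:2b:3c:4d:60": {"asset_id": "LT-0003", "owner": "finance", "vlans": {10}},
}

# Constructed observations, as a DHCP lease table or switch ARP export might give them.
OBSERVED = [
    {"mac": "00-1A-2B-3C-4D-5E", "ip": "10.0.10.21", "vlan": 10, "hostname": "fin-lt-01"},
    {"mac": "00:1a:2b:3c:4d:5f", "ip": "10.0.30.7", "vlan": 30, "hostname": "fin-lt-02"},
    {"mac": "D8:3A:DD:00:00:01", "ip": "10.0.30.50", "vlan": 30, "hostname": "printer-3f"},
    {"mac": "02:00:00:aa:bb:cc", "ip": "10.0.10.99", "vlan": 10, "hostname": "mediabox"},
    {"mac": "not-a-mac", "ip": "10.0.10.100", "vlan": 10, "hostname": ""},
]


def normalise_mac(raw):
    """Return a canonical 'aa:bb:cc:dd:ee:ff' form, or None if unparseable.

    Inventory exports and DHCP/ARP dumps rarely agree on separators or case,
    so matching on the raw string would silently miss managed devices.
    """
    digits = re.sub(r"[^0-9a-fA-F]", "", raw or "").lower()
    if not _HEX12.match(digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass(frozen=True)
class Finding:
    mac: str
    ip: str
    hostname: str
    status: str   # managed | unmanaged | segment-mismatch | invalid-mac
    action: str   # allow | quarantine | review
    detail: str


def reconcile(observed, inventory):
    """Classify every observed device against the managed inventory."""
    inv = {normalise_mac(k): v for k, v in inventory.items()}
    findings = []
    for obs in observed:
        host = obs.get("hostname", "")
        mac = normalise_mac(obs.get("mac"))
        if mac is None:
            # Bad data is a visibility problem too: surface it rather than drop it.
            findings.append(Finding(obs.get("mac") or "", obs["ip"], host, "invalid-mac",
                                    "review", "MAC could not be parsed; check the export"))
            continue
        asset = inv.get(mac)
        if asset is None:
            findings.append(Finding(mac, obs["ip"], host, "unmanaged",
                                    "quarantine", "not present in managed inventory"))
        elif obs["vlan"] not in asset["vlans"]:
            # Known device in an unexpected segment: likely a policy or cabling issue, not rogue kit.
            findings.append(Finding(mac, obs["ip"], host, "segment-mismatch", "review",
                                    f"{asset['asset_id']} seen on VLAN {obs['vlan']}, "
                                    f"allowed {sorted(asset['vlans'])}"))
        else:
            findings.append(Finding(mac, obs["ip"], host, "managed", "allow", asset["asset_id"]))
    return findings


def quarantine_list(findings):
    """IPs to hand to the NAC or firewall for isolation."""
    return sorted(f.ip for f in findings if f.action == "quarantine")


def missing_from_network(observed, inventory):
    """Managed assets never observed: offline devices or stale inventory entries."""
    seen = {normalise_mac(o.get("mac")) for o in observed}
    return sorted(a["asset_id"] for mac, a in inventory.items()
                  if normalise_mac(mac) not in seen)


if __name__ == "__main__":
    results = reconcile(OBSERVED, MANAGED_INVENTORY)
    for f in results:
        print(f"{f.status:17} {f.action:10} {f.mac:17} {f.ip:13} {f.hostname:12} {f.detail}")
    print("quarantine:", quarantine_list(results))
    print("not seen:  ", missing_from_network(OBSERVED, MANAGED_INVENTORY))
```

Run on the sample data, the two finance laptops and the printer resolve to their asset records, the laptop on VLAN 30 is held for review rather than isolated, the unregistered `mediabox` is the only quarantine candidate, the malformed record is surfaced instead of discarded, and `LT-0003` is reported as never seen. In a real deployment the observation list would be refreshed continuously from the switch, DHCP or NAC feed, which is what turns this one-off check into the real-time inventory the post describes.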
The advent of home working has introduced a whole new set of complexities to the shadow IT conundrum. Without the right tools and oversight, administrators can be left without any visibility into the services and applications remote workers are accessing. Ideally, organisations should already have strong BYOD (Bring Your Own Device) policies in place, which not only regulate the use of personal devices, but also ensure that corporate data and resources on these devices remain secure. Of course, it’s also essential to educate remote workers about the risks of using unsanctioned tools and the importance of adhering to company policies. The provision of organisational hardware to users, meanwhile, means that pre-installed solutions can be used to grant comparable visibility, even when users are not directly connected to the organisation’s networks.
If you need help bringing together a complete picture of your organisation’s assets, and guidance on how to bring your shadow IT under control, we would love to talk further. You can get in touch at email@example.com to discuss your current situation, and how ITGL can help you achieve deep visibility into your organisation’s assets and services.