Shadow IT refers to the set of technology (IT) apps, tools, devices, and services used within a company without the approval of the IT department. Shadow IT resources are commonly used to facilitate communication, storage, or management of company information.
Shadow IT used to be simple tricks in past years, such as Excel macros to facilitate routine tasks. But with the advent of cloud services, innovative apps, and the rise of bring your own device (BYOD) policies, today shadow IT can accomplish a vast number of tasks— and bring an equally large number of risks to the enterprise. So organizations need to consider how shadow IT tools affect their overall infrastructure.
Employees typically use shadow IT tools to improve productivity or communication at work. Sometimes the tools are adopted without thinking of cybersecurity concerns and data security rules. Other times, employees are deliberately avoiding seemingly unnecessary regulations and bureaucracy.
There are some benefits of shadow IT solutions, such as easing the workload of IT departments or reducing deployment time of tools that can facilitate or optimize work. Still, the risks must be taken into account when developing a shadow IT policy.
Examples of Shadow IT
Shadow IT applications and devices have various purposes and capabilities and can be dispersed throughout an organization, making them difficult to identify within an IT infrastructure. Certain types of shadow IT, however, pose specific concerns, and IT teams should take this into account in the pursuit of minimizing security risks.
Physical Devices
Shadow IT physical devices are directly related to BYOD policies and the use of personal devices within the organization’s network. This kind of shadow IT includes the storage of company data on personal smartphones or removable drives.
This shadow IT solution can bring various data and cybersecurity risks if personal devices don’t follow the same security protocol as company devices maintained by the IT department. An infected personal device could initiate a sensitive data breach, or data loss could result from theft or misplacement of a personal device with company information.
Productivity Tools
One of the most-used shadow IT resources is productivity software. Tools such as Google Docs or other SaaS applications are examples that aren’t intrinsically harmful to the organization, but sometimes demonstrate a lack of sanctioned IT solutions or a lack of knowledge in their use.
Communication Apps
Unsanctioned messaging apps are another example of shadow IT solutions that are not necessarily harmful to the organization. Tools such as Skype, Whatsapp, Slack, and Zoom are common alternatives to the communication tools selected by the IT department.
Remember, however, that even if the platform is secure, there is still a risk of data leaks from accidental misuse.
Storage Services
Cloud storage services (like Google Drive, Microsoft OneDrive, or Dropbox) are another common shadow IT solution due to the convenience they present. The continuous access and file-sharing capabilities are appealing to users. That said, these solutions are also risky, especially for handling sensitive information under regulations such as GDPR or HIPAA.
Collaboration Tools
Tools like Asana, Trello, or ClickUp are helpful for managing projects and organizing work teams around compound tasks. If an IT department doesn’t support a tool for workgroup collaboration tools, it’s very likely employees will make use of unsanctioned software to do so.
The Risks of Using Shadow IT
Even though shadow IT solutions aren’t malicious by themselves, they can still threaten the IT security of a business. Therefore, data and cybersecurity risk management teams must consider the various risks associated with the use of shadow IT and the information security controls necessary to mitigate them.
Shadow IT solutions can bring security gaps since there is no evaluation process to assure the integrity and maintenance of these tools. IT teams don’t know whether vulnerabilities exist on the tools, and are unable to enforce automated updates and patches for those systems. As a result, the IT department loses visibility to internal cybersecurity threats.
Shadow IT resources also generate compliance and regulatory risks, since sensitive information could be mishandled with shadow IT applications. Moreover, compliance with standards such as ISO/IEC 20000 can be jeopardized via unknown and undocumented software. This situation can result in losing your certification or regulatory penalties and fines.
There are also operational risks in the use of shadow IT. It is wasteful to store and use data across several infrastructure sites. IT teams cannot plan for capacity, system design, security, and effectiveness across data in shadow IT apps if they are unaware of the data flows.
Mitigation Steps
To mitigate the risks of shadow IT resources, IT teams first need to know that the shadow assets exist. Software management tools can help identify the use of shadow IT solutions; it’s also essential to conduct IT security audits to assess the effectiveness of current systems and technology tools.
A fundamental part of any risk mitigation process is cybersecurity training and education. Periodic training that explains the risks related to third-party applications and other unsanctioned solutions can substantially reduce their use, and facilitate the identification of these resources within the organization.
Not all shadow IT technologies are equally risky. Some may be developed based on compliance standards similar to those applied by the company, so a continuous risk assessment of different solutions can minimize the resources invested in mitigating risks.
Meanwhile, the use of shadow IT solutions exposes an operational need: clearly your corporate IT isn’t enough for employees, because they’re using outside tools as well. Chief information officers (CIOs) should implement communication channels and lead the approval processes for new technologies to assure that the company provides the IT resources that employees need.
Improve Your Cybersecurity with ZenGRC
Many technologies exist to improve communication, collaboration, and productivity. It’s imperative to monitor the risks and data security concerns that come along with all of these tools. Security audits can be complex when several departments within an organization seek to apply their policies.
ZenGRC streamlines the IT audit process and workflows, starting with its vulnerability assessment module. The risk assessment modules provided by ZenGRC also offer insight into the vendor and corporate risk management processes.
Security teams can use ZenGRC to identify possible insider risks and respond quickly to them. The risk management templates from ZenGRC empower your business by offering a road map for assessing risk and mitigation.
ZenGRC’s compliance, risk, and workflow management software is an intuitive, simple-to-use platform that not only maintains a proper record of your processes but also allows you to identify areas of high risk before they become a genuine issue.
Contact us today to schedule your free ZenGRC demo.
Why sign up for the Risk Insiders newsletter?
To stay in the know! Get new blogs, resources, CPE opportunities, industry research & more — direct to your inbox.
