  • Shadow IT – the hidden threat at the heart…

    By Vincent Naughton on March 21, 2017



      Shadow IT, a term that refers to the implementation and utilisation of IT solutions and platforms without explicit organisational authorisation, is the hidden threat at the heart of many Irish organisations. While the impact of shadow IT was initially limited, the growth of cloud services and mobile working has prompted many employees to adopt services that enhance their ability to work on-the-go without first seeking approval from the IT department. As a result, IT departments don’t have the oversight that they once did. Over the course of our next two blogs we’ll take a look at the concept of shadow IT, how and why it comes about and what you can do to prevent it.

      By 2020, a third of attacks on enterprises will be directed at their shadow IT resources

      Once a relatively obscure concept, shadow IT is a term that has gained widespread prominence due to the potential financial and reputational damage posed to organisations by increasingly sophisticated cyber security threats.
      The term refers to software that is rolled out without the authorisation of the IT department and therefore exists on an organisation’s network without the knowledge of the teams responsible for maintaining the security and integrity of the network. For this reason, shadow IT can leave sizeable vulnerabilities in a company’s information security strategy, leaving them open to attack. A recent report from Gartner found that by 2020, a third of successful attacks experienced by enterprises will be on their shadow IT resources.
      Shadow IT traditionally stemmed from workers rolling out new programs within the network to fill perceived gaps in their existing software suite. This highlights that shadow IT rarely arises through malicious intent, but through employees trying to be proactive. Many organisations have now put better controls in place, restricting the ability to install new programs on the network to system administrators.

      Whether or not your business is in the cloud, chances are your employees are
      However, with the proliferation of cloud services, the challenge of combatting shadow IT has expanded outside the network. Users can access cloud apps without installing any programs on the network and as a result, the utilisation of these services will often go undetected. The only sign that anything unusual is going on is a higher rate of traffic coming through the company firewall.
      The key thing to bear in mind is that the majority of employees using unauthorised applications and services are not doing so with the intent of hurting your organisation, but rather to be able to do their jobs as effectively and efficiently as possible.
      For example, a user that finds themselves unable to send a particular file type via email might try to be proactive and utilise a file sharing application which can be used through the browser and without downloading any files that might cause the IT department to become suspicious. The danger of such an action is that the IT department has no oversight of what information is leaving (or entering) the organisation. As the majority of these services are browser-based, the firewall will not be able to automatically restrict the access to specific cloud services, or prevent data being transferred to/from those services, unless your IT team has specifically added rules to block those cloud applications. The challenge to IT is that new cloud services are becoming available at such a rate that it’s impossible for them to always know which traffic to block, and to which IPs. As a result, malicious code could quite easily penetrate your network, or sensitive information could be leaving your network to be stored in services unknown and unmanaged by your organisation.
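
      As an added example (not part of the original article), the Python below shows one way to regain some of that oversight from outbound web-proxy records: it totals the bytes each user sends to destinations that are not on an approved list. The log format, the approved-service list and every hostname are constructed assumptions.

```python
from collections import defaultdict

# Constructed for illustration: cloud services approved by IT.
SANCTIONED = {"suite.example", "crm.example"}

# Constructed web-proxy log: timestamp user method host:port bytes_out bytes_in
SAMPLE_LOG = """\
2017-03-21T09:01:12Z alice CONNECT mail.suite.example:443 18230 90412
2017-03-21T09:03:40Z bob CONNECT upload.fileshare.example:443 52428800 2048
2017-03-21T09:04:02Z bob CONNECT upload.fileshare.example:443 31457280 1024
2017-03-21T09:10:55Z carol CONNECT app.crm.example:443 4096 120000
2017-03-21T09:12:19Z carol CONNECT notes.sync.example:443 900 15000
malformed line that a parser should skip
2017-03-21T09:20:00Z dave CONNECT not-suite.example:443 2000000 500
"""


def is_sanctioned(host, sanctioned):
    """True if host is an approved domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    # Match on a label boundary so "not-suite.example" is not treated
    # as part of "suite.example".
    return any(host == d or host.endswith("." + d) for d in sanctioned)


def unsanctioned_uploads(log_text, sanctioned, min_bytes_out=1_000_000):
    """Total bytes sent per (user, host) to unapproved hosts, largest first."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6 or not fields[4].isdigit():
            continue  # skip malformed records rather than crash
        _, user, _, dest, bytes_out, _ = fields
        host = dest.rsplit(":", 1)[0]  # drop the port
        if not is_sanctioned(host, sanctioned):
            totals[(user, host)] += int(bytes_out)
    flagged = [(u, h, n) for (u, h), n in totals.items() if n >= min_bytes_out]
    return sorted(flagged, key=lambda row: row[2], reverse=True)


if __name__ == "__main__":
    for user, host, sent in unsanctioned_uploads(SAMPLE_LOG, SANCTIONED):
        print(f"{user:6} {host:28} {sent / 1_048_576:8.1f} MiB sent")
```

      Reviewing the flagged destinations with the users concerned also shows which services employees actually need, which can feed the approved list.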
      Another consequence of shadow IT is that it can render your compliance work void. If, for example, you carry out a programme of work to achieve ISO 27001 compliance and then employees utilise cloud services without explicit approval, your organisation will no longer be compliant with the standard.
      The examples above highlight the importance of educating your employees about the risks of shadow IT. The crucial point to remember is that shadow IT frequently stems from a genuine need for services or applications that your employees don’t currently have access to.

      If you would like to speak to our subject matter experts for further advice, call us: 1800 718 850 or e-mail: info@ward.ie.
