Shadow IT (also known as rogue, or stealth IT) is hardware and software that is used within an organization without explicit approval from management.
The guilty parties fuelling the rapid proliferation of Shadow IT are less roguish than you might imagine however and include everyone; from C-suite executives at the pinnacle of an organization, to new interns uploading their first notes on Google Drive.
Downloading cloud services has never been easier, plus more devices than ever are being used to house the extensive pick-a-mix of solutions and tools, including smartphones, tablets, and even smartwatches. What’s worrying for company Chief Information Officers is that many of these devices, used for both personal and business use, are connecting to corporate networks. More painful still is the fact it’s the apps that are designed to increase productivity that are especially vulnerable, reports Cisco. Of the 900 organizations the technology conglomerate surveyed, 27% of the apps being used were classified as ‘high risk’.
- Protect your devices with the best antivirus
- Keep your endpoints safe from growing cyber threats with the best endpoint protection
- Browse the web securely on the go with the best VPN
“Most users don’t realise or expect professional tools to be a target for cyber-criminals, however these apps often demand quite a lot of information and frequently require email accounts to work. This makes them the perfect vector for security breaches,” explains Mark Adams, Chief Customer Officer at cloud enterprise software company, Cloudmore.
Research group Gartner estimates that by next year (2020), one third of successful attacks experienced by enterprises will be on their shadow IT resources.
Up to 71% of employees are using unsanctioned apps
Shadow IT can be very costly, not only because of the increased security risk that it represents, but even in terms of a business’s day-to-day running costs.
According to a 2018 report by Symantec, the average enterprise uses 1,516 cloud apps, which is a staggering 40 times higher than they typically think.
These unapproved applications can gain access to sensitive data, and, in addition to that time-bomb, they are also, often, regularly collecting fees agreed upon by the user.
This creates two serious problems. First, the fees can roll on, even after the employee has left the company, and second, employees aren’t necessarily considering their organization’s long-term IT strategy. Frequently, the solutions they choose are incompatible with each-other, or the many apps being downloaded solve the exact same problem. This creates data silos, which is vastly inefficient.
As many as 71% of employees across organisations are using unsanctioned apps on devices of every shape and size, making it very difficult for IT departments to keep track of. These employees may understand what company data and private information is sensitive, but they may not know which cloud applications can track, store and share this data, or what ends up going into the public view.
A little rogue is okay
The large majority of employees are downloading productivity apps because they want to streamline their tasks and deliver better results.
“Companies should create processes that allows employees to suggest new tools to the IT Department to be assessed for sustainability as a company-supported tool,” says Adams. This keeps employees empowered, the company safe and limits the number of redundant apps being used.
Another developing phenomenon that is helping IT departments tackle the security threat are ‘Bring Your Own Device’ (BYOD) policies for staff. Work culture has transformed over the last decade and employees no longer want to be confined to their office desks to get tasks done. According to Samsung, 78% of employees agreed that BYOD helps them to achieve a better balance between their professional and personal lives. More employers recognise the value of giving employees this freedom and are therefore devising strategies to accommodate the change.
See here for an example of a BYOD policy drawn up by the UK National Health Service, where the security of data is especially critical.
Questions more organizations need to answer
Organizations need to pay more attention to what software and apps their employees are using. Below is a list of questions that will help your IT department to determine which services to eliminate and which resources to secure and enable.
- Which solutions and apps are employees and business departments using overall? Define these by category (file sharing, collaboration, social media).
- What is the risk level of each software solution?
- Which apps and solutions are most popular? Should these be assessed for enterprise-wide adoption?
- Which of the cloud services currently being used are housing sensitive or confidential data, and what are the security capabilities of these services?
- Which redundant cloud apps are employees using, and are they introducing additional risk, or cost?
- How do I quantify the risk from the use of cloud services? Should I compare it to peers in my industry?
- Which partners’ cloud services are employees accessing, and what’s the risk of these partners?
Karen Turtle, Editor and Content Manager at Cloudmore