Are you aware of the unauthorised apps lurking in your office systems without the knowledge of your IT department? Welcome to the world of Shadow IT.
According to a Microsoft study, 80% of employees contribute towards shadow IT by using unapproved applications for work, including an average of seventeen cloud apps.
What’s worrying is that many organisations have no visibility into what’s in use or whether these apps meet security, privacy, and compliance requirements – and therein lies the danger.
Shining a Light on Shadow IT
Simply put, shadow IT is where devices, software, and services are used by your employees without the ownership, control, or sometimes even the awareness of your IT department.
This isn’t as straightforward as employees logging into Facebook on their work devices during a lunch break: the issue extends to apps that are designed for workplace use, such as Asana, Trello, and Slack, as well as more untrustworthy apps that pose a more obvious security threat. All of these resources, when they are used without authorisation, fall under the umbrella of shadow IT.
Usually, an employee would request the permission of an organisation’s IT department. Once notified, they can run the relevant risk assessments and bring the application into the security fold. The problems start when employees skirt around these procedures and are exacerbated by the growing reliance on the cloud, as well as traditional on-premises apps.
Why is Shadow IT So Harmful?
By downloading these unapproved apps, your employees undermine the organisation’s security efforts, with applications existing outside of the security perimeter, and by extension, the IT department’s control.
Overall, shadow IT poses a huge number of risks for your organisation, many of which are not apparent.
- Unencrypted data storage and connections to services,
- Lax password and authentication requirements,
- Inability to meet eDiscovery requirements – which are vital for GDPR,
- Backup and recovery that doesn’t meet internal standards,
- Legal issues regarding who owns what data when using a cloud service,
- Users unwittingly sharing sensitive data through public links,
- Non-compliance with varying international and industry regulations.
What’s worse is the scale of the problem. It’s estimated that employees use around fifty different SaaS (Software as a Service) apps and the actual number could be up to fifteen times greater. Considering the percentage of those apps that are likely to be unauthorised, it’s a significant issue.
Tackling the Problem
If shadow IT is uncovered in your organisation, your gut reaction might be to immediately cancel access to these services and software. Unfortunately, this is somewhat akin to trying to hold back the tide; you can bet that your employees will always find ways around any restrictions you set.
Besides which, rigid control over your employees’ access to apps and systems could deter innovation and stifle productivity. There’s something telling about employees turning to unsanctioned team management apps, simply because your current setup isn’t meeting their needs.
Embracing productivity apps with the approval of your IT department could be the way forward. Keeping ahead of the curve and meeting your employees’ needs will also have a positive impact on your organisation’s ability to keep high-calibre talent engaged.
Instead of attempting to block shadow IT, consider how you can provide the flexibility your employees need, whilst ensuring that the necessary protections and security are in place for on-premises systems.
Traditional security solutions – such as firewalls, intrusion prevention systems, and data loss prevention tools – are not designed to give IT comprehensive visibility into, or control over, how employees are using apps and cloud services.
Instead, what’s needed is a set of tools that are specifically designed to monitor how employees are using cloud applications, help manage risk across the cloud services in use, extend internal security requirements into the cloud, and help enforce reasonable and effective SaaS policies.
How Identity Experts Can Help
Fortunately, help is at hand to fight shadow IT, in the form of a Cloud Access Security Broker.
A CASB extends your security policies into the cloud. It starts by giving you a detailed picture of what cloud applications employees are using and provides you with the tools to control that usage and protect your organisation.
It begins by first discovering all the cloud applications and devices in your network and providing a detailed risk assessment for each service discovered. Modern CASBs will collect information from firewalls and proxies, assigning an individual risk score to each SaaS app that allows IT to determine which apps to sanction.
A CASB will then provide IT comprehensive control over sanctioned apps and will automate enforcement of their policies, e.g. automatically restricting the ability to share sensitive data with users outside of your company who shouldn’t have access to critical company data. This is especially important if you operate in a highly regulated industry, such as finance, healthcare, or government.
With comprehensive visibility into how employees are using the cloud, a CASB will then provide you with ongoing enhanced threat protection for your cloud apps and help you to stay ahead of cyber threats. A high-level CASB will use machine learning to understand how each user interacts with each SaaS app in order to detect suspicious and impossible use scenarios, for example multiple failed login attempts, simultaneous logins, or the sudden download of terabytes of data.
A Problem with a Solution
Hopefully, the above has both drawn your attention to the risks of shadow IT, whilst alleviating some of your fear. Although shadow IT might feel like an insurmountable challenge, hidden in plain sight, organisations can take comfort in the knowledge that there’s help out there – and that they can take control back without stifling their team’s innovation.
After all, that’s the heart of the situation: striking a balance to keep your employees both safe and happy, without succumbing to the threats posed to third party applications – and by extension, your organisation.
To find out more about shadow IT, how it can affect your business, and how best to root it out, get in touch with our team – they’re always happy to help.