December 28, 2022

What is Shadow IT? – The Risks and Benefits of Shadow IT

  • Cybersecurity
  • Shadow IT

What is Shadow IT? 

Shadow IT refers to any information technology used within an organization without the knowledge or formal approval of its IT or information security department. Shadow IT includes hardware and endpoint devices, software and applications, and cloud services. Typical examples of shadow IT found in organizations include:  

  • Hardware and Endpoint Devices: laptops, mobile phones, tablets, storage devices like USB flash drives and HDDs, network devices like routers, and IoT devices. 
  • Software and Applications: operating systems, office suites, web browsers, communication and video conferencing tools, graphics and design software, security software, and databases.  
  • Cloud-Based Services: software-as-a-service (SaaS), e.g., Microsoft 365, Google Workspace, Dropbox, Slack, and Salesforce; infrastructure-as-a-service (IaaS), e.g., AWS and Microsoft Azure. 


The Rise of Shadow IT 

While the term Shadow IT may be new to you, the practice has been around for a long time. Organizations have had shadow IT since the days of the floppy disk and USB drive, which employees often used to copy data so they could work on it on their personal computers. The popularization of bring-your-own-device (BYOD) policies around 2010 saw employees connect their personal laptops and devices to the office network for work-related activities. In recent years, shadow IT has grown rapidly due to the ever-increasing availability and utility of web-based SaaS applications.  

Nowadays, employees can take advantage of a plethora of SaaS apps to assist them with their work, from office suites, email, file sharing and storage apps, video conferencing apps, collaboration tools, and productivity tools to image and video editors. Many SaaS apps are available for free or with inexpensive, short-term subscription options, making them highly attractive to employees and teams looking to get their work done faster and more effectively. The rise of remote working during the COVID-19 pandemic has also fueled the increase in shadow IT, as employees have been forced to work on their personal devices and networks and to adopt cloud-based applications in less well-resourced environments.  

Benefits and Risks of Shadow IT 

The fact that shadow IT applications and devices are widespread in organizations shows their value and convenience. However, while the use of shadow IT is rarely malicious, it is still a risk from a cyber security perspective, and that risk has to be managed to protect systems and data from compromise.   

In this section, we examine the benefits and security risks of shadow IT to give organizations a better sense of what is at stake.  

Benefits of Shadow IT 

  • Work Efficiency and Productivity: Shadow IT promotes work efficiency and productivity in two ways. On the one hand, employees and teams can start using IT resources immediately without going through the potentially lengthy process of making the request and waiting for the IT and finance departments to review and sanction their use. On the other hand, shadow IT resources may provide greater utility than those supplied and approved by the organization, allowing employees to complete tasks more efficiently.   
  • Increased Innovation: Shadow IT can also help organizations innovate. By allowing employees to use outside solutions, organizations can benefit from the creativity and ideas of their employees. This can promote new approaches to problem-solving and help organizations stay competitive.  
  • Improved Employee Satisfaction: Shadow IT can also help organizations improve employee satisfaction. By allowing employees to use the tools they need to do their jobs more effectively, organizations can make their employees feel more appreciated. This can lead to higher job satisfaction, a better user experience, and reduced turnover.  
  • Free Up IT Department: Given the prevalence of shadow IT, reviewing and approving the use of all IT assets in the organization would take an enormous effort from the IT department. This would take time away from other business-critical tasks, such as network performance optimization, troubleshooting, and resource planning.  

Security Risks of Shadow IT 

  • Cyber Attack: Shadow IT in the form of personal laptops, mobile devices, and IoT devices leaves an organization’s network vulnerable to cyber-attack. Without knowledge of these devices, or the tools to detect their presence, the IT security team has no way of ensuring that they meet security baselines: for example, whether endpoint security software is installed, whether operating systems, software, and firmware are patched and up to date, and whether there are any unsafe settings or weak or default passwords. Adversaries can pounce on any such weakness to breach a device, move laterally through the network, and inflict a devastating data breach or ransomware attack.  
  • Data Leakage: Shadow IT can result in data leakage, that is, the unauthorized transmission of data from within an organization to an untrusted external destination. In the case of SaaS applications, user data is stored with the SaaS provider, so the security of that data depends entirely on the provider, and because the account is personal rather than corporate, it typically sits outside the organization’s single sign-on, multi-factor authentication, audit logging, and offboarding processes. Web applications and their underlying infrastructure also often suffer from vulnerabilities and misconfigurations that adversaries can exploit to gain unauthorized access. For example, attackers can use an SQL injection attack against an application’s database to steal sensitive data like user credentials and credit card information, or to wipe the database altogether.  
  • Data Loss: Data loss is any process or event that results in data being corrupted, deleted, or made unreadable by a user or software application. In the case of shadow IT, this can occur when employees use personal cloud storage solutions, such as Dropbox and Google Drive, or personal USB flash drives to transfer and store company data like customer information and intellectual property. Not only does the organization lose control of its data, but it may lose the data altogether if the employee leaves the company or, in the case of paid storage services, the subscription expires.    
  • Compliance Violation: Organizations are subject to various data protection laws, such as the EU General Data Protection Regulation (GDPR), and industry-specific regulations like the Health Insurance Portability and Accountability Act (HIPAA) for healthcare and health insurance providers in the US. Organizations may face heavy fines, reputational damage, and loss of business if sensitive data like personally identifiable information (PII) is exposed as a result of unauthorized shadow IT being used to transmit and/or store it, since this demonstrates a lack of due diligence in the protection of data.   


Managing Shadow IT Risks 

Despite the security risks posed by shadow IT, employees embrace it to gain fast, flexible, frictionless access to useful tools and applications. At the same time, organizations benefit from greater employee productivity and innovation. Therefore, the goal is not to prohibit the use of shadow IT but to manage the risks more effectively. The first step to doing so is to identify shadow IT assets. As the saying goes, “you can’t protect what you don’t know.”   

Fortunately, we now have the tools to help IT security teams identify shadow IT assets. ForeNova’s NovaCommand is a Network Detection and Response (NDR) solution that uses passive scanning to detect all IT assets connected to the network. NovaCommand also detects vulnerabilities, weak passwords, unencrypted traffic, and improper configurations so that these risks can be remediated before adversaries take advantage of them.   
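As an added illustration of the identification step described above (example code written for this page, not part of NovaCommand or any other product), the script below passively mines two log sources most organizations already collect: DHCP lease logs, which show every device that obtained an address, and web-proxy logs, which show which SaaS services are being used and by which client. It diffs both against an approved device inventory and a sanctioned SaaS list. The log lines, the inventory, and the SaaS domain table are all constructed for the example; in practice the inventory would come from a CMDB or MDM export and the domain table from a much larger catalogue.

```python
import re
from urllib.parse import urlsplit

# --- Constructed sample input (not real logs) --------------------------------
# ISC dhcpd-style syslog lines. Only DHCPACK means a device actually got a lease.
DHCP_LOG = """\
Dec 28 09:01:12 dhcp dhcpd[812]: DHCPACK on 10.20.4.31 to 3c:22:fb:10:aa:01 (CORP-LT-0042) via eth1
Dec 28 09:03:47 dhcp dhcpd[812]: DHCPACK on 10.20.4.58 to a4:83:e7:55:90:c3 (Alices-iPhone) via eth1
Dec 28 09:05:02 dhcp dhcpd[812]: DHCPACK on 10.20.4.77 to b8:27:eb:7f:01:9e via eth1
Dec 28 09:06:30 dhcp dhcpd[812]: DHCPACK on 10.20.4.31 to 3c:22:fb:10:aa:01 (CORP-LT-0042) via eth1
Dec 28 09:07:55 dhcp dhcpd[812]: DHCPDISCOVER from 00:1a:2b:3c:4d:5e via eth1
Dec 28 09:09:15 dhcp dhcpd[812]: DHCPACK on 10.20.4.90 to 54:60:09:2a:bb:cd (Chromecast) via eth1
"""

# Squid native access.log: ts elapsed client code/status bytes method url user hier/peer type
PROXY_LOG = """\
1672218072.101    245 10.20.4.31 TCP_TUNNEL/200 3412 CONNECT outlook.office365.com:443 - HIER_DIRECT/52.96.1.1 -
1672218075.330    180 10.20.4.58 TCP_TUNNEL/200 9821 CONNECT www.dropbox.com:443 - HIER_DIRECT/162.125.1.1 -
1672218080.902     90 10.20.4.31 TCP_MISS/200 1204 GET http://example.org/index.html - HIER_DIRECT/93.184.216.34 text/html
1672218091.415    310 10.20.4.77 TCP_TUNNEL/200 5120 CONNECT app.slack.com:443 - HIER_DIRECT/3.1.1.1 -
1672218094.007    150 10.20.4.31 TCP_TUNNEL/200 7000 CONNECT drive.google.com:443 - HIER_DIRECT/142.250.1.1 -
"""

# --- Hypothetical organization data ------------------------------------------
APPROVED_DEVICES = {"3c:22:fb:10:aa:01": "CORP-LT-0042"}   # MAC -> asset tag
SAAS_DOMAINS = {                                           # domain suffix -> service
    "office365.com": "Microsoft 365",
    "dropbox.com": "Dropbox",
    "slack.com": "Slack",
    "drive.google.com": "Google Drive",
}
SANCTIONED_SAAS = {"Microsoft 365"}

DHCPACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))?"
)


def parse_dhcp(log):
    """Map each MAC that obtained a lease to its most recent IP and hostname."""
    devices = {}
    for line in log.splitlines():
        m = DHCPACK_RE.search(line)
        if m:
            devices[m["mac"]] = {"ip": m["ip"], "hostname": m["host"] or ""}
    return devices


def parse_proxy(log):
    """Return (client_ip, destination_host) pairs from Squid access.log lines."""
    events = []
    for line in log.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue
        client, method, url = fields[2], fields[5], fields[6]
        # CONNECT carries host:port; other methods carry a full URL.
        host = url.rsplit(":", 1)[0] if method == "CONNECT" else (urlsplit(url).hostname or "")
        events.append((client, host.lower()))
    return events


def saas_for_host(host):
    """Classify a destination host as a known SaaS service, or None."""
    for suffix, service in SAAS_DOMAINS.items():
        if host == suffix or host.endswith("." + suffix):
            return service
    return None


def unknown_devices(devices, approved=APPROVED_DEVICES):
    """Devices that obtained a lease but are not in the approved inventory."""
    return {mac: info for mac, info in devices.items() if mac not in approved}


def unsanctioned_saas(events, sanctioned=SANCTIONED_SAAS):
    """service -> set of client IPs using a known SaaS app that is not sanctioned."""
    found = {}
    for client, host in events:
        service = saas_for_host(host)
        if service and service not in sanctioned:
            found.setdefault(service, set()).add(client)
    return found


def shadow_it_report(dhcp_log=DHCP_LOG, proxy_log=PROXY_LOG):
    """Combine both views and correlate unknown devices with unsanctioned SaaS use."""
    devices = parse_dhcp(dhcp_log)
    unknown = unknown_devices(devices)
    saas = unsanctioned_saas(parse_proxy(proxy_log))
    ip_to_mac = {info["ip"]: mac for mac, info in devices.items()}
    correlated = sorted(
        (ip_to_mac[ip], unknown[ip_to_mac[ip]]["hostname"], service)
        for service, ips in saas.items()
        for ip in ips
        if ip in ip_to_mac and ip_to_mac[ip] in unknown
    )
    return {"unknown_devices": unknown, "unsanctioned_saas": saas, "correlated": correlated}


if __name__ == "__main__":
    report = shadow_it_report()
    for mac, info in report["unknown_devices"].items():
        print(f"unknown device {mac} ip={info['ip']} host={info['hostname'] or '?'}")
    for service, ips in report["unsanctioned_saas"].items():
        print(f"unsanctioned SaaS {service} used by {sorted(ips)}")
    for mac, host, service in report["correlated"]:
        print(f"unknown device {mac} ({host or '?'}) is using {service}")
```

Two points this shows that the prose alone does not: the DHCPDISCOVER line is deliberately ignored, because a device that asked for an address but never received one is not on the network, and the correlation step matters, since an approved laptop syncing to a personal Google Drive is a data-loss concern while an unknown device talking to Slack is both an asset gap and a data-leakage concern. A real deployment would also pull MAC vendor (OUI) data to label the unknowns and feed the results into the asset inventory rather than printing them.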

Visit the NovaCommand product page to learn more about its features and capabilities!