Uncovering the hidden risks of Shadow IT

Controlling a known risk that’s posing new challenges

As a result of the 2020 Covid-19 pandemic, more of us are working from home more often. This means there’s a lot more for you to think about concerning user behaviour, activity and security.

And when we say “more”, we really mean “more”. The number of employees working from home has tripled recently, and 84% of businesses anticipate broader or even permanent WFH programmes. As a result, 66% expect increased security threats, and 63% foresee that compliance risks could be exposed.

These are daunting statistics, and we know that managing your IT services remotely brings about its own challenges. How can you keep everyone online, productive and secure with no visibility of what they’re doing? Or, importantly, how they’re doing it?

In terms of danger to your business’s security, shadow IT – that is, using devices, software and applications without IT department approval – is another pandemic we’ve got to think about.

While a member of your team using Dropbox instead of the company-approved file-sharing system might not seem like a huge issue, it could be. As many as one third of successful attacks on enterprises target data that’s held in unsanctioned IT resources.

So, what can you do about this liability lurking outside your field of vision?

From humble beginnings

Shadow IT may seem ominous, but its origins are perfectly innocent.

One of your people struggles with their Android work phone or Windows laptop, so they install your email application on their iPhone or MacBook to get more done, more efficiently. This common switch-out is known as Bring Your Own Device (BYOD).

Another has found a spellcheck plug-in that helped them excel in their latest Zoom pitch. And speaking of Zoom, one of your teams finds a better connection on that, dialling in using their personal account, despite the fact you exclusively use… well, Teams.

These small cracks in how things are usually done can be harmless, and might even lead to innovation and enhanced productivity. More than 11,000 Software as a Service (SaaS) products are now available to all of us at the click of a button, opening up a world of possibility and opportunity for development.

What you don’t know CAN hurt you

However, the unapproved and unmanaged use of these apps, as well as personal devices and other new software, can result in sensitive data leaks. Tools that work directly with cloud servers can skirt around virtual private network (VPN) connectivity that would tie their use back to the controlled corporate environment.

The problem is compounded further when one person’s use of a new system has a knock-on effect. After all, “so-and-so in Finance is using Slack. Why shouldn’t I?”

What’s more, only 59% of organisations have a formalised BYOD policy. Organisations that previously set up VPNs may have done so assuming – correctly, at the time – that only a certain percentage of their employees would be working from home at once. And security teams don’t have the means to see how data is being accessed and used, making it impossible to enforce data protection policies.

A light in the darkness

The good news is, there are things that can be done to control the spread of shadow IT. No mask or sanitiser required.

The first step is acceptance. Despite its risks, shadow IT can save employees time on gaining IT approval, enhance their productivity and empower them to configure powerful new tools in just minutes. The IT team shouldn’t be a dictatorship, either, and it would be wrong to stifle users’ efficiency or to let them struggle on with systems that simply don’t work for them.

The second is finding a middle ground. Use your internal monitoring and control solutions to see who’s doing what, how, and where. Take the time to distinguish between “positive” and “negative” shadow IT, understanding why people are using unapproved tools. Offer alternatives or make apps and devices as safe as possible if they’re potentially harmful. If they’re not harmful and that’s what people prefer, consider adopting them throughout your enterprise.

Finally, think about the future. Reconsider your security strategy, making sure it’s appropriate and useful for the modern workforce, putting your people and data at the forefront of your growth. Put a BYOD policy in place. Scale capacity and increase access to cloud applications, to the extent it’s possible.

Expert guidance for unexpected risks

And above all, seek the guidance of an expert who can help you do all this effectively.

There’s good reason visibility makes up a third of our ethos, alongside intelligence and control.

As specialists in cyber security, we invite you to join our dedicated webinar that can help you identify and mitigate the risks Shadow IT is bringing to your door – and enjoy its benefits, too.
