Shadow IT: the cyber threat hiding in plain sight

Welcome to the world of shadow IT.

What is shadow IT?

Shadow IT is the use of any software or hardware that is not formally approved and supported by a company’s IT department. These can include PCs, laptops and other hardware, off-the-shelf packaged software, and cloud services such as software as a service (SaaS). The increased use of cloud technology, in particular, is driving the growth of shadow IT within organisations. That is because employees often turn to tools that give them a sense of control, is a more productive alternative to an approved tool or is a product they want to only use once.

A common scenario sees a manager purchasing an application for a project with the intention of cancelling it after the project is completed. Without notifying the appropriate IT department of the transaction, there is no record that the software has been purchased or used and, as a result, whether it should be included in the company's SaaS spend analysis.

The problem is a growing trend. A survey by Gartner found that a third of successful cyber attacks came from shadow IT, while Entrust found that more than two thirds (77%) of IT professionals felt that shadow IT was going to become a major issue. As far as many organisations are concerned, shadow IT is living up to its name: hiding in plain sight, with the threat only increasing.

Shadow IT can be a threat to businesses in two ways: first, it is very difficult for a company to have visibility of any form of shadow IT because it is not coming in through a company’s formal processes. Second, legacy software that was once formally approved by the IT department, but is no longer supported by the company, can also cause security and continuity issues if it’s not deleted.

The attraction for employees is clear: shadow IT can improve the speed at which they can perform their jobs. A lot of the time, a department will have its own requirements regarding the software or hardware it needs. The challenge is then navigating the corporate bureaucracy that often exists to get the green light for a piece of software or hardware. Perhaps unsurprisingly, when time is of the essence, teams can get frustrated and are prone to just buying or downloading it themselves.

As outlined above, users have become more comfortable downloading and using apps and services from the cloud to assist them in their work – a trend that has accelerated with the increase in working remotely post -pandemic. In the case of cloud-based applications, or other services used by developers – the biggest category of shadow IT – assets can contain vulnerabilities and, as a result, the risk of data breaches and other liabilities increases.

The risk of shadow IT is clear: if you don't know the scope of your company’s IT, you cannot protect or update it. By definition, shadow IT falls outside the view of IT security, increasing the probability that vulnerabilities will go undetected. Other risks of shadow IT are risks related to compliance, loss of productivity and continuity, data loss and leakage and financial risks.

How to mitigate the risk of shadow IT

Similar to preventative actions for other types of cyber threat, educating your people should be top of your list. Communicate, collaborate and train all of your employees on the dangers of shadow IT, as well as making the formal procedures they need to follow to get the software or hardware they need as fast and as frictionless as possible. Monitoring your network traffic and ensuring visibility and control of all devices, applications and systems should also be happening constantly.

It is possible to mitigate the risk from a technical standpoint by making it impossible to download unapproved software, or to connect to your network without a notification, but that only goes so far. It is still very easy for an employee to download a cloud application and use it without anyone knowing – then it’s just a question of whether that app has assets that contain vulnerabilities. Other measures for reducing the risks of shadow IT are the usual security measures such as network segmentation and introducing policies for ‘bring your own device’ (BYOD).

While allowing your staff to download their own software or use their own hardware can be liberating and speed up processes, if left unmanaged the threat it poses is significant. For many businesses, shadow IT needs to come out into the light – and fast.

Read Mazars’ latest report, Future-proofing cyber security in an increasingly digital world, for an in-depth guide on how to understand and mitigate cyber risks.