According to Gartner’s Top 10 Cloud Security Predictions, by the year 2020, a third of all successful attacks on businesses will be against their shadow IT resources. Businesses can no longer ignore the risks of shadow IT and must take preventative steps against it.
In the past, shutting down shadow IT was much easier. You could scan your network for rogue wireless access points or for unapproved applications and move quickly to shut them down. However, finding shadow IT resources is more difficult than ever because so many applications now run as a service in the cloud.
Why People Turn to Shadow IT
Shadow IT is the name used to describe any technology in your enterprise that does not have proper approval to run. It could be hardware resources; however, it is more frequently applications that people run as a workaround in order to get their work done more quickly or effectively. They often turn to these resources to:
- Circumvent bottlenecks
- Avoid processes that slow them down
- Rely on software they are familiar with
- Work with something that is compatible with their mobile devices
- Work with legacy applications that are no longer supported
Unfortunately, most people who rely on shadow IT see only the upside: they get their work done and it makes their life easier. They don’t see the security risks of shadow IT.
1. Increased Risk of Data Loss
When an application runs outside of the IT team’s control, it does not receive the same attention when it comes to backup and recovery procedures. It is up to the person or department that is running the resource to take care of this. Without a proper backup and recovery strategy in place, or the resources to effectively handle these tasks, important data may be lost if there is an incident. This could have serious ramifications if the data is critical to the business.
2. Increased Risk of Data Breach
Just as IT has no control over backup and recovery with shadow IT, it has no control over who is accessing the resource either. There may be contractors or employees with privileged access who shouldn’t have the ability to see, modify, or copy certain data. Employees who have resigned or been terminated may still have access. There is basically no control over who has an account and what those accounts are able to do.
You also have to consider credential theft as a possibility. With shadow IT resources operating under the radar, there is no one to monitor access logs to look for anything out of the ordinary that may indicate a breach.
This may seem contradictory since many people rely on shadow IT to get their work done faster. However, whenever a new technology is introduced into your infrastructure, it impacts resources. Before implementing anything new, the technology is tested to see what potential impact it may have and what needs to be done to remediate any inefficiencies it may cause.
When technology is implemented outside the normal business processes, it doesn’t undergo these checks. While it may make one process faster, it may cause bottlenecks somewhere else or create a single point of failure that risks the shutdown of a business-critical resource.
4. Cybersecurity Risks
Hackers often take advantage of vulnerabilities in software when they want to access something illegally. When a vulnerability is known to exist, the software vendor issues a patch for it.
IT and security teams take the patching of systems seriously. Patches are tested and applied based on the seriousness of the threat they address. When it comes to shadow IT, who is keeping an eye out for critical updates and patches that address security issues?
While an application may help get things done in the workplace, there is no guarantee that it is safe to use. There have been multiple cases of software having malware attached to it. When someone installs it in the workplace, it opens the door to any number of bad things.
Not all shadow IT resources are downloaded or found online for free. Unless they come from a reputable vendor and are purchased properly, there is no guarantee that what is used is legitimate.
Shadow IT continues to be a problem for Boston-area businesses, and since the cloud makes it easier for people to use enterprise-level applications without the need for IT support, it will continue to gain traction.
To mitigate this problem, you need to get your coworkers to understand the problems that shadow IT resources pose to the organization. If you are able to identify the reasons they are turning to shadow IT and propose workable solutions to replace their rogue resources, you will stand a better chance of beating back this problem.