The average enterprise uses over 1,000 cloud services – but the IT department only knows about roughly 100 of them. This phenomenon is known as shadow IT: the practice of employees bypassing official corporate applications in favor of different ones, without the knowledge of the IT department. This is usually done out of convenience, familiarity, ease of use, or to boost productivity.
From a productivity standpoint, shadow IT has a range of benefits. Thanks to the rise of cloud applications and collaboration tools – such as Slack, Monday, Dropbox and so on – employees feel empowered to download services that make them more productive and efficient. However, for IT and security professionals, shadow IT is nothing short of a data security nightmare.
In fact, the browser has become the most popular method of delivering software, and the ease of installing ‘thin clients’ from websites is increasing the adoption rate of shadow IT.
With steep regulatory fines and corporate reputation at risk, security violations are a serious worry for IT leaders. And shadow IT is a breach just waiting to happen.
Every day, employees are uploading, downloading and transferring sensitive data across unknown cloud applications and devices. Just one unsecure network, one phishing email or one piece of malware could result in data theft or exposure, leading to a hefty compliance fine and the company’s name splashed across headlines in an unflattering way.
To give you an example, let’s say your employees use WhatsApp to share files or chat with colleagues. Back in 2019, researchers found a vulnerability in the app’s VOIP function, which meant that attackers could inject malware into a device simply by calling it. That same year, news broke that a group of human rights lawyers in the UK suffered a malware injection on their phones, as a result of this vulnerability.
This is just one example of thousands of shadow IT risks, and further research shows the enormity of the problem:
While shadow IT is not a new risk, its adoption has sharply risen during the pandemic. There are four main reasons for this:
Remote working teams: Pre-pandemic, employees used to work under the same roof. If they needed to speak to each other, they could do so in-person and quickly. Now, corporate teams are often hundreds of miles from each other. To communicate promptly and effectively, many are tapping their favorite collaboration and communications tools – some of which may not be on the IT approved list. In one survey, 67% of respondents admitted to using their own unvetted collaboration tools, while 82% pushed back against IT’s vetting process.
Work from home setups: Outside the confines of the office, employees may become more relaxed about using unofficial IT channels and devices to accomplish tasks. For example, they may choose to work from their personal computer or mobile, or use unauthorized cloud applications to help them get their work done.
Blurred distinction between work and personal life: As employees live and work at home, the line between using devices for work and personal reasons may start to blur. For example, an employee could download music from a dodgy website onto their laptop, or they might access their work email from an unsecure free Wi-Fi connection while at the mall. This introduces new attack vectors and greatly escalates risk.
Malicious opportunists: Cyber attackers are capitalizing on these changes in the workplace landscape, taking advantage of the pandemic disruption to find new vulnerabilities and exploit unwary workers. In fact, research shows that 71% of organizations have experienced an increase in cyber-attacks since the start of the outbreak. The same research indicated that almost half of these attacks are the result of shadow IT.
IT teams cannot turn a blind eye to the risks of shadow IT. If they do, it’s only a matter of time before sensitive data is stolen or leaked. At the same time, trying to stop employees from using unofficial apps will just cause them to find new ways to circumvent IT policies. After all, some of these applications can actually be a boon for productivity and innovation.
What’s needed, instead, is a focus on securing sensitive corporate data, no matter where it travels to. Here’s how organizations can implement this:
Harness the power of DLP CASB: The right cloud access security broker (CASBs) is an indispensable tool against shadow IT usage, helping IT teams gain insight and visibility in cloud environments. Organizations should look for a solution based on APIs, as this checks and analyzes any and all traffic that goes in and out of cloud applications. Next-generation CASBs also integrate DLP capabilities, helping organizations secure sensitive data over weak points like chats, file sharing and data storage platforms, and even codebases.
Use the principle of least privilege: To further protect against data leakage and theft, CASB deployment should be combined with rigorous access privileges, meaning employees are only given access to the information and resources needed to do their jobs. This can prevent a cyber attacker or an insider threat from leaking or stealing sensitive corporate information.
Zero trust: In the remote work era, it’s more difficult than ever for IT teams to verify log-ins as authentic. That’s why a zero trust approach is needed. It is a model for substantiating access requests for users, endpoints, applications, networks, and infrastructure, to ensure employees are who they say they are, and that they have permission to use certain files.
Assess the landscape: Shadow IT is a dynamic issue; employees are discovering and downloading new applications by the day. According to Microsoft, up to 80% of employees use unvetted apps. As such, IT teams’ shadow IT management must also be an ongoing process. Enterprises should use vulnerability scanning tools to conduct regular security assessments, with the aim of spotting unverified apps, misconfigurations and unpatched software.
Be open to change: Employees use unsanctioned applications mainly because they aren’t satisfied with the user experience offered by the enterprise solution. IT teams should therefore be open to employee suggestions about new applications and processes. By establishing policies that encourage employees to request new cloud solutions, IT teams can increase visibility into shadow IT usage instantly, while also improving workplace processes and retaining the trust and goodwill of workers.
In the age of coronavirus, the risks of shadow IT are higher than ever. However, a data breach need not be inevitable. By taking a proactive, data-driven approach to cybersecurity, IT teams can prevent a costly cyber-attack, while also enabling employee productivity and innovation.