Do you know what every person in your organisation is doing on the web, and what data they’re moving around? Any tool or system that has not been given the stamp of approval by management or the IT department is known as shadow IT – and is a significant cyber security risk. We’re not just talking about a few unsanctioned apps: it’s about the potential for serious security breaches and compliance nightmares.
With over 25 years’ experience helping businesses bolster their cyber security, I’ve seen firsthand how employees using systems without IT’s approval is a widespread and often overlooked issue. I understand the challenges of maintaining control over your vast IT environment.
So, what is shadow IT and how do you know you have it? This article will answer just that by providing practical strategies for identifying and managing shadow IT, so you can avoid unexpected expenses and maintain a secure, compliant, and cost-effective IT infrastructure.
Before we talk strategy, let’s talk a bit about why shadow IT is a huge internal security risk in the first place. It turns out that shadow IT can open up a whole can of worms – let’s unpack this scary bunch:
Shadow IT can introduce what I like to call ‘Trojans’: viruses and malware that sneak into your systems. This happens when data is pulled back into the business from unapproved repositories that may contain threats. Think of it like bringing a stray animal into your home – you don’t know where it’s been or what it’s carrying!
Apart from filed expenses, are you aware of every single service or solution that people in your organisation are signing up for? If you’re like most SMBs, the answer is most likely no. But you’re not alone: many businesses have stories of suddenly receiving a bill for additional hosting that they were not aware of – and that no one approved.
When you’re auditing your data, how do you know that all your data is in one place? With data scattered across unapproved hosting environments, businesses can go from being very compliant to having no idea where their data is, making compliance impossible. This extends to AI by the way: shadow IT makes it difficult to know where your data is stored, especially when using AI to process or generate information – more on that later.
Now that we’re aware of the dangers lurking in the shadows, let’s switch gears and chat about how to shine a light on your tech stack. A question that always pops up when I talk to my clients about working out whether they have shadow IT is, “How do you know what to prevent if you don’t know it exists?” This is a fundamental question, because the more solutions you have in your tech stack, the harder it is to gauge which ones are helping or harming your business.
So, the first step in tackling shadow IT is knowing how to find it. You need to implement systems to scan your environments and see what applications your users are actively using. This may be quite daunting if you have a relatively large organisation, but tackling shadow IT doesn’t require a massive budget. There are many ways to gain visibility and control that are easy on the pocket – here are a few to get you started:
Monitoring web activity helps to identify if employees are using applications or websites not approved by the business. Without this visibility, identifying shadow IT becomes nearly impossible.
More often than not, employees spin up their own hosting environments on platforms like AWS or Azure for short-term projects. People might think, ‘I need to get this done by the end of the week. I’ll just spin this up and expense it later’. That simply can’t happen: remember, shadow IT is any tech solution that has not been preapproved – and that includes hosting environments.
In addition to monitoring, consider proactively blocking specific sites that employees should not be browsing during work hours, especially on work devices. This is not about blocking the obvious ‘not safe for work’ sites but has much more to do with ensuring that your company data doesn’t fall into the wrong hands.
While access to approved corporate systems should be permitted, measures should be in place to ensure employees cannot use personal accounts or methods to interact with these systems in a way that could compromise data security. What does this mean? Well, I’m glad you asked – let’s break this down:
The name of the game here is data loss prevention (DLP): ensuring that all data interactions within corporate systems are monitored and controlled. This of course prevents the unauthorised copying or transfer of data (what we in the biz call ‘data exfiltration’).
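The monitoring and DLP points above come together in a simple triage over web proxy logs: compare each destination against an allowlist of approved corporate services, flag anything that looks like self-service cloud hosting, and flag large outbound transfers to unapproved hosts as a possible exfiltration indicator. The following is an added example, not code from the original article or from Babble; the log lines, the approved-domain allowlist, the hosting patterns and the 50 MB threshold are all constructed assumptions for illustration.

```python
"""Shadow IT triage over proxy logs: flag unapproved SaaS/hosting destinations
and large outbound transfers to them.
Constructed example; the log lines, allowlist and threshold below are made up."""
from collections import defaultdict
from dataclasses import dataclass
import re

# Approved corporate services (hypothetical allowlist, assumed for the example).
APPROVED_DOMAINS = {
    "mail.example-corp.com",
    "crm.example-corp.com",
    "sharepoint.com",
}

# Host patterns that suggest self-service cloud hosting (assumed list).
HOSTING_PATTERNS = [
    r"\.amazonaws\.com$",
    r"\.azurewebsites\.net$",
    r"^portal\.azure\.com$",
    r"^console\.aws\.amazon\.com$",
]

# Outbound bytes above this to a non-approved host are treated as a possible
# exfiltration indicator (illustrative threshold, not a recommended value).
UPLOAD_THRESHOLD_BYTES = 50 * 1024 * 1024

# Constructed proxy log lines: timestamp user dest_host bytes_out
SAMPLE_LOGS = """\
2024-05-01T09:02:11Z alice mail.example-corp.com 1203
2024-05-01T09:05:40Z bob console.aws.amazon.com 884
2024-05-01T09:06:02Z bob my-bucket.s3.amazonaws.com 73400320
2024-05-01T09:10:55Z carol crm.example-corp.com 5120
2024-05-01T09:12:03Z dave files.some-free-sharing-site.example 61440000
2024-05-01T09:15:30Z alice sharepoint.com 9000000
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")


@dataclass
class Finding:
    user: str
    host: str
    reason: str
    bytes_out: int


def _is_approved(host):
    # Exact match or subdomain of an approved domain.
    return any(host == d or host.endswith("." + d) for d in APPROVED_DOMAINS)


def _is_hosting(host):
    return any(re.search(p, host) for p in HOSTING_PATTERNS)


def parse_log(text):
    """Parse 'timestamp user host bytes' lines; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, host, nbytes = m.groups()
        rows.append((ts, user, host.lower(), int(nbytes)))
    return rows


def triage(text, upload_threshold=UPLOAD_THRESHOLD_BYTES):
    """Return one Finding per (user, host) pair that touched a non-approved service."""
    totals = defaultdict(int)
    for _, user, host, nbytes in parse_log(text):
        if _is_approved(host):
            continue
        totals[(user, host)] += nbytes
    findings = []
    for (user, host), total in sorted(totals.items()):
        reasons = ["unapproved destination"]
        if _is_hosting(host):
            reasons.append("self-service cloud hosting")
        if total >= upload_threshold:
            reasons.append("large outbound transfer")
        findings.append(Finding(user, host, "; ".join(reasons), total))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOGS):
        print(f"{f.user:6} {f.host:40} {f.bytes_out:>10}  {f.reason}")
```

Run against the constructed log, the approved traffic from alice and carol drops out, bob's AWS console and S3 bucket are flagged as unapproved cloud hosting (the bucket additionally as a large transfer), and dave's upload to an unapproved file-sharing site is flagged as a large outbound transfer. In practice the allowlist would come from your asset register and the threshold from a baseline of normal upload volumes per user.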
With our shadow IT detectors sharpened, let’s take a look at the bigger picture and how you can prevent or manage shadow IT. Building long-term security requires a multi-faceted approach. This means that to truly protect your business from threats like shadow IT, you can’t just rely on one solution. I like to look at security at multiple levels: from individual devices to your network’s edge.
Let’s go back to my Trojan metaphor: the antivirus software on your computer that protects it from viruses masquerading as harmless emails is basically what endpoint protection is – just supercharged and designed for businesses. “Endpoint” refers to devices like laptops, desktops, and servers. So, endpoint protection helps prevent these machines from being compromised and used to attack internal servers or Active Directory servers, which could damage the entire network.
Think of your company’s network as a castle. Edge security is like having guards at the castle walls (the “edge” of your network) to control who comes in and what they can do. It’s all about setting rules about where users can and can’t go, and what they can and can’t access. It can get very draconian, but from a security point of view, you don’t want your users going here, there and everywhere without that activity being monitored.
What’s worse is having a disgruntled user accessing your crown jewels (which is data in this case) – whether that’s financial information, proprietary code, or intellectual property. You want to avoid a situation where an employee shares sensitive information with competitors – which brings me to my next point.
We can’t talk about the tech without mentioning the people buying and using said solutions. In this article, I talk about what makes your employees the biggest internal security risk, but for now, I’ll say this: Keep a close eye on employee behaviour, especially those who’ve given their notice.
Imagine this: Laura, a long-time marketing employee, hands in her resignation. While everyone wishes her well, a silent clock starts ticking in the IT department.
The IT team flags Laura’s account, not because they distrust her, but because they need to ensure company data (crown jewels) remains secure. Tom in IT then goes ‘Right, monitor what that user is doing in more detail than others’. So, they monitor where she’s going on the web and what data she’s moving around.
But it’s not just about laptops and data transfers. Be aware that sensitive information can be shared in social settings, not just through technological means.
Perhaps Sarah mentions a new marketing campaign to a friend at a networking event, inadvertently sharing confidential information with a competitor. It’s not always about malicious intent or clicking on a ‘phish-y link’. Sometimes, it’s a casual conversation that poses a risk. This is why awareness and vigilance are so important, both in the digital and physical realms.
Shadow IT poses significant risks, including security breaches, compliance nightmares, and unexpected costs. By implementing the steps outlined in this blog, you can mitigate these risks and protect your business.
As a cyber security expert at Babble, I’m committed to helping businesses like yours navigate the complex world of cyber security – after all, these things are usually best left in the hands of a trusted partner.
Take the first step towards a more secure IT environment by reading my blog, Why Your Employees Are Your Biggest Security Risk, to get a comprehensive understanding of how you can keep your business safe from all angles.