There is some debate within the corporate world about how much of companies’ IT spending goes towards shadow IT. That is, the solutions that are not sanctioned by the IT department but by other business units instead. Estimates suggest it could comprise 30%, 40%, 50%, or even more. For the sake of both security and finance, shadow IT monitoring is essential.
A growing interest in remote working necessitates convenient solutions, such as employees using their own devices to carry out their work. This means that the adoption of shadow IT will only rise if unchecked. This article explores the risks of shadow IT, the most effective methods of monitoring its use, and ways to mitigate the potential consequences.
What is shadow IT risk?
Employees may not see a problem with shadow IT. For them, it means finding their own solutions to issues that they have. This usually involves software that is convenient to them and aligned with their workflow – software they can implement right away without having to wait for IT approval. Examples include:
- Using DropBox to send and receive large files
- Using a personal USB drive to move data between home and the office
- Using their own phones to email or text business-related matters on personal accounts.
But for IT teams, shadow IT risk is a real concern. Use of unauthorized apps and devices can lead to:
- Breaches of network security
- Compliance concerns over data privacy
- IT being kept in the dark and being unable to mitigate threats
- Data silos preventing sharing of important information
- Wasted money on duplicate licenses.
The 9 key steps to monitor shadow IT
1. List approved services and practices
If IT is visible in its advocacy of the services, apps, and practices that it approves for use within the organization, this makes it easier for staff to make the right choices. Sometimes, the use of shadow IT by employees occurs because they just don’t realize there is a sanctioned solution.
This requires some work by IT to make it a streamlined and user-friendly experience for employees that are often tempted to use shadow IT because it’s an easier process.
Consider setting up a central portal of apps where employees can search for a solution that they can download and use immediately. In addition, by setting out policies for best practices when sharing documents and files, for example, you can prevent some risky behavior in these areas.
2. Use shadow IT discovery tools
One of the problems with shadow IT is that it exists in a blind spot for the IT department. What you cannot see, you cannot control, and not having control over something like this within the company’s network could be very dangerous.
Vaultry searches your network to discover shadow IT and help you gain the level of visibility that you need. According to a recent survey by Entrust Datacard, 77% of IT professionals say that shadow IT will become a large problem for organizations by the year 2025 if left unchecked.
3. Monitor all apps and their usage
Monitoring the apps on your network is essential. This doesn’t just mean logging which apps you know have been downloaded; it involves digging down and seeing which apps are active and how much they are being used.
Use Vaultry to track the usage of every device within your organization and understand the threats that shadow IT is bringing to your business. You need to understand which programs people are using, when they are using them and how they are using them. This is the only way to gain a complete view of shadow IT within your business.
4. Protect your approved applications
You have the most control over your approved applications, and that means that you can protect them and their usage by employees. Adjust the security settings to their highest possible level, requiring users to undergo multi-factor authentication (MFA) before they access the apps, for example.
You can limit which devices people can use to access the programs as well as the locations in which they can access them. This, for example, helps prevent bad overseas actors from tricking their way into your systems. Website and app tracking programs also monitor employee app usage, which helps you pinpoint the sources of any attacks.
5. Engage and educate your employees
Communication with employees is absolutely essential to work together to reduce the use of shadow IT. They may genuinely not realize the potential problems with using unsanctioned software or their own devices.
IT departments should work with employees to inform them of the dangers of shadow IT and help them understand the frailties it can bring to the network.
In addition, they might not know that there is an IT-approved solution for the problem they used shadow IT to tackle. If there is, you must signpost it and promote its use. Or, there might already be a company-owned license of a product that they have signed up for separately.
6. Create policies for cloud app usage
Cloud apps are a common element of shadow IT. They enable easy sharing between team members, which makes tools like Google Docs so popular. However, they can also open up a vulnerability in your network.
This is a reason to ensure there is a strict policy over using cloud apps at work. Necessitating password protection, MFA, and only sharing with members of your organization are all ways to reduce the risk of using these programs. You might also want to restrict the devices on which employees can use these apps to those owned and monitored by the company.
Make sure these policies are communicated to employees and enforced.
7. Track recently accessed shadow applications
If there is a lot of activity surrounding a certain application, that could suggest that there is an ongoing attack. This is why it is key to keep an eye on the access activity in your logs.
As there are potential vulnerabilities caused by unauthorized downloads and other programs, you need to be alert to these kinds of threats, bot attacks, and malware activity. If there are many different users trying to access the same program, you can take steps to remove it from your systems.
8. Automatically block unsanctioned apps
Another way to try and eradicate the threat of shadow IT is to block any app on your system that is not featured on your list of approved programs. Set in place an automated process to remove anything that is not on your IT whitelist.
9. Set up an employee feedback channel
If your employees are using shadow IT, it may also mean that they don’t have an easy and quick way to get the tools they need from IT. Developing a feedback channel allows them to tell you directly what they need and to plead their case.
If there is a current solution, you can direct them toward it. If there is not, you can work with them to find a solution that works best for your organization and that you know to be secure and effective. If employees know there is a streamlined process to request and access the tools they need for their job, they are less likely to seek out their own, potentially problematic program.
Which security control can best protect against shadow IT?
It would be best to install preventative and detective security controls. For example, you can use software such as Vaultry to detect shadow IT apps the moment they enter your network and to identify the ones that are already in use. You can also invest in employee training as a security control to prevent the use of shadow IT and educate employees on how they can obtain the solutions they need with IT approval.
What technology falls under shadow IT?
There are four main types of shadow IT technology. They are:
|Hardware||The computers, tablets, smartphones, and other devices used on your network|
|Software||Packaged software installed on your network|
|Apps||Downloaded applications for communication, project management, and more|
|Cloud-services||File-sharing tools like Google Drive and Dropbox|
What are the financial risks of shadow IT?
The financial risks of shadow IT include those caused by attacks on your systems, the potential sanctions imposed for data leaks, and the overspending on duplicate or unused licenses for apps and other programs.
Shadow IT monitoring is essential for making sure that unauthorized programs and devices on your network do not cause damage, both financial and reputational, to your organization. Understand why your employees are using unsanctioned tools for their jobs and put in place policies to ensure that if they do this, they use this type of software in a responsible and safe way.
Vaultry is a shadow IT monitoring tool that alerts you to unauthorized items on your network that could cause you problems. You can monitor all devices in the business and take immediate action as soon as there is an alert. Get started with Vaultry today and protect your business.