Bypassing the IT department to implement software solutions for work is not a new phenomenon. Known as shadow IT or rogue IT, it refers to any software used that doesn’t have the explicit permission of the IT department. Unfortunately, this can lead to a host of shadow IT problems that can affect the business in a range of ways.
Pre-Covid, Gartner reported that 47% of business unit leaders selected their own unauthorized applications because they felt that they had a better understanding of their requirements than IT. But during the pandemic, this adoption of utilizing unauthorized third-party software increased even more dramatically, as employees worked remotely and without access to all of the tools usually available on the office network. This article explores the potential issue of this method of working and how to avoid shadow IT hazards.
Why do people use shadow IT?
There are many reasons that business units and even individuals use unauthorized third-party applications for work purposes. These include:
|It can take a long time for a software request to be approved and installed by the IT department.
|Dissatisfaction with the employer-provided tools
|In-house solutions might be buggy or not integrate effectively with other programs they need to use for work.
|Different departments understand their own needs and requirements better than anyone else, including IT. Rather than having to plead the business case, they take matters into their own hands.
|Challenges to remote support
|When people work from home on their own network and often with their own hardware, it can be difficult for IT to offer full support. This leads to them finding their own solutions.
|Bring Your Own Device
|Instead of having separate devices for work and home, employees often prefer to have one device for all tasks. This makes companies feel obliged to allow a Bring Your Own Device policy in order to prevent them from leaving for businesses with more flexible policies. However, this means that employees have work-related apps alongside unauthorized programs.
|Frankly, one of the benefits of shadow IT is that it is so easy nowadays. There is a multitude of cloud-based software as a service (SaaS) solutions available to help with all aspects of work on a subscription basis, providing more opportunities for employees to use them in their daily work life.
The most common sources of shadow IT
There are four broad categories of shadow IT. The majority of the unauthorized programs used in workplaces today fit into these groups:
|Examples of shadow IT
|Internal file-sharing programs can be configured to offer high-level security that using solutions such as Google Drive and Dropbox do not offer. However, many employees will use these commercial options in their personal lives and be comfortable with them and their features.
|Whenever you share important business information on a third-party app such as WhatsApp or Facebook Messenger, you leave yourself open to leaks. However, they are the tools that employees use for other communications, so it is second nature to carry out business over these channels.
|Tools for collaboration, productivity, and project management like Asana, Slack, and Basecamp are great for keeping work on track and often come with free versions that are ideal for small teams to utilize. However, they do not provide the security that comes with an IT-developed solution specifically designed for the job.
|The use of personal email accounts for work purposes is more and more common as the number of remote workers increases. This could be done accidentally via the mail app on their phone or laptop, which handles both types of email. Alternatively, it could be because they can only access work email through a browser, and it is more convenient to email from their mail program where their personal email is already active.
Shadow IT problems and risks
Data loss and data leaks
Using unauthorized software means there are security gaps that IT does not know who is using which programs and can struggle to successfully defend the organization against external threats. This can lead to attacks that result in data loss and leaks from within the organization.
When employees run business-sensitive content through an app that IT has no control over and often no knowledge of, there is a chance that the data could land in the wrong hands. These apps can be vulnerable to hackers, especially if the user’s login information does not meet IT’s standards for its internal systems.
Employees can also accidentally leak information by setting the wrong sharing preferences or tagging an external user by mistake.
Unpatched vulnerabilities and errors
Inside a business, it is the responsibility of the IT department to ensure all software is up-to-date and functioning correctly, patching any vulnerabilities that are spotted or that the manufacturers of the software alert to.
When users within the company use products that IT does not know about, it cannot be fully satisfied that it has successfully patched all weak links in its security protocols.
If users do not immediately update to the latest version of the shadow IT programs that they use, they leave the entire corporate network open to attack and abuse.
Only authorized personnel should have access to the data collected, stored, and processed by the organization. Any breaches of this security can lead to huge reputational damage for the company due to the privacy issues that it raises.
In addition, it could place the business in breach of legislative and compliance obligations in many jurisdictions, such as the Federal Trade Commission Act in the US and the General Data Protection Regulation (GDPR) in the European Union. This can lead to punitive financial sanctions and even prosecutions, depending on the outcome of the attack.
Using programs that are not verified can lead to third parties accessing the company’s IT infrastructure, and the results can be extremely damaging to the business.
Another problem with providing access to data to unauthorized users is that you lose control over who can change business-sensitive data on your systems. This can be a deliberate malicious act or accident due to people who find themselves in a position to affect data because of a vulnerability in the system. In any case, changing the information can have disastrous results.
This can lead to employees being deployed to incorrect and potentially dangerous locations, misdiagnosis of patients, massive over or underordering of products, and many other situations that are detrimental to the business and its people.
Introduction of viruses into the system
The dangers of a computer virus making its way into your organization’s IT systems cannot be overestimated. Cox Media Group (CMG) was the victim of a ransomware attack in June 2021. It stopped the company’s live broadcasts on TV and radio and left the data of 800 individuals vulnerable, with the attackers demanding money to remove the virus from the company’s servers.
The use of shadow IT can increase the risk of similar incidents caused by employees downloading infected attachments from external email accounts or any other vulnerability in shadow IT that hackers might exploit.
Another issue with using shadow IT for work tasks is that it does not feed into the company’s main reporting channels.
This can make monitoring and data analysis on the functions of the business difficult. Without accurate insights on performance, due to some of the outputs being hidden from the main IT systems, the company cannot accurately identify and address problems with workflow or other systems.
The result is less efficient processes that affect the company’s bottom line negatively.
Shadow IT can prove expensive. IBM estimates the average cost of a data breach is around $8 million. Just one of the many financial risks of shadow IT.
There are a number of financial risks of using shadow IT. As mentioned above, there is the potential for sanctions for data breaches, ransom demands by malicious actors, and inefficiencies within the business.
In addition, using shadow IT can see multiple departments spending money on running apps that offer functionality overlapping with the official IT-sanctioned solutions. This is a waste of money for the business.
More potential points of failure
The more different unauthorized apps used in an organization, the more vulnerabilities there are and the more points of failure there are for your IT security.
This means that the IT department is constantly firefighting and searching for more software that needs monitoring, securing, and updating. This makes managing shadow IT extremely time-consuming; it can be nearly impossible to close every possible route through which a malicious actor can access the network.
How shadow IT tools can help
A shadow IT tool monitors your systems to alert you to threats on every device that is connected to it, creating a line of defense against the vulnerabilities of shadow IT. This saves time and manual effort from the IT function and helps you keep a virtual eye over the activity on your internal systems, regardless of whether your users are utilizing approved programs or rogue IT.
Shadow IT platforms send you alerts as soon as a vulnerability arises, which means that you can nullify it before it exposes the company to damage.
Does BYOD increase the risk of shadow IT?
When employees carry out work on their own devices, there is an increased risk of shadow IT being used for company business. The user will often have their personal email and favored apps on the phone. This makes it more convenient for them to use solutions such as Dropbox to share files rather than company-approved programs.
What is shadow infrastructure?
Shadow infrastructure is the use of a range of shadow IT for a project without the knowledge or permission of the IT team.
What is shadow IT discovery?
Shadow IT discovery is the practice of employing tools to monitor your IT systems and detect the use of shadow IT by users. This allows you to identify vulnerabilities before they cause issues for the organization.
For all the benefits that using third-party software offers to users, such as speed of implementation and convenience, there are real shadow IT problems that stem from this. It is very difficult for IT departments to manually monitor the threats and to ensure that all software is secure.
Thankfully, shadow IT monitoring platforms like Vaultry can perform this task automatically. It monitors your systems and provides alerts on unofficial software that allows IT to protect the business more effectively. Learn more about Vaultry.