When employees at your company use software, apps, and devices that the IT department has not sanctioned, this is referred to as shadow IT. Although these solutions might be more familiar and comfortable to your employees, they can bring vulnerabilities to your network and lead to substantial financial and reputational losses. And this is why we created this shadow IT security checklist. It’s a good place to start when you need to protect your business.
In the 12 months to September 2022, there was a 7% increase in cyberattacks on US businesses, with 47% of companies in the country reporting an attack. It is not surprising that IT professionals reported they were more concerned by cyberattacks than any other form of risk. A total of 46% said that they were their primary worry, beating the pandemic (43%) and skills shortages (38%).
Why is shadow IT difficult to manage?
IT departments have no visibility on the software and hardware solutions that employees use away from those that they approve. This means that you have no idea who is using which programs and where the vulnerabilities are. Without this oversight, it is more difficult to predict and prevent threats to the security of your organization.
You lose control of your protection efforts because you cannot be sure what you need to do to keep the company safe. You might find yourself having to be reactive to threats instead of being able to be proactive.
With no direct way of managing shadow IT, the chief information officer (CIO) and their team cannot ensure that everyone is using the latest and most secure updates or that they have patched any fixes that are required to prevent weaknesses in the system.
Shadow IT security checklist
- Categorize shadow IT risks
There is a range of security risks related to shadow IT. Being able to identify these risk areas provides a breakdown of the types of protections you should have in place to secure your network.
Here are some examples of shadow IT security risks you might encounter:
|Phishing||When using unapproved systems, your employees are more likely to be targeted by phishing scams. An example is that your corporate email will have robust spam filters in place. However, if a user carries out work on your network using a personal account, there is a chance they will receive emails that impersonate third parties. This may trick them into entering their work login credentials and allowing bad actors to gain access to your systems.|
|Weak credentials||Whereas your sanctioned internal tools will require multi-factor authorization (MFA), cloud apps and other shadow IT do not necessarily have this stipulation. This creates a vulnerability in your network that could lead to unwanted exposure.|
|Malware||Downloading programs from unapproved sources can lead to malware infecting your network. Employees could attempt to install apps and other software in good faith but from unofficial sources, such as torrent sites. This can then spread throughout your organization.|
|Data security||When using shadow IT tools to deal with company data, you make that data more vulnerable to falling into the wrong hands. For example, keeping order details on a personal Google Sheets document means it is not protected by your corporate IT protocols and, therefore, at risk of being compromised. In addition, if an employee holds data like this and then resigns or is dismissed, they may retain access to or even control over the data. This could be a severe compliance issue.|
|Data policy contravention||When employees store data outside of the company’s systems, it can fall outside of the business data policy’s requirements. If you require it to be encrypted, archived, and backed up, these processes may not occur in line with the methods required by your organization and will, therefore, not be secure.|
- List your applications
Perform an audit to see exactly which cloud software and other shadow IT applications are in use on your system. Only when you completely understand the scale of the issue can you hope to stay in control of it.
You could arrange an amnesty of shadow IT programs, where staff inform you about the unsanctioned software and devices they use. Another option is to use a solution that monitors your network for unauthorized shadow IT.
You then have the choice to remove all of the unsanctioned items, to approve some, or to allow all to remain. This will depend on your risk assessment. Make sure you audit shadow IT usage regularly and compare lists to see which programs and devices have been added in the intervening time. This allows for a more accurate view of the situation.
In addition, look into how users interact with apps, how many times they log in and when they renew. Analyze how this activity changes over time too. Were there many logins initially, and then the activity petered away? If so, you could probably remove this form of shadow IT without issue.
- Identify the unmet need
As a result of these audits, you can analyze the shadow IT used in the organization and gain an understanding of why employees feel the need to stray from the tools that you provide.
The fact is that shadow IT use is rarely a malicious attempt to sabotage the company. The reason why users turn to alternative solutions is that there isn’t (or they are not aware that there is) a suitable authorized program that fits their needs. Usually, there is a sanctioned tool, but it is complicated to use. The shadow IT solution is quicker and more efficient than the internal program or any number of other reasons.
Think about the needs of employees in your business that your solutions are not meeting. Why is that, and what can you do about it? Ask them what would make their lives easier and work towards fulfilling these requirements. Don’t just guess and offer a suite of solutions based on assumptions.
- Update your file-sharing policies
The best way to ensure users understand their obligations with regard to activities such as file sharing is to be explicit and spell it out in a designated policy. Employees might not even be aware of the implications of using shadow IT to collaborate with files. So, they could easily allow access to bad actors or contravene regulations on data protection.
Let users know what is expected of them with your approved procedures and inform them of the sanctions that could be imposed for contravening these conditions. This is essential to ensure your systems remain secure and compliant.
- Secure remote access
The COVID-19 pandemic caught many businesses unprepared. Those that did not offer secure remote access to their networks suddenly had to send employees home. As a result, workers often turned to mixing shadow IT with official solutions in a way that presented security risks.
Working from home is still popular post-coronavirus restrictions and is not showing signs of going away. So, if your employees’ remote access is not secure, any shadow IT that they use could pose security threats. Ensure you address this vulnerability as a matter of urgency.
- Improve end-user device security
No one likes it when their personal devices tell them they need an update. It takes time when they could be working and disrupts their day. Unfortunately, ignoring updates and patches can lead to vulnerabilities in the system that could be exploited by criminals.
Shadow IT complicates this even further, as you won’t have oversight of the status of the users’ own devices. Ensuring employees only access the network using secure devices helps to protect your business from attacks.
How to engage employees in shadow IT prevention
- Prepare a list of approved apps and services that users can access through their work devices. Being able to see what is available and sanctioned by IT makes it more likely that the user will use an approved solution rather than a shadow IT alternative.
- Educate employees on the risks of using shadow IT. They may genuinely not understand how their own solutions could lead to weaknesses in your security protocols. Training on why all users should stick to authorized programs is essential.
- Change the culture within the IT department. Often it is easy to turn down requests straight away and be inflexible. This could simply lead to employees picking their own solutions in defiance. Work with employees, understand their needs, and try to meet them in a way that allows you to monitor and secure the tools they use.
Should you embrace shadow IT?
There is an argument for embracing shadow IT, as it can be difficult to eradicate it without the right tools. However, it is difficult to control people’s usage of unsupported solutions. A better option is to listen to users’ needs and try to serve them with authorized tools.
How often should you do a shadow IT audit?
The frequency of your shadow IT audits depends on the state of shadow IT within your organization. If an audit shows that there is mass usage of shadow solutions, you might want to consider auditing on a more regular basis to keep a close eye on these solutions and the consequences of their usage.
Why is it difficult to secure SaaS and web apps?
SaaS and web apps are not integrated into your systems, so you are relying on their own internal reporting and auditing systems to ensure that they are safe for your organization. The security protocols are often less stringent than you would demand of your internal solutions.
We hope this shadow IT security checklist will help you protect your network against the risks that shadow IT creates for businesses. By working with employees to provide practical solutions to their work needs and educating them on the risks of shadow IT and your approved systems for mitigating those risks, you can prevent many of the consequences of shadow IT.
In addition, keeping an eye on your network to identify unauthorized technology that could cause damage to your business is essential. Vaultry handles this task for you, monitoring all connected devices and alerting you to unsanctioned tools that you can remove before they cause a problem. Get started with Vaultry and reduce the risk of shadow IT.