Shadow IT Eclipse: Shedding Light on Unseen Risks and Solutions

Written By Karen Mesoznik

Don't get blindsided by shadow IT! In honor of this year’s eclipse, we’re examining the dark side of shadow IT and sharing tips on how security leaders can proactively minimize its risks and ensure safety within the organization.

What is Shadow IT?

Shadow IT is when an employee uses technology tools that are not approved by the IT department and without their knowledge. When departments choose to bypass IT and use applications that are not approved, the department is considered to be using shadow IT. Shadow IT, though dangerous for cybersecurity, is also often integral to the productivity of departments, but being aware of IT operations is crucial for compliance with regulations. 

Shadow IT comes with many challenges and risks to cybersecurity. The use of third-party products without proper security measures in place is dangerous and yet impossible for CISOs to protect against because they can't protect what they are not aware of. While this is a real struggle, the reasons for the existence of Shadow IT are valid. Digital transformations and unmet technology needs cause employees to want to adapt and expand on their own. If relevant technological tools are not part of the approved tools or services a Shadow IT is likely to emerge. With shadow IT comes a lack of awareness and supervision. In the event that the apps that are being used without permission are breached, the CISO would not be aware that the organization is at risk.

How to Handle Shadow IT

Monitor Inventory

The inventory of approved technology tools is not static. It is like the cybersecurity space: ever-evolving and in need of constant monitoring. It's important to periodically assess the apps’ risk level and add new apps to keep the inventory up to-date and contemporary/relevant. When assessing the inventory, consider which apps have become redundant or unreasonable. Also, see if there are any gaps. Comparing the inventory with results from network discovery tools can help with this. 

Rank Inventory

Some tools have more access than others. Some have more use cases or risks attached. When a CISO is ranking the inventory they are creating a priorities list. The priorities would be the apps with the most access to information with high sensitivity, use cases that are integral to business function, and associated risks that are most impactful. CISOs can make these priorities safer and more highly monitored than other apps which will help prevent intense risks and save the team from being overwhelmed.

Investigate Constantly

Track network firewall activity, intrusion detection, and intrusion prevention systems, to gain a picture of the network traffic and identify anomalies. Additionally, CISOs can detect unknown IP addresses with network sniffing programs. To go the extra mile, consider running penetration tests. At the data center, CISOs can employ surveillance equipment and review access logs to look for evidence of shadow IT.

Have a Polished Process

If the process for requesting and adding new apps is tiring, unspecified, or obscure, some people may look for ways to avoid it and stumble into shadow IT. Make sure the process is polished and guided so that employees feel welcome and encouraged to request apps.

Empower with Education

Especially with Hybrid employees, it's important to give them the information they need to be compliant and avoid risk. With more information, they will feel more confident with their cybersecurity awareness and comfortable with sharing ideas for innovative uses of tools with the IT department. Training can encourage employees to not use shadow IT by explaining what it is and its repercussions.

Inform Senior Management

Use metrics to track employee training and awareness so there is accurate and objective data to report. It's important to have support from senior management so keeping them updated about the shadow IT status should be a part of regular meeting agendas. Updating includes review and approvals for new policies and changes to old policies.

Conclusion

For devices that are known, CISOs can use technology to analyze their coverage, but CISOs should assume that shadow IT is in use and prepare for it. Being proactive can minimize risks and ensure safety within the organization.

Karen Mesoznik
Previous

Tactics and Metrics CISOs Can Use To Drive and Measure Cyber Security-Aware Behaviors Throughout Their Organization
Next

Three Ways (Not) to Manage and Report on Your Cybersecurity Program