What is shadow IT?
Shadow IT typically happens for the best of reasons.
Perhaps one of your employees downloaded a trial, or a free version of software, to see if it would work in their department, or because they wanted to improve their own performance (perhaps a productivity app, or a grammar-checker). Sometimes, after investigating a software package, it isn’t uninstalled—it’s very easy to move on and try the next one.
Maybe they set up an account with an online data storage provider (such as Google Drive) to make it easy to share information with a colleague, or with a messaging platform (such as Slack) for work-related communication. Or they use their own device to get a task completed quickly.
Perhaps one department buys and deploys software for their internal use, while another department has selected a different product that does a similar thing: one uses Trello, and another Asana.
This is shadow IT—software (or devices) being used by someone within a business without explicit approval from IT. It could be a software application, hardware (including IoT devices), cloud services or employees’ personal devices.
This is a problem because it means that the business has lost track of what software they are using, and for what. The consequences could include:
- Reduced efficiency and collaboration, if people are using different formats.
- Extra costs (multiple licenses and no bulk discounts—even sometimes ongoing payments for something that is no longer used).
- Additional security risk.
What are the security risks with shadow IT?
Shadow IT brings both risk and benefit. Some of the possible security risks with shadow IT are:
- Customer data may be stored within an undocumented application or device that is not secured, with a risk of data leakage or theft.
- That data might not be backed up anywhere else, risking data loss.
- The application (or device) may not be adequately secured when initially installed.
- Software may not be regularly updated with security patches (particularly if downloaded and then abandoned).
- Software may contain malware.
- Third parties supplying or maintaining the shadow IT may have access to critical data.
- Someone might use personal credentials to set something up, for speed—thereby blending work and personal credentials.
- The shadow application, even if only intended for local use, might become integrated into the technical environment, extending the security risk to the rest of the environment. It’s very easy to connect two apps, whether intentionally or not.
There are potential benefits, though, of allowing your staff to find the tools they want to use:
- Free, or low-cost, services can reduce cost to the business.
- Selection of intuitive applications can improve communication and collaboration.
- Identification of a better tool for the job.
- Efficiency can go up with faster access to resources (no waiting for approval and admin processes).
What to do about shadow IT?
Shadow IT is very likely to appear within any business involving more than one person. And even if you are a sole trader, you can easily end up with unused software and devices.
To reduce the security risk, we recommend:
- Regular audits of what is in place. If you have the budget and the manpower, there are tools available to identify and track devices and applications, but you can do this manually. See our recent post on asset inventories
- Don’t forget to review budgets and purchases, as this might reveal shadow IT (historic and planned).
- Training for all employees on the reasons behind your policy requiring IT approval of software. If people understand why it matters, they are more likely to follow the policy.
- No policy yet? Put one in place, covering both shadow IT and BYOD (bring your own device).
- If you find shadow IT, ask why your staff are selecting software for themselves—what is it that they need that isn’t being provided? Do they need training in the authorised software?
- If possible, speed up the approval process for new software—and consider integrating (and securing) the shadow IT you’ve unearthed, if that turns out to be the best tool for the job your staff are doing.
Need more information and advice on this, or any other cyber security issue? Contact the Click and Protect team on 0113 733 6230, or contact us via our website form here.