The ongoing Covid-19 pandemic outbreak has compelled the enterprises to adopt a series of unprecedented changes. Concerning employee’s health, the enterprises across sizes have primarily switched to work-from-home (WFH) practices. The noticeable changes are coercing the businesses to rapidly adopt new digital tools and Cloud-based services to outshine the ongoing crisis and get an edge over competitors.
The ongoing pandemic has also forced the enterprises to embrace the Bring Your Own Device (BYOD) policy. Thus, allowing many of its employees, consultants, and third-party service providers to access the enterprise services and data remotely via their personal home computers, iPad, or smartphones. The new working environment has also forced employees to log into the enterprise sites remotely, access sensitive data, and utilise various Software-as-a-Service (SaaS) tools.
Though such policies seem pertinent during the period, it creates numerous challenges for the information security teams regarding the increasing Shadow IT practices.
What is Shadow IT?
Though Shadow IT is still mostly unfamiliar, many employees practice it every day for myriad reasons and help it become a phenomenon. In easy words, Shadow IT involves devices, services, and other solutions used by individuals or groups of employees inside the organizational ecosystem without the necessary approval from the concerned IT or IS department.
The Shadow IT practices gain popularity in an organisation primarily for dodging the stodgy IT department to get the job done on time while undermining the security concerns. Interestingly, many employees practice Shadow IT with good intent, and it boosts productivity. But on the other side, it can also invite a severe threat to enterprise data security.
The hidden risk factors in the Shadow IT are helping it up and running in most of the enterprises around the globe.
Shadow IT and Covid-19 Pandemic
The prevalence of Shadow IT has become ubiquitous, especially during the Covid-19 days. The enterprises, not enough prepared to offer the necessary platforms for work and integration, Shadow IT is bound to happen, especially on the small and medium scale businesses. Employees nowadays use many SaaS apps and personal devices with undeceiving intentions. The usefulness and ease of such platforms and devices help them reach their target goals. However, many of such apps and devices also make them fall prey.
For instance, an employee could download a video converter, image editor, or any other useful-looking app on an enterprise device. Such an unsanctioned app could bring in any security risk which the employees are completely unaware of.
A group of employees using a Cloud-based team management service for tracking the team activity without informing the CSO could be identified as Shadow IT practices. On a similar note, employees using third-party Cloud-based file-transfer services for sharing files without necessary approval also comes under Shadow IT.
Such unknown resources could lead to a data breach, malware attack, or accidental shutdown of the entire network.
Shadow IT could also happen in an enterprise is because of-
- Countless enterprises haven’t offered any necessary training to their Work-From-Home (WFH) forces to detect the security risks and stay away from such looming threats.
- Enterprises, especially the small and medium businesses, are still dependant on freely available third-party apps for video conferencing. More importantly, such enterprises haven’t introduced any security policy regarding video conferencing apps or managing their Personally Identifiable Information (PII).
- Employees working from home without adequate knowledge concerning cyber hygiene often use similar passwords or reuse their old passwords for business applications or accounts. These unsafe practices could lead to a horror story that the company isn’t prepared to encounter.
- Numerous enterprise employees access sensitive enterprise data via personal devices. Ironically they also use the same device for their leisure or accessing social media accounts. Any social engineering attack could quickly accommodate a perpetrator to get into the enterprise network.
- Many enterprises haven’t offered any essential security software to the employees, which could safeguard their devices.
Shadow IT instances
Modern Shadow IT application and hardware doesn’t leave any footprint on the enterprise network, which makes it difficult to track or measure the risk levels associated with it. The popularity of software-as-a-service (SaaS) has also helped the problem manifold to a different extent. However, the most commonly practised Shadow IT services identified as Cloud Solutions such as file transfer and storage, Office Macros, PDF tools, Business Intelligence (BI) systems, websites, ERP solutions, Shadow IT projects, and hardware.
A few latest Shadow IT examples could be productivity or team management apps such as Asana, Trello, Podio, and ClickUp, communication, and third-party cloud storage such as DropBox, Box, and personally owned Google Drive. Installing messaging or social apps such as WhatsApp, Instagram, VOIP apps, Skype, or connecting personal physical drives on corporate devices are also shadow IT practices.
Impact on the Enterprises
The Shadow IT process makes the job easy for the threat actors to execute a malicious attack or a data breach. By practising Shadow IT, the employees or third-party contributors could help them doing it knowingly or unknowingly. Users sometimes download malware riddled apps, grants critical system authorisation to many SaaS applications, or store/share data via external cloud services without consent. Using non-sanctioned devices could also introduce vulnerabilities to the enterprise infrastructure and are extremely difficult to find. Any such execution could leverage a massive data breach or malware attack, which could hook the targeted enterprise for millions in recovery costs.
The most common risks shadow IT could introduce to an enterprise as follows:
- Unauthorised software and hardware in a network could threaten the Software Asset Management (SAM) policy of an enterprise. And it could lead to losing track of all the existing software and corresponding licensing information.
- With the introduction of new regulation policies such as the General Data Protection Regulation (GDPR), enterprises in many countries are compelled to adhere to a periodic infrastructure audit. Shadow IT practices make the process extremely difficult to follow.
- Shadow IT applications, services, and hardware also challenge the existing configuration management database (CMDB) of an enterprise.
Solutions to sway away Shadow IT
- The concerned IT or IS department should immediately start tracking the network and email traffic of the popular collaboration platforms. For instance, a company using Office 365 suite could look for data sharing platforms like Dropbox, communication tools such as Slack, or Cloud storage like Box.
- The IT or IS team should also inform its employees concerning the Shadow IT threats and get in touch with the CXOs to meet the demands of any working group. The team should also look into the practices of Shadow IT users and their data storing and sharing habits. They should address the pressing concern and avail safer substitutes to meet their demands.
- The Enterprises should also spread the necessary cybersecurity education to its remotely working employees regarding SaaS applications and video conferencing platforms.
- Companies should embrace an appropriate endpoint protection cybersecurity suite such as K7 Enterprise Security Solution and employ it on all their remotely working employee’s devices.
- The K7 Enterprise Security suite for Cloud comes with cloud console, remote deployment, enterprise-class malware protection, expert support, and many more.
Join the upcoming K7 Computing webinar to learn how to reconcile Shadow IT related problems.
Topic: Combatting Shadow IT in the Enterprise Segment
Date& Time: September 30, 2020 | 11.30 AM – 12:30 PM
Speaker: Mr Vittal Raj R, Director, Pristine Consulting Private Limited & Former International Vice President, ISACA
Webinar discussion points:
Introduction to Shadow IT – Organisational Risk vs Agility
Real-world examples of how Shadow IT can impact an organisation
Risk Mitigation steps for Enterprise IT teams
Risk Mitigation steps for End Users
Recovering from a cyber-incident caused by Shadow IT