Posted on Nov 2, 2015
The shadow information technology (IT) services provided by unknown third-party vendors introduce multiple risks. Any time data is moved to a vendor or accessed outside the corporate network by a third- or fourth-party, the risk of loss increases.
Companies have, in one sense, lost control of IT. A Forbes article reported that 40% of IT spending is no longer directed by IT. This loss of control is not only a budget problem; it is a problem of strategic vendor risk management and of data security.
The scope of third-party services used as shadow IT is broad. Shadow IT includes:
A history of being told ‘no’ by security professionals is partly responsible for the rise of rogue or ‘shadow’ technology implementations. Balancing business needs against security is never an easy negotiation, but a complete lack of IT security staff involvement is not the path to success either. Risk-based approaches are needed to weigh business requirements against the impact of data loss.
The first step in managing third-party vendor risk is to perform due diligence before signing contracts with the vendor. Due diligence, however, takes time. Departments like Human Resources, Sales, Marketing, and many others take advantage of shadow IT because it is quick and easy to purchase and deploy. Often there are no traditional contracts, just online terms-of-service agreements that users click through without reading.
Symantec reported in 2013 that 40% of companies with shadow cloud deployments had confidential data exposed. Here’s how: the third-party vendor may be:
Even when cloud providers are approved, ensuring compliance with corporate policies is difficult, but at least approved providers can be audited. There are no audits of unapproved third-party vendors. They may or may not:
If there is a lawsuit, data that resides on shadow IT servers may be outside the scope of e-discovery.
Using shadow IT introduces threats to business continuity, because there may not be any provision to recover data if the third party vendor ceases operations. Backups may not be taken or stored according to standards. The lack of service-level agreements (SLA) to guarantee uptime and availability can have an impact on routine operations.
Change control issues also affect continuity; integration and compatibility of corporate applications with the versions used by the third-party vendor are not assured. Because IT does not know about the shadow IT providers, these vendors cannot be included in annual disaster recovery tests.
The only way to manage the risks of shadow IT is to bring it out of the shadows. Because you cannot perform vendor risk management if you do not know who your vendors are, the first step is to identify the shadow IT services being used by all departments. Network monitoring tools can identify newly connected devices. Firewall, proxy and other log files can reveal which cloud services are being used. Newer technologies like SecurityScorecard allow IT security staff or vendor risk managers to quickly obtain an outside-in perspective on the security risk of any company.
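To make the log-based discovery step concrete, here is an added example (not code from the original post or from SecurityScorecard) that reads outbound proxy/firewall log lines, collapses each destination host to its registrable domain, and reports every domain that is not on an approved-vendor list, ranked by bytes sent out. The log format (a constructed "timestamp client_ip dest_host bytes_out" layout), the sample lines and the allowlist are all made up for illustration; a real deployment would substitute its own log parser and vendor inventory.

```python
"""Added example, not from the original post: flag cloud services seen in
outbound proxy/firewall logs that are not on the approved-vendor list.

Assumptions (not from the page): the constructed log format below
("timestamp client_ip dest_host bytes_out"), the sample lines and the
allowlist are all made up for illustration.
"""
from collections import defaultdict
import re

# Constructed sample log lines (not real traffic). One line is deliberately
# malformed to show that the parser skips rather than crashes on it.
SAMPLE_LOG = """\
2015-11-02T09:01:12 10.0.4.21 mail.corp-approved.example 1820
2015-11-02T09:02:44 10.0.4.21 app.filedrop.example 504211
2015-11-02T09:03:01 10.0.7.9 api.crm-tool.example 20933
2015-11-02T09:03:15 10.0.4.21 cdn.filedrop.example 77
2015-11-02T09:05:40 10.0.7.9 app.filedrop.example 880122
2015-11-02T09:06:02 10.0.2.2 www.corp-approved.example 3100
malformed line that should be skipped
"""

# Hypothetical approved-vendor inventory, keyed by registrable domain.
APPROVED_VENDORS = {"corp-approved.example"}

LINE_RE = re.compile(r"^(\S+) (\d{1,3}(?:\.\d{1,3}){3}) (\S+) (\d+)$")


def registrable_domain(host):
    """Collapse a hostname to its last two labels.

    Simplification for the example: production code should consult the
    Public Suffix List so that names like example.co.uk are handled.
    """
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def parse_log(text):
    """Yield (client_ip, dest_host, bytes_out) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the run
        _ts, client, host, nbytes = m.groups()
        yield client, host, int(nbytes)


def find_shadow_services(text, approved):
    """Return {domain: {"clients": set, "bytes_out": int, "hits": int}}
    for destinations whose registrable domain is not in `approved`."""
    report = defaultdict(lambda: {"clients": set(), "bytes_out": 0, "hits": 0})
    for client, host, nbytes in parse_log(text):
        dom = registrable_domain(host)
        if dom in approved:
            continue
        entry = report[dom]
        entry["clients"].add(client)
        entry["bytes_out"] += nbytes
        entry["hits"] += 1
    return dict(report)


def rank_by_bytes(report):
    """Order unapproved domains by bytes sent out, largest first, so the
    destinations receiving the most corporate data are reviewed first."""
    return sorted(report, key=lambda d: report[d]["bytes_out"], reverse=True)


if __name__ == "__main__":
    found = find_shadow_services(SAMPLE_LOG, APPROVED_VENDORS)
    for dom in rank_by_bytes(found):
        e = found[dom]
        print(f"{dom}: {e['hits']} hits, {len(e['clients'])} clients, "
              f"{e['bytes_out']} bytes out")
```

Ranking by outbound volume rather than hit count is deliberate: a file-sharing service that receives a few large uploads is a bigger data-loss concern than a status page polled every minute, and it lines up with the later advice to prioritise the data at highest risk.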
Tip for SecurityScorecard Customers: Type a website address into the platform to perform an instant security audit and retrieve detailed security-risk information, without intruding on the vendor’s systems.
Once you've identified the shadow IT vendors, speak with the business organizations to understand the business need that each service meets. Evaluate the risk of using the service, and either approve it or work with the department to select an approved alternative and safely migrate to that vendor. Because the list of shadow IT vendors is likely to be long, identify the data at highest risk and prioritize regaining control of it first.
After these steps are complete, there should not be any shadow IT providers. But that will only be temporary; you will need to continue monitoring usage and work with departments to meet their computing needs in an approved way. Organizations should:
Despite the dangers shadow IT introduces, in one sense companies should be grateful for it. Shadow IT exists because employees want to do the right thing: they want to get their work done, and they need technologies that speed up manual processes, enable easy collaboration, or simply make work easier and less expensive. Companies face a much bigger challenge if their employees do not care enough to break the rules to make that happen.