Posted on Aug 23, 2021
Everything connected to your network poses a security risk. Every application on every device poses a threat to that device, which in turn raises your organization's overall risk profile. Ultimately, organizations need visibility into all users, applications, and devices on their networks. Whether it arises from employees using personal devices or downloading applications to corporate devices, shadow IT is becoming a bigger problem for organizations. To enhance your security posture, you need to understand what shadow IT is, the risks it creates, and how to mitigate those risks.
Shadow IT is broadly defined as any information technology systems, devices, applications, and services outside traditional IT department procurement processes and approval. As more employees use personal devices and organizations adopt cloud-based applications, shadow IT risk increases.
Examples of shadow IT include:
While “bring your own device” (BYOD) policies offer some level of protection, remote work changes a company’s ability to control the devices employees use to do their jobs. Additionally, even for organizations whose employees use corporate devices only, managing the applications that they install on devices or access on the internet becomes increasingly difficult.
The move to remote work increased employee need for video conferencing, collaboration, messaging, and file-sharing solutions. Employees may use shadow IT as a way to streamline work processes or work with external stakeholders.
For example, a member of the sales team is meeting with a prospect. The prospect prefers Zoom, even though your organization uses WebEx. The sales team member may download Zoom to connect with the prospect.
As part of your security and compliance programs, you need to incorporate shadow IT risks into your risk assessment process. By understanding and mitigating these risks, organizations can enhance their overall security.
Unknown devices connecting to your network and employees using business emails for web-based applications increase your security risk. You can’t mitigate risks if you have no visibility into what those risks are.
Every device connecting to your network, especially IoT devices, means another access point that threat actors can exploit. For example, research published in 2019 found more than 120,000 Internet-scale exploited IoT devices and inferred 140 large-scale IoT-centric probing campaigns. In other words, threat actors scan networks looking for IoT devices that can act as a gateway or give insight into network security.
Every account that an employee creates using their business email address increases your organization’s security exposure. For example, suppose an employee uses their business email as the login credentials for your enterprise resource planning (ERP) solution and a messaging application. In that case, they might be using the same password for both. A threat actor who leverages a vulnerability in the messaging application can now try to use those same credentials to gain access to the ERP platform.
Shadow IT increases the likelihood that your data will end up outside of your control. For example, an employee who has access to a shared drive might download a document to their device. Then, they might re-upload it to their personal cloud storage service. Every time that data moves, it “leaks” out of your systems. If the device is stolen or the personal shared drive experiences a data breach, your organization’s data is compromised.
From both the privacy and security perspectives, shadow IT increases compliance risks. First, when the organization loses control over the data, it fails to govern security appropriately. Just like you can’t mitigate the risks you don’t know you have, you also can’t prove governance over your security program when you can’t locate the new attack vectors.
Second, if you can’t prove governance over who accesses data, you can’t prove that you keep data private. For example, if you need to meet General Data Protection Regulation (GDPR) privacy requirements, you need to know where a data subject’s data resides to delete it upon request. If your employees store data on an application outside of your control or share it through a messaging application, you might not be able to comply with the data subject’s request fully.
Although managing shadow IT risk sounds overwhelming, you can take several steps to mitigate risk while enhancing your compliance posture.
The first step to reducing shadow IT is to scan your environment and network regularly. Detecting and identifying new devices that connect to your network gives you additional visibility into network security risks.
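One concrete form of that scan-and-compare step is to diff what is currently on the wire against an approved-asset inventory. The script below is an added example, not SecurityScorecard's code or its Sentinel engine: the inventory, the ARP-table snapshot (in Linux `arp -n` layout), and the OUI vendor hints are all constructed for illustration, and any device whose MAC is not in the inventory is reported as unapproved.

```python
"""Flag devices seen on the network that are not in the approved-asset inventory.

Added example (not SecurityScorecard code). The inventory, the ARP-table
snapshot and the OUI vendor hints below are all constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed approved-asset inventory: MAC address -> asset description.
APPROVED_DEVICES: Dict[str, str] = {
    "aa:bb:cc:00:00:01": "core-switch-01",
    "aa:bb:cc:00:00:02": "print-server",
    "aa:bb:cc:00:00:03": "laptop-jdoe (corporate)",
}

# Constructed OUI (first three octets) hints, used only to describe unknowns.
OUI_HINTS: Dict[str, str] = {
    "aa:bb:cc": "corporate hardware vendor (assumed)",
    "de:ad:be": "consumer IoT vendor (assumed)",
}

# Constructed ARP-table snapshot in Linux `arp -n` style; the last entry is
# an incomplete ARP resolution and carries no hardware address.
ARP_SNAPSHOT = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
10.0.1.1                 ether   aa:bb:cc:00:00:01   C                     eth0
10.0.1.20                ether   aa:bb:cc:00:00:02   C                     eth0
10.0.1.57                ether   aa:bb:cc:00:00:03   C                     eth0
10.0.1.88                ether   de:ad:be:ef:00:10   C                     eth0
10.0.1.91                ether   DE:AD:BE:EF:00:11   C                     eth0
10.0.1.200                       (incomplete)                              eth0
"""

ARP_LINE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+ether\s+"
    r"(?P<mac>[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\s"
)


@dataclass(frozen=True)
class Finding:
    ip: str
    mac: str
    vendor_hint: str


def parse_arp(snapshot: str) -> List[Tuple[str, str]]:
    """Return (ip, mac) pairs with MACs lower-cased; incomplete entries are skipped."""
    seen = []
    for line in snapshot.splitlines():
        m = ARP_LINE.match(line)
        if m:
            seen.append((m.group("ip"), m.group("mac").lower()))
    return seen


def find_unapproved(snapshot: str, approved: Dict[str, str]) -> List[Finding]:
    """Diff the live snapshot against the inventory and describe each unknown device."""
    findings = []
    for ip, mac in parse_arp(snapshot):
        if mac in approved:
            continue
        oui = mac[:8]  # "xx:xx:xx" prefix identifies the hardware vendor
        findings.append(Finding(ip, mac, OUI_HINTS.get(oui, "unknown vendor")))
    return findings


if __name__ == "__main__":
    for f in find_unapproved(ARP_SNAPSHOT, APPROVED_DEVICES):
        print(f"UNAPPROVED {f.ip} {f.mac} ({f.vendor_hint})")
```

Run on the constructed snapshot, the script reports the two `de:ad:be:…` devices and ignores the incomplete entry; in practice the snapshot would come from a scheduled scan or the switch's ARP/DHCP tables, and the inventory from the asset register the IT department already maintains.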
To ensure that only the right users and devices connect to your network, you need to enforce your identity and access policies. This process should include multi-factor authentication for users and device authentication whenever a device connects to the network.
To reduce the risk unknown applications create, start by creating “deny all” network access controls. Then, you can go back and allow the applications you trust. This will limit employees’ ability to use untrusted applications when connected to your corporate network.
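The "deny all, then allow what you trust" model can be checked against real traffic by evaluating web-proxy records against the application allowlist. The script below is an added example, not SecurityScorecard's code: the allowlist (a WebEx deployment and an internal ERP host, matching the scenario earlier on this page), the `.example` hostnames and the proxy log lines are all constructed. Any destination that does not fall under an approved application's domains is denied, so the unapproved Zoom session and a personal cloud upload surface as review items per user.

```python
"""Evaluate web-proxy log lines against a default-deny application allowlist.

Added example (not SecurityScorecard code). The allowlist, the hostnames and
the proxy log lines are constructed for illustration.
"""
import re
from typing import Dict, List, Tuple

# Constructed allowlist: approved application -> domains it may reach.
# Anything not matched here is denied; that is the "deny all" baseline.
APPROVED_APPS: Dict[str, List[str]] = {
    "webex": ["webex.example"],
    "erp": ["erp.corp.example"],
}

# Constructed proxy log lines: "timestamp user destination-host action".
PROXY_LOG = """\
2021-08-23T09:00:01Z jdoe app.webex.example CONNECT
2021-08-23T09:00:05Z jdoe erp.corp.example GET
2021-08-23T09:01:10Z asmith zoom.example CONNECT
2021-08-23T09:02:44Z asmith files.personal-cloud.example PUT
2021-08-23T09:03:00Z jdoe WEBEX.EXAMPLE GET
"""

LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<host>\S+)\s+(?P<action>\S+)$"
)


def host_matches(host: str, domain: str) -> bool:
    """True when host equals domain or is a subdomain of it (case-insensitive)."""
    host = host.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def classify(host: str, approved: Dict[str, List[str]]) -> Tuple[str, str]:
    """Return ("allow", app) for an approved destination, else ("deny", "unapproved")."""
    for app, domains in approved.items():
        if any(host_matches(host, d) for d in domains):
            return "allow", app
    return "deny", "unapproved"


def evaluate_log(log: str, approved: Dict[str, List[str]]) -> List[dict]:
    """Apply the allowlist to every well-formed log line and keep the verdict."""
    results = []
    for line in log.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # malformed line; skip rather than guess
        verdict, app = classify(m.group("host"), approved)
        results.append(
            {"user": m.group("user"), "host": m.group("host"),
             "verdict": verdict, "app": app}
        )
    return results


def denied_hosts_by_user(log: str, approved: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Summarise unapproved destinations per user: the list to review with each employee."""
    out: Dict[str, List[str]] = {}
    for r in evaluate_log(log, approved):
        if r["verdict"] == "deny":
            out.setdefault(r["user"], []).append(r["host"])
    return out


if __name__ == "__main__":
    for user, hosts in denied_hosts_by_user(PROXY_LOG, APPROVED_APPS).items():
        print(f"{user}: {', '.join(hosts)}")
```

The suffix match is deliberately strict (`app.webex.example` matches, `notwebex.example` does not), because a loose substring check would let an unapproved domain slip through the allowlist; the same evaluation logic can be run against egress firewall or DNS logs once the allowlist is expressed in terms of those records.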
Effective cyber awareness training should incorporate shadow IT risks. While most employee awareness programs focus on phishing and social engineering, many fail to educate end-users about shadow IT risks.
As part of your compliance process, you should ensure that you document all activities around managing shadow IT. This includes documentation showing:
SecurityScorecard’s security ratings platform provides easy-to-read A-F ratings that give quick visibility into your security posture. SecurityScorecard Sentinel, our scanning engine, identifies and detects all devices, including IoT devices, across your network. With the ability to detect these traditionally hard-to-manage IT risks, you can enhance your security and compliance posture.
SecurityScorecard’s security ratings platform provides alerts that help IT and security teams prioritize remediation activities to mature your security program. Our alerts also include actionable remediation steps so that your teams can more rapidly mitigate risk.