SecurityScorecard Blog

What is Shadow IT? And How to Manage It

08/23/2021

Everything connected to your network poses a security risk. Every application on every device poses a threat to that device, which in turn increases your security risk profile. Ultimately, organizations need visibility into all users, applications, and devices on their networks. Whether it arises from employees using personal devices or downloading applications to corporate devices, shadow IT is becoming a bigger problem for organizations. To enhance your security posture, you need to understand what shadow IT is, the risks it creates, and how to mitigate those risks.

What is shadow IT?

Shadow IT is broadly defined as any information technology systems, devices, applications, and services used outside the IT department's traditional procurement and approval processes. As more employees use personal devices and organizations adopt cloud-based applications, shadow IT risk increases.

Examples of shadow IT include:

  • Productivity applications: Trello, Asana
  • Collaboration or messaging applications: Microsoft Teams, Slack, or Google Chat
  • Physical devices: smartphones, tablets, Internet of Things (IoT) devices
  • Cloud storage or file-sharing services: Google Drive, Dropbox, Box, and OneDrive
  • Video conferencing applications: Zoom, Skype, WebEx, and GoToMeeting
  • Calendar applications: Fantastical, Woven, Calendar.com
  • Appointment booking and scheduling applications: Calendly, ScheduleOnce, Bookafy

While “bring your own device” (BYOD) policies offer some level of protection, remote work changes a company’s ability to control the devices employees use to do their jobs. Additionally, even for organizations whose employees use corporate devices only, managing the applications that they install on devices or access on the internet becomes increasingly difficult.

Why do employees use shadow IT?

The move to remote work increased employee need for video conferencing, collaboration, messaging, and file-sharing solutions. Employees may use shadow IT as a way to streamline work processes or work with external stakeholders.

For example, a member of the sales team is meeting with a prospect. The prospect prefers Zoom, even though your organization uses WebEx. The sales team member may download Zoom to connect with the prospect.

What risk does shadow IT cause?

As part of your security and compliance programs, you need to incorporate shadow IT risks into your risk assessment process. By understanding and mitigating these risks, organizations can enhance their overall security.

Lack of visibility

Unknown devices connecting to your network and employees using business emails for web-based applications increase your security risk. You can’t mitigate risks if you have no visibility into what those risks are.

Network security

Every device connecting to your network, especially IoT devices, means another access point that threat actors can exploit. For example, research published in 2019 found more than 120,000 Internet-scale exploited IoT devices and inferred 140 large-scale IoT-centric probing campaigns. In other words, threat actors scan networks looking for IoT devices that can act as a gateway or give insight into network security.

User access

Every account that an employee creates using their business email address increases your organization’s security exposure. For example, suppose an employee uses their business email as the login for both your enterprise resource planning (ERP) solution and a messaging application. They might be using the same password for both. A threat actor who leverages a vulnerability in the messaging application can then try those same credentials to gain access to the ERP platform.

Data loss or leakage

Shadow IT increases the likelihood that your data will end up outside of your control. For example, an employee who has access to a shared drive might download a document to their device. Then, they might re-upload it to their personal cloud storage service. Every time that data moves, it “leaks” out of your systems. If the device is stolen or the personal shared drive experiences a data breach, your organization’s data is compromised.

Compliance

From both the privacy and security perspectives, shadow IT increases compliance risks. First, when the organization loses control over the data, it fails to govern security appropriately. Just like you can’t mitigate the risks you don’t know you have, you also can’t prove governance over your security program when you can’t locate the new attack vectors.

Second, if you can’t prove governance over who accesses data, you can’t prove that you keep data private. For example, if you need to meet General Data Protection Regulation (GDPR) privacy requirements, you need to know where a data subject’s data resides to delete it upon request. If your employees store data on an application outside of your control or share it through a messaging application, you might not be able to comply with the data subject’s request fully.

How to reduce shadow IT risk

Although managing shadow IT risk sounds overwhelming, you can take several steps to mitigate risk while enhancing your compliance posture.

Scan your environment

The first step to reducing shadow IT is to scan your environment and network regularly. Detecting and identifying new devices that connect to your network gives you additional visibility into network security risks.
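One way to turn a recurring scan into findings is to compare what was discovered against the approved asset inventory. The following is an added example, not code from the article or from SecurityScorecard; the inventory, the scan rows and the status names are constructed assumptions.

```python
import re

# Constructed sample data for illustration (not from the article).
APPROVED_INVENTORY = {
    "00:1a:2b:3c:4d:5e": "laptop-finance-01",
    "00:1a:2b:3c:4d:5f": "printer-floor2",
}

# Constructed scan output, e.g. rows exported from DHCP leases or an ARP sweep.
# Different tools print MAC addresses in different formats.
SCAN_RESULTS = [
    {"ip": "10.0.0.11", "mac": "00-1A-2B-3C-4D-5E"},
    {"ip": "10.0.0.12", "mac": "001a.2b3c.4d5f"},
    {"ip": "10.0.0.57", "mac": "B8:27:EB:12:34:56"},
    {"ip": "10.0.0.90", "mac": "da:a1:19:00:11:22"},
    {"ip": "10.0.0.91", "mac": "not-a-mac"},
]


def normalize_mac(raw):
    """Return a lowercase colon-separated MAC, or None if the value is malformed."""
    compact = re.sub(r"[:.\-]", "", raw.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", compact):
        return None
    return ":".join(compact[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac):
    """True when the locally-administered bit (0x02 of the first octet) is set.

    Phones and laptops that randomize their MAC set this bit, so such a device
    cannot be matched against a MAC-based inventory and needs another identifier.
    """
    return bool(int(mac[:2], 16) & 0x02)


def classify_devices(scan_results, inventory):
    """Label every scanned device as approved, unknown, unknown-randomized or malformed."""
    approved = {normalize_mac(mac): name for mac, name in inventory.items()}
    findings = []
    for row in scan_results:
        mac = normalize_mac(row["mac"])
        if mac is None:
            status = "malformed"
        elif mac in approved:
            status = "approved"
        elif is_locally_administered(mac):
            status = "unknown-randomized"
        else:
            status = "unknown"
        findings.append({"ip": row["ip"], "mac": mac, "status": status,
                         "asset": approved.get(mac)})
    return findings


if __name__ == "__main__":
    for finding in classify_devices(SCAN_RESULTS, APPROVED_INVENTORY):
        print(finding)
```

Saving each run's findings with a timestamp also produces the network-scanning evidence that an audit trail calls for.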

Enforce identity and access controls

To ensure that only the right users and devices connect to your network, you need to enforce your identity and access policies. This process should include multi-factor authentication and requiring devices to authenticate when they connect to the network.

Set “deny all” network access controls

To reduce the risk unknown applications create, start by creating “deny all” network access controls. Then, you can go back and allow the applications you trust. This will limit employees’ ability to use untrusted applications when connected to your corporate network.
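The sketch below shows the "deny all, then allow what you trust" decision applied to outbound proxy requests. It is an added example, not code from the article or from SecurityScorecard; the log format, the allowlisted domains (in the reserved `.example` namespace) and the function names are constructed assumptions.

```python
from ipaddress import ip_address

# Constructed allowlist: stand-ins for the services the organization has approved.
ALLOWLIST = {"meetings.example", "files.example"}

# Constructed proxy log: timestamp, user, method, destination host:port.
PROXY_LOG = """\
2021-08-23T10:00:01Z alice CONNECT conf.meetings.example:443
2021-08-23T10:00:05Z bob CONNECT Files.Example.:443
2021-08-23T10:01:12Z carol CONNECT notmeetings.example:443
2021-08-23T10:02:40Z dave CONNECT meetings.example.cdn.test:443
2021-08-23T10:03:02Z erin CONNECT 203.0.113.7:443
2021-08-23T10:03:09Z garbled line
"""


def host_allowed(host, allowlist):
    """Allow a host only if it is an allowlisted domain or a subdomain of one."""
    host = host.rstrip(".").lower()
    try:
        ip_address(host)
        return False  # IP literals carry no name to match, so default deny applies
    except ValueError:
        pass
    labels = host.split(".")
    # Compare whole DNS labels. A plain string suffix test would wrongly accept
    # "notmeetings.example" because it ends with "meetings.example".
    return any(".".join(labels[i:]) in allowlist for i in range(len(labels)))


def evaluate(log_text, allowlist):
    """Return one audit record per log line; anything not explicitly allowed is denied."""
    audit = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "CONNECT" or ":" not in parts[3]:
            # Fail closed: a line that cannot be parsed is never treated as allowed.
            audit.append({"user": None, "host": None,
                          "decision": "deny", "reason": "unparseable"})
            continue
        _timestamp, user, _method, dest = parts
        host = dest.rsplit(":", 1)[0]
        allowed = host_allowed(host, allowlist)
        audit.append({"user": user, "host": host.rstrip(".").lower(),
                      "decision": "allow" if allowed else "deny",
                      "reason": "allowlisted" if allowed else "default-deny"})
    return audit


if __name__ == "__main__":
    for record in evaluate(PROXY_LOG, ALLOWLIST):
        print(record)
```

The denied records double as a list of applications employees are trying to reach, which is useful input when deciding what to approve next.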

Train employees to be cyber aware

Effective cyber awareness training should incorporate shadow IT risks. While most employee awareness programs focus on phishing and social engineering, many fail to educate end-users about shadow IT risks.

Create an audit trail

As part of your compliance process, you should ensure that you document all activities around managing shadow IT. This includes documentation showing:

  • Network scanning
  • Vulnerability monitoring
  • Access certifications
  • Employee scores on training modules

SecurityScorecard: Continuous monitoring and risk mitigation

SecurityScorecard’s security ratings platform provides easy-to-read A-F ratings that give quick visibility into your security posture. SecurityScorecard Sentinel, our scanning engine, identifies and detects all devices, including IoT devices, across your network. With the ability to detect these traditionally hard-to-manage IT risks, you can enhance your security and compliance posture.

SecurityScorecard’s security ratings platform provides alerts that help IT and security teams prioritize remediation activities to mature your security program. Our alerts also include actionable remediation steps so that your teams can more rapidly mitigate risk.
