Shadow IT: How to Prevent Unauthorized Software
The term shadow IT is often wrongly equated with malware. In fact, it simply describes software or hardware that is used without the knowledge of a company’s IT department. Most shadow IT is used without malicious intent. Nevertheless, it poses serious risks for companies because it is usually neither detected nor protected by official security measures.
There are many reasons for the emergence of shadow IT. Often, poor coordination within the company or poor contact between business departments and corporate IT is the trigger. Most often, popular and easy-to-use software (or hardware) becomes shadow IT. This includes private mobile devices or communication apps. Below, we provide some examples of how shadow IT can happen and how you can protect your company against it.
Shadow IT Risk
Shadow IT creates serious risks for companies. Sensitive company data can become exposed to attack through unauthorized software. This is a major problem, because it is precisely this data that attackers target with ransomware. Usability and workflows also suffer when shadow IT undermines the company's internal organization. Legal aspects play a role as well.
Problems Caused by Shadow IT
- The use of unauthorized apps opens gateways for attacks.
- Compliance violations are possible, e.g., when services import contacts from a device's address book without asking. If business contacts end up with third parties in this way, this violates both internal compliance rules and data protection laws.
- Data stored in the cloud can be transferred from one end device to another, e.g., using sharing functions native to most providers. This way, sensitive data can end up on unsecured devices, which in turn violates both data protection and compliance guidelines.
How Shadow IT Arises: Examples
Shadow IT often refers to software that is installed on devices used for business purposes without the knowledge or approval of a company's central IT department. Such software is thus located outside the approved IT infrastructure. But hardware can also become shadow IT—especially when the boundaries between work and personal devices merge.
A long decision-making and procurement process through official channels is often the reason applications and services are used without proper authorization. The main causes of shadow IT are poor employee education and poor processes within the organization. A lack of awareness also encourages the use of services that have nothing to do with the actual work and still count as shadow IT—for example, apps for streaming music.
Many employees are unwilling to give up familiar software or music streaming at work that they also use privately.
The employees are not the ones to blame for the emergence of shadow IT. Sluggish processes and a sluggish IT department enable the use of unauthorized applications—especially when, without them, workflows are disrupted or made significantly more difficult.
Mobile Devices and the Cloud
Specific requirements of individual departments for hardware and software also promote the emergence of shadow IT. For example, many departments use cloud storage services to make sharing and editing files within the team particularly easy and efficient.
Unauthorized mobile devices also pose a threat: these range from removable storage such as USB sticks used for data transfer to private smartphones or tablets used to access the corporate network. Popular online services for email, video telephony or instant messaging, such as Gmail, Skype and WhatsApp, also count as shadow IT if they are used without permission to exchange work-related content.
Many companies offer the private use of work devices, or conversely the use of private devices for work, as a “benefit”. In this case, special caution is required because private applications can become a gateway into corporate IT.
SaaS Chaos in the Enterprise
The rapid availability of applications from the cloud (so-called “Software-as-a-Service” or SaaS) presents new hurdles for IT departments. Above all, the emergence of shadow IT through unauthorized use of these services must be prevented. In addition, there is a real danger of losing track of the authorized applications. Individual accounts, often managed by the departments themselves, and services that are not centrally known blur the boundary between official corporate IT and shadow IT.
Cloud providers make their services quick and convenient to adopt, which makes it easy to meet the individual requirements of different departments. Nevertheless, during implementation you should make sure that the SaaS services used are suitable for enterprise use.
For example, a connection to the company’s central single sign-on (SSO) and central registration of accounts make onboarding and offboarding easier.
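Keeping track of which SaaS services are actually in use, as the paragraph above recommends, can be done by comparing observed traffic against the inventory of approved services. The following is an added example and not part of the original article: it runs over constructed proxy log lines and a constructed allowlist of approved domains, and reports every host that is not covered by the inventory, together with the users and outbound volume involved.

```python
"""Spot SaaS use that is not in the approved inventory (constructed example)."""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log lines: timestamp, user, requested URL, bytes sent out.
PROXY_LOG = """\
2024-03-01T08:12:03Z alice https://teams.microsoft.com/api/chatsvc 5120
2024-03-01T08:14:47Z alice https://mail.google.com/mail/u/0/ 2048
2024-03-01T09:02:10Z bob https://web.whatsapp.com/ 77824
2024-03-01T09:05:55Z bob https://onedrive.live.com/upload 409600
2024-03-01T09:30:21Z carol https://api.dropbox.com/2/files/upload 2097152
2024-03-01T10:11:02Z carol https://login.microsoftonline.com/ 1024
"""

# Constructed allowlist of approved SaaS domains; subdomains are covered.
APPROVED_DOMAINS = {"microsoft.com", "microsoftonline.com", "live.com"}


def is_approved(host, approved=APPROVED_DOMAINS):
    """True if host equals, or is a subdomain of, an approved domain."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in approved)


def find_shadow_saas(log_text, approved=APPROVED_DOMAINS):
    """Return {host: {"users": set, "bytes_out": int}} for unapproved hosts."""
    findings = defaultdict(lambda: {"users": set(), "bytes_out": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, user, url, bytes_out = line.split()
        host = urlsplit(url).hostname or ""
        if is_approved(host, approved):
            continue
        findings[host]["users"].add(user)
        findings[host]["bytes_out"] += int(bytes_out)
    return dict(findings)


if __name__ == "__main__":
    for host, info in sorted(find_shadow_saas(PROXY_LOG).items()):
        print(f"{host}: users={sorted(info['users'])} "
              f"bytes_out={info['bytes_out']}")
```

The hosts reported are candidates for the onboarding process described below, not automatically something to block.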
Here’s How to Reduce Your Risk for Shadow IT
One way to reduce the risk from shadow IT is to ban all unauthorized software and hardware. Selectively restricting individual services through blocking or limited installation rights can also mitigate the risk. However, this approach means significant additional work for the IT department and can cause resentment within the team.
IT security budgets are better spent on endpoint security or controlled network hardware. In most cases, it is most effective to simply not treat the topic of shadow IT as a taboo. Instead, employees’ awareness needs to be raised, and their needs must be understood and taken seriously. The best path to success is to establish a straightforward process for bringing necessary or desired software and services into the official IT infrastructure.
This approach takes a significant burden off the IT department. It harnesses the innovation potential of shadow IT by identifying new, suitable applications and bringing them into the company’s own IT in a controlled manner. It thus promotes both employee satisfaction and efficient use of software and hardware in the enterprise.
Protect Your Enterprise Cloud
One of the most critical attack targets in enterprises is data held on local storage or in NAS structures. Accordingly, shadow IT often poses a particular threat to this local data. Outsourcing and backing up this data to external cloud storage therefore makes sense for companies in many cases, but it requires additional security measures—especially if sensitive data or data requiring special protection is located in the cloud.
The outsourced data must be continuously protected against unauthorized access, both in transit to the cloud and at rest in the provider’s data center. If the cloud is used as shadow IT without appropriate authorization and protection, the risk is particularly high. Unfortunately, this unofficial use of the cloud is still widespread.
If your employees prefer the cloud for data storage, you should listen to their suggestion. Many benefits of cloud storage today favor efficient and cost-effective teamwork. A proactive cloud strategy—including appropriate safeguards—not only helps save money, but also prevents unsafe use “in the shadows”.
An excellent solution for more data security in the cloud is end-to-end encryption, such as Boxcryptor. Access to sensitive information is protected by strong encryption algorithms, while teamwork remains unchanged and easy: secure and simple sharing and editing of data and files, seamlessly integrated into your existing infrastructure, file management, and user management.
Using Boxcryptor helps organizations reduce risk in the cloud. Sensitive data remains secure, users can work as usual with OneDrive, Microsoft Teams & Co., the IT department is relieved, and compliance regulations are reliably adhered to. Having to use cloud storage services as shadow IT is thus a thing of the past.