Shadow IT: If it really exists and if you need to worry about it

Author: James TerHark Posted In: Strategy

Shadow IT. Is this a new phenomenon or something that has been around for some time? Read on to find out what it is all about and whether you need to take action.

What is Shadow IT?

“Shadow IT”, “Stealth IT” or “Rogue IT” – these are terms often used to describe information-technology systems and solutions built and used inside organizations without IT’s general knowledge. They cover hardware or software deployed by individual departments that does not conform to security guidelines or the company’s IT strategy, and that is often put in place without IT’s knowledge.

Hardware can take the form of USB flash drives, portable storage drives or unapproved BYOD personal devices such as smartphones, tablets or laptops. Software can take the form of locally installed applications or cloud-based applications, and also includes software written in-house without IT’s knowledge or approval. Downloaded apps, utility software and Excel macros are examples of locally installed software. More common in today’s environments, however, are cloud-based apps (SaaS): document-sharing services such as Google Docs and Dropbox; online messaging apps such as MSN Messenger, Facebook, Instagram or Yahoo Instant Messenger; and web-based email systems that allow file transfers, such as Yahoo and Gmail.

Does it really exist?

Yes, it does exist, and it is growing and becoming more prevalent. A OneLogin study showed that 71 percent of employees are using apps not sanctioned by IT. A study by EMC puts the cost of the data loss and downtime associated with Shadow IT at $1.7 trillion per year. Losses can be attributed to data loss and leaks, wasted investment in non-approved software that does not perform correctly, incompatible systems that cannot communicate with each other, time wasted by end users trying to get non-approved software to work, and time wasted by IT staff dealing with issues related to non-approved software.

A growing area of concern is the proliferation of smartphones. Almost everyone has one. Users can download thousands of unvetted applications, apps that could contain malicious code and compromise the device, after which attackers can steal data from it. The threat to corporations is that many users keep user IDs, passwords, links and other sensitive company data on their smartphones in non-secure apps such as Contacts or Notes. The other threat is the employee losing the smartphone. Since a smartphone is a convenient place to store login IDs and is always with its owner, end users will continue to do this. Companies should identify a verified secure password storage app that encrypts its data or stores it securely in the cloud rather than on the device. An example is an app called SecureSafe. Select an app that meets your security requirements, then encourage all users to use it.

What about IT? Are they guilty too?

IT has much more access than end users do. If end users are doing this, IT most likely is doing it too. For example, they have a problem to solve and there is a utility on the internet that they could download to solve it. Or perhaps they are developing something for the cloud and using a personal cloud subscription for testing. Perhaps they have shared program files or test data on Dropbox with another developer. The answer, then, is yes: IT is guilty of Shadow IT as well. It can be argued that IT personnel have a better understanding of vulnerabilities and are more knowledgeable about what they are downloading. However, rules and standards need to apply to everyone within an organization, and IT personnel can get hacked like anyone else.

Do you need to worry about Shadow IT?

Yes, you should be worried. Shadow IT puts your company at risk. It will cost your company in one way or another, and it could cost you big: a large data breach, for example, or a ransomware attack. Companies should have Shadow IT on their radar and be taking steps to eliminate it. Currently, most companies are not addressing Shadow IT. It should be included as one of the threats in your current security efforts and be budgeted for accordingly.