Network Security: Shadow IT Risk and Prevention

Contrary to many opinions found online, shadow IT (a.k.a. rogue or stealth IT) is not down to the IT team saying no or refusing to provide the productivity tools a specific job role requires. In truth, it is often down to restrictive budgets and the senior management decisions behind them. Speaking as an IT pro, we have no objection to whatever software users need and would happily supply it if the budget is available and the need is made known. We are not responsible for users installing unauthorised software, using unapproved cloud services or attaching their own hardware such as memory sticks and external drives to company systems. But, as always, we are expected to assume the responsibility and the blame for such practices.

What are the risks of Shadow IT? How can they be reduced?

As Przemysław Jarmużek, systems administrator & support expert at SMSEagle was quick to point out: “The level of risk will depend on the type of Shadow IT and the motives of the user involved” with common dangers including but not limited to the following:

BYOD

The rise of BYOD in the workplace has tied IT’s hands in cases where IT do not have control of the device. Device owners are free to install whatever they wish on their own device, and rightly so. In an ideal world, the device would be enrolled in mobile device management (MDM) to segregate work and personal use by means of a virtual partition. This work ‘partition’ could be managed remotely and erased if the device is lost or stolen or if the employee leaves the company.

Consumerisation of Software

Anyone with a credit card can purchase a cloud service or online subscription to a wide array of software and collaboration tools. Many are free and need only an internet browser to access. This is an obvious problem when trying to control the flow of company data, and it makes tracking the impact of a data breach almost impossible. These unauthorised activities could also affect compliance requirements, especially in relation to data protection and the rules for storing personally identifiable information (PII). The risk of intellectual property loss also increases if a third-party service provider is breached.

Licensing

Users installing licensed software from home is also a danger. Note that this activity is sometimes used by malicious employees seeking financial gain: they install unlicensed software on company systems and then send a ‘tip’ to the organisations that pursue copyright infringement in order to obtain a percentage of the high financial penalties levied. This point is demonstrated accurately in a TechCrunch article: Software piracy claims can ruin your business and reward those responsible. It is an old article, but all the points raised are still valid today.

Productivity Aims

Many users install or use unauthorised software and tools to improve productivity and lack any malicious intent. They are just unaware of the possible dangers of installing freeware and paid solutions that are not approved or monitored by IT.

Preventing Shadow IT

Radosław Janowski, product manager at SMSEagle said that “IT cannot be expected to have psychic powers and each department head should provide a list of software and tools that they need to fulfill their roles in a productive manner. This will allow IT to supply it and eliminate the requirement for Shadow IT.”

An excellent point. Tell the IT team that you can’t do your job effectively without software X and tool Y. We will listen and respond with updates.

In fact, there are several ways to reduce shadow IT while reinforcing the fact that IT are responsible for security on company equipment, and on BYOD devices where the owner has signed an agreement allowing remote administration.

  • Admin Access – There is no reason for users outside the IT team to have the ability to install programs. Any and all programs should be installed and managed by IT.
  • Network Inventory Management – IT will regularly monitor hardware and software assets on the network, automatically detecting any additions and reacting accordingly based on potential risk. There are many tools available to accomplish this task and some will aid security patch and update management.
  • Network and port monitoring – to prevent access to unauthorised cloud services.
  • IT will provide a software repository for all approved software and tools. If additions are required by a user or department, it is formally requested.
  • IT will foster an environment of security awareness to include the potential dangers of Shadow IT and ensure that there is an onboarding process for new employees.
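As an added example (not SMSEagle’s code or any product of theirs), the two detection controls in the list above, network monitoring for unsanctioned cloud services and inventory monitoring for unapproved software, reduced to a short script. The approved-service domains, the proxy log format and the package names are all constructed for illustration.

```python
"""Shadow IT detection helpers (added example, not the article's or SMSEagle's code).

Two checks from the prevention list: flag proxy destinations that are not on the
approved cloud-service list, and flag software that appears on a host but not in
the approved software baseline. All inputs below are constructed.
"""
import re
from collections import defaultdict

# Constructed allowlist of sanctioned services (hypothetical domains).
APPROVED_SERVICES = {"mail.corp.example", "crm.approved-vendor.example"}

# Constructed proxy log lines in a simplified, hypothetical key=value format.
PROXY_LOG = """\
1700000000.123 user=alice dst=mail.corp.example:443 bytes=5120
1700000000.456 user=bob dst=files.unknown-share.example:443 bytes=9123456
1700000001.789 user=alice dst=api.crm.approved-vendor.example:443 bytes=2048
1700000002.000 user=carol dst=files.unknown-share.example:443 bytes=10240
"""

LINE_RE = re.compile(r"user=(?P<user>\S+) dst=(?P<host>[^:\s]+):\d+ bytes=(?P<bytes>\d+)")

def is_approved(host, approved=APPROVED_SERVICES):
    """True if host is an approved domain or a subdomain of one (exact label match)."""
    return any(host == d or host.endswith("." + d) for d in approved)

def unsanctioned_destinations(log_text, approved=APPROVED_SERVICES):
    """Return {host: {"users": set, "bytes": int}} for destinations not on the allowlist."""
    findings = defaultdict(lambda: {"users": set(), "bytes": 0})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or is_approved(m["host"], approved):
            continue
        entry = findings[m["host"]]
        entry["users"].add(m["user"])
        entry["bytes"] += int(m["bytes"])
    return dict(findings)

def inventory_additions(baseline, current):
    """Software present on a host now but absent from the approved baseline.
    baseline: set of approved package names; current: {host: set(packages)}."""
    return {h: sorted(p - baseline) for h, p in current.items() if p - baseline}

if __name__ == "__main__":
    for host, info in unsanctioned_destinations(PROXY_LOG).items():
        print(f"unsanctioned service {host}: users={sorted(info['users'])} bytes={info['bytes']}")
    baseline = {"office-suite", "vpn-client"}   # constructed approved software list
    current = {"ws01": {"office-suite", "vpn-client"}, "ws02": {"office-suite", "free-sync-tool"}}
    print(inventory_additions(baseline, current))
```

Feeding the findings into the risk-based response step (who used the service, how much data left) is what turns this from a report into the “reacting accordingly” the list calls for.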

However, without senior management support, none of the above will work. Excuses about available budgets, or claims that IT is interfering in other departments, no longer hold weight, because IT is needed in every department. IT are responsible for security, and if identified security risks are not acted on, then the future problems that result from that inaction cannot be blamed on IT. When you consider that a recent Forbes Insights report finds that more than one in five organisations have experienced a cyber event due to an unsanctioned IT resource, is it worth checking whether shadow IT is a potential risk in your business? I think so.