
Do You Have A Shadow IT Problem? Here’s Why You Need A Plan

Even when there is no malicious intent, unsanctioned applications can cause major problems for your agency

By Bryan Johnson, IT Director, Alliant National Title Insurance Company

Have you heard of shadow IT? The term conjures images of masked criminals poking around on your server or installing dangerous devices. Yet shadow IT is usually more mundane, referring to applications installed without IT’s permission. It’s important to remember, though, that just because something is commonplace doesn’t make it safe. Here, Alliant National IT Director Bryan Johnson explains the dangers of shadow IT and how you can combat its use.

The phrase “shadow IT” can sound scary. It evokes images of hackers lurking in some dark corner of your technology stack. Shadow IT, though, is often neither clandestine nor malicious. It merely refers to any piece of software or hardware installed by a user without an IT department’s permission. Quite often, this is done merely to gain greater productivity and involves popular applications like Gmail, VOIP apps like Skype (RIP) or even custom Excel documents. But the absence of ill intent doesn’t mean shadow IT is harmless. It can cause security problems and derail compliance. To avoid this, agencies need to understand the problem of shadow IT and have a game plan to curb its use.

Shadow IT is a growing and serious problem

The data shows that shadow IT has become an increasingly prevalent problem in recent years. For instance, one recent study predicts that by 2027, three in four workers will use technology that IT departments can’t technically “see.”[i]

But it isn’t just a quantitative problem. Shadow IT also poses real qualitative issues. Another recent study took a deep dive into “malicious requests,” which occur when someone, usually a hacker, sends a request to a site, server or device with the intention of doing harm. Nearly 31% of the 16.7 billion malicious requests they observed involved unsecured APIs,[ii] which are a common attack vector that can wreak havoc on an agency’s systems.

If that wasn’t bad enough, the numbers also show that shadow IT users often have a bit of a reckless streak. A Gartner study revealed these users are about twice as likely to take risky actions as their co-workers,[iii] posing significant security risks. And with the average cost of a data breach hovering around $5 million,[iv] that’s something you never want to take lightly.

The problems involved with shadow IT go beyond security too. It can also upend your firm’s compliance. Unauthorized apps and programs often bypass normal security measures, potentially exposing sensitive data. That puts you at greater risk of running afoul of industry best practices and privacy laws, not to mention undercutting audit-readiness and increasing your liability. All in all, it can lead to problems that can be very difficult to recover from.

Putting a plan in place

Now that we can see the scope of the problem and the potential consequences involved, we can move on to the more important question: what can we do about it? Here are three strategies I think can be most helpful for stopping shadow IT:

  • Knowledge is power: Like a lot of IT issues, one of the best ways to combat this problem is simply to talk to your employees about what shadow IT is and how it can imperil your business. If you’ve built a good team, they will acknowledge the severity of the issue and take action to prevent it.

  • Deter, don’t punish: Alongside education, take direct action to detect unauthorized applications. Network monitoring tools, DNS filtering and endpoint security are all invaluable for accomplishing this goal. You can also audit your cloud computing usage for greater visibility. It should be said that this strategy should always be about detecting and deterring—not punishing. As we’ve discussed, shadow IT usage often occurs to help not harm an agency. Always keep that in mind.

  • Optimize your IT infrastructure: Perhaps the best way to stop shadow IT usage is via continuous improvement of your existing IT stack. Survey your employees to understand which IT tools are helpful and which aren’t and then implement new solutions to make their workflows simpler. Be sure to review your IT governance policies alongside any improvements you’re making. Reviewing and revising these policies can improve understanding and ensure alignment around acceptable use.
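As an added illustration of the detection step described above (this is not code from the original article or from Alliant National), here is a small Python script that reads DNS resolver log lines and reports, per client machine, which applications were queried that are not on IT’s sanctioned list. The log format, the allowlist and the sample log lines are all constructed for the example; a real deployment would feed it the export from your own resolver or DNS-filtering product.

```python
"""Flag DNS queries to domains outside a sanctioned-application list.

Added illustration for the "detect, don't punish" step; not code from
the original article. The log format, the sanctioned list and the log
lines below are all constructed for this example.
"""
from collections import defaultdict

# Constructed allowlist: apex domains of applications IT has approved.
SANCTIONED = {
    "office365.com",
    "microsoft.com",
    "salesforce.com",
    "corp.example",   # assumed internal zone
}

# Constructed DNS resolver log, one query per line:
#   <timestamp> <client-ip> <queried-name> <record-type>
SAMPLE_LOG = """\
2024-05-01T09:01:12Z 10.1.4.22 outlook.office365.com A
2024-05-01T09:01:15Z 10.1.4.22 login.microsoft.com A
2024-05-01T09:03:40Z 10.1.4.22 mail.google.com A
2024-05-01T09:03:41Z 10.1.4.22 drive.google.com A
2024-05-01T09:10:02Z 10.1.4.37 na1.salesforce.com A
2024-05-01T09:12:55Z 10.1.4.37 api.dropbox.com A
2024-05-01T09:12:58Z 10.1.4.37 api.dropbox.com AAAA
2024-05-01T09:15:00Z 10.1.4.51 fileserver.corp.example A
2024-05-01T09:15:03Z 10.1.4.51 22.4.1.10.in-addr.arpa PTR
2024-05-01T09:20:11Z 10.1.4.51 notmicrosoft.com A
"""


def is_sanctioned(name, sanctioned=SANCTIONED):
    """True if *name* equals, or is a subdomain of, a sanctioned apex.

    Matching is done label by label so that "notmicrosoft.com" is not
    mistaken for a subdomain of "microsoft.com".
    """
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in sanctioned:
            return True
    return False


def parse_line(line):
    """Split one log line into (timestamp, client, name, rtype), or None."""
    parts = line.split()
    if len(parts) != 4:
        return None
    return tuple(parts)


def audit_dns_log(log_text, sanctioned=SANCTIONED):
    """Return {client_ip: sorted list of unsanctioned apex domains}.

    PTR lookups are skipped (reverse zones are not applications), and
    each unsanctioned name is collapsed to its last two labels so that
    repeated queries to one service count once. That collapse is a
    heuristic; it over-merges under suffixes such as co.uk.
    """
    findings = defaultdict(set)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        _ts, client, name, rtype = rec
        if rtype == "PTR" or is_sanctioned(name, sanctioned):
            continue
        apex = ".".join(name.lower().rstrip(".").split(".")[-2:])
        findings[client].add(apex)
    return {client: sorted(domains) for client, domains in findings.items()}


def format_report(findings):
    """One line per client: '<ip>: <domain>, <domain>, ...'."""
    return "\n".join(
        f"{client}: {', '.join(findings[client])}" for client in sorted(findings)
    )


if __name__ == "__main__":
    print(format_report(audit_dns_log(SAMPLE_LOG)))
```

The output is a short per-machine list of unapproved services rather than a per-query dump, which is what you want for a conversation with the user (why is Dropbox in use on that workstation, and what sanctioned tool would cover the same need?) rather than for disciplinary action.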

Turn on the light to stop shadow IT

With all the security challenges out there, the last thing you need is to worry about what applications your employees are installing without express permission. Yet shadow IT should never be taken lightly, as it can disrupt your security and compromise important priorities, like compliance. The good news, though, is that shadow IT is rarely malicious. With a bit of education, detection, and optimization, you can shed light on shadow IT and discourage its use.


[i] Gartner Unveils Top Eight Cybersecurity Predictions for 2023-2024

[ii] API Protection Report | Cequence

[iii] Shadow IT is increasing and so are the associated security risks | CSO Online

[iv] Cost of a Breach Calculating ROI for Cybersecurity Investments
