Many organizations have moved hastily to transition their workforces during the COVID-19 pandemic so they can work remotely, implementing new tools and systems sometimes on the fly.
And without the luxury of time and planning, this means organizations often have to bypass typical IT department processes.
IT teams must now figure out how to protect assets and data
from exponential cybersecurity risks. One of those increased risks involves shadow IT. Employees are fast adopting new cloud applications and using personal devices while working from home
. Many of these apps and devices have poor security controls.
Couple that with other increased risks—like large-scale use of unsecured home connections and remote access technology—and shadow IT could spell disaster for your business.
What Is Shadow IT and Who Uses It?
Shadow IT refers to any information technology that is implemented or used without the knowledge and oversight of the IT department.
Much of shadow IT consists of cloud-based consumer apps. According to McAfee's 2019 Cloud Adoption and Risk Report
, the average organization uses more than 1,900 unique cloud services (a 15% increase from previous year). Yet, most organizations believe they only use around 30.
A recent survey
by 1Password found that 63.5% of more than 2,000 employees surveyed created at least one user account in the past 12 months that their IT department didn't know about.
That survey was conducted before work-from-home became the universal new normal—the surveyed employees worked in an office. Since then, the scale of remote work has grown exponentially, and shadow IT has become an even bigger concern.
Examples of Shadow IT
Software, hardware, and cloud-based services all fall under shadow IT.
- Cloud-based collaboration and file-sharing applications, such as Dropbox and Google Drive.
- Devices such as laptops and mobile phones.
- Third-party apps that use OAuth tokens (using credentials from a corporate app like Office 365).
- Infrastructure-as-a-service (IaaS) and platforms-as-a-service (PaaS), such as a software-development project built on Azure or AWS without IT's knowledge.
Why Employees Use Shadow IT
When employees download unauthorized apps or access corporate data from an unapproved device, they don't do it out of malice.
Typically, employees simply want to be more productive or innovative. They also may be unaware about company policies regarding information technology and not realize that they’re straying outside company guidelines and IT best practices.
Is All Shadow IT Bad?
Not all shadow IT is inherently risky. Even apps with weak security may pose no danger as long as employees don't use them to share sensitive information.
What makes shadow IT a high risk to your organization is your lack of visibility and control.
Without the ability to govern the use of technologies, you can't:
- Ensure employees follow your organization's best practices for data privacy and security.
- Maintain compliance with various regulations that your organization is subject to follow.
- Scan and patch the software and hardware for vulnerabilities.
The COVID-19 pandemic makes the lack of IT oversight an even bigger problem because everyone is connecting to your network and data from home.
A Check Point survey
of 400 IT security respondents conducted since the virus outbreak found that nearly half think shadow IT poses a major problem. And 95% say they face new pressures due to the work-from-home (WFH) environment.
How to Manage Your Shadow IT
To minimize your risks from shadow IT, we recommend the following steps:
1) Educate Your Workforce
Training your workforce about your organization's policies and procedures will help you better enforce your cybersecurity and data privacy practices. By creating a security culture, you can also educate employees about the critical role they play in maintaining strong security.
Awareness should also focus on the increased risks of working from home. To minimize the use of shadow IT, provide employees with a checklist of best practices and security requirements for their WFH technology.
2) Monitor your network
Monitoring your network 24x7 gives you needed visibility into your environment. Use traffic logs to identify which applications are running and which users run those applications.
Network monitoring helps you:
- Discover assets in your environment.
- Identify anomalies in user behavior and network traffic patterns.
- Improve your efforts to adopt only IT-sanctioned, secure solutions.
- Quickly identify and respond to threats.
In addition to monitoring your network around the clock, consider blacklisting unsecured devices, software, and services.
3) Conduct Security Assessments
Conducting security assessments via vulnerability scanning is one of the most-effective strategies for mitigating the risks of shadow IT.
Like network monitoring, vulnerability scanning provides visibility into your environment. But it also goes one step further to help you prioritize your risks.
By identifying vulnerabilities, you can ensure that systems are configured properly and that critical security patches are applied in timely fashion.
4) Use a Zero-Trust Approach
A zero-trust policy requires your users to authenticate their access before they can connect to sensitive areas of the network or critical applications.
With more employees working from home, and many using personal devices, a zero-trust security model will help ensure only authorized users can gain access to company resources.
Additionally, implement multifactor authentication whenever possible. Relying on passwords alone is particularly dangerous when most of your workforce is accessing your network and data from home.
With your workforce settled into new remote-work routines, now is a good time to conduct a risk assessment and start prioritizing vulnerability management.
Even when employees return back to the workplace, they may continue some of their new work habits and access your network and data from home. That means your shadow IT problem won't go away.
If you're not sure where to start or don't have the in-house resources to conduct a risk assessment, Arctic Wolf can help. With our turnkey managed vulnerabilities solution
, you can get started immediately and gain control over issues created by shadow IT.