Shadow IT—Should Your Organization Worry?

October 17, 2019

In today's collaborative, mobile world, employees are constantly looking for new and better ways to get their work done.

Whether it's checking email on personal devices or sharing files via cloud-based apps, they're bypassing IT-sanctioned technology and adopting their own solutions. Unfortunately, this so-called shadow-IT phenomenon poses tremendous risks to your organization.

When rogue employees bring unapproved applications and devices into your environment—often unwittingly and for seemingly practical reasons—they can expose sensitive data and violate compliance regulations.

In addition, they open you up to potential cyberattacks.

Shadow IT Goes Beyond Devices

Shadow IT includes not only apps and devices, but any services, technologies, solutions, and infrastructure used and managed without the knowledge, approval, and support of the IT department. Even a project created by DevOps, or a user connecting to a third-party service via a corporate cloud app, counts as shadow IT.

Consider these scenarios:

  • Your marketing group uses Dropbox to share confidential files with an outside creative agency.
  • A software developer downloads and uses APIs without going through the required approvals.
  • An employee brings a personal laptop to work and connects it to a private network.
  • One of your business units signs up for a new cloud-based storage service that's not on the organization's approved list.

Although all these actions support legitimate business needs, they can have serious negative implications.

Why You Should Worry

A recent survey by Forbes Insights and IBM found that 20% of the surveyed organizations experienced a security event due to shadow IT. And with the mainstream adoption of the Internet of Things, the problem will only grow. Gartner forecasts that by 2020, a third of successful attacks against organizations will involve data residing in shadow IT infrastructure.

Not all shadow IT technology is fundamentally risky, but the lack of visibility means you don't know what the risks are—and what you need to do to protect your assets.

Here are some of the many reasons you should worry:

  • You can't patch shadow IT devices and apps, which leaves them vulnerable to exploits and gives threat actors a way into your organization.
  • Consumer-grade technology typically doesn't have the same security posture as enterprise apps and devices, potentially resulting in data leaks.
  • You can't enforce data use policies for data stored and processed via shadow IT resources, increasing the risk of sensitive data exposure.
  • Without the proper service level agreements with vendors of the shadow IT technology, your organization may violate compliance regulations.

Bring IT Out of the Shadows with Vulnerability Management

Gartner notes that conducting security assessments is an effective way to fight the shadow IT threat. Assessments let you gain better visibility across your environment, the first step in preventing security incidents.

Once you have visibility, you can implement a strong vulnerability management process and improve your overall security posture. Not all shadow IT risks are equal. Vulnerability management helps you prioritize the steps you need to take to shrink the attack surface. There are not enough hours in the day for the IT team to address all weaknesses, and a prioritized assessment enables them to focus on the riskiest issues.

We're Here to Help

Arctic Wolf can help you manage your shadow IT risks as part of a SOC-as-a-service solution. Our security experts conduct continuous vulnerability scanning and proactively monitor your environment for risks 24/7.
