Joseph Carson, Chief Security Scientist, Delinea, outlines some typical examples of Shadow IT that organizations should watch out for to maintain their own security.
To curb shadow IT effectively, you have to be aware of the environment in which it arises and why employees choose to use unmanaged apps and services. Here are some typical examples of shadow IT that organizations should watch out for.
With the rise in remote and hybrid work, the number of devices, apps and accounts that organizations must monitor has skyrocketed. With a massive increase in so-called shadow IT, comprehensive visibility has often been completely lost.
With staff driven to solve unexpected challenges at short notice, IT departments have also been accumulating technical debt. The consequences are an increased cyberattack surface and significant additional costs.
Despite the seemingly inevitable nature of these trends, they can be reversed and brought under control with the consistent implementation of transparency, automation and integration.
Shadow IT to watch out for
Shadow IT means any unmanaged IT systems used by employees beyond the radar of IT and security teams. These include cloud accounts, messaging apps and hardware such as laptops or smartphones used without the knowledge of those responsible for IT.
To curb shadow IT effectively, you have to be aware of the environment in which it arises and why employees choose to use unmanaged apps and services. Here are some typical examples of shadow IT that organizations should watch out for.
1. Remote and hybrid work
To be fully productive in remote and hybrid work environments, employees need a variety of collaboration tools, typically hosted in the cloud, that are not found in their protected office environments.
With most staff working from home at the start of the pandemic, in some cases completely unprepared, many employees resorted to new and unapproved tools. As a result of these uncontrolled and sometimes insecure services, organizations were exposed to a massively increased attack surface.
Remote workers often have administrative access to local workstations and applications. If a cyberattacker manages to gain access to a device with local administrator rights, they can use this to steal passwords, install malware or exfiltrate data. They may even be able to elevate privileges to gain access to the entire corporate IT environment.
2. Unmanaged Browsers
Most work is now performed using Internet browsers, and many users have two or more of them running on their machines. If these browsers are not managed by organizations, which is often the reality, a large security gap arises.
Browsers often prompt users to store sensitive login credentials, passwords or credit card information, and hackers know how to exploit this vulnerability. They see unmanaged browsers as an ideal opportunity to steal critical information and access enterprise systems and databases or make fraudulent payments.
3. Productivity apps
Third-party productivity apps that enable users to complete tasks effectively and quickly are becoming increasingly popular. Whether downloaded to a device or browser-based, the organization faces new risks if they are downloaded and installed without verification by the IT department.
Users are often unaware that even popular apps often lack the necessary security controls or are not updated as frequently as the company’s security policy requires. Not infrequently, sensitive data is stored in all sorts of repositories, and critical business information is potentially exposed. At the same time, the software may have conflicting security models that don’t align with corporate policies for access control or data usage.
4. Fast production cycles
With the increasing pressure to work quickly and efficiently, developers and DevOps teams are increasingly forced to sacrifice security for speed.
This favors shadow IT. For example, developers quickly set up instances in the cloud and just as quickly take them down again. The problem is that data goes live in the cloud environment without IT or security teams knowing about it.
Policies to help IT take back control
Unless IT can provide all employees with access to the secure tools and seamless workflows they need, there is a risk that they will take matters into their own hands and deploy their own solutions.
If shadow IT is to be contained in the long term, IT and security teams must be able to balance requirements for security and data protection with needs for productivity. This works best with the introduction and consistent enforcement of guidelines and control solutions.
Most importantly, solutions should operate automatically and in the background, not only to ensure security but also to avoid friction losses in work processes.
For an initial ‘clean up’, it is advisable to use a tool that reliably detects all malicious, unsafe and unknown applications and programs in the organization’s network and makes it possible to delete or check them. A tool that identifies any passwords stored in the browsers of all Active Directory users is also mandatory.
In addition, policy-based application control should be deployed, making it possible to automatically check applications that users want to download against lists of trusted applications or the latest threat data on suspicious applications. It should be ensured that each unknown, untrustworthy application is first automatically pushed into a sandbox for further examination before it is used.
Why technical debt also creates Shadow IT
What’s often overlooked in the shadow IT discussion is that it affects not only business users and developers working outside of IT security, but also IT teams. This is especially true when the different teams do not work together in a co-ordinated manner.
This lack of co-ordination often leads to technical debt. This is the extra effort that comes when teams focus on short-term, simpler solutions rather than investing time, effort and capital in a long-term approach.
It is not uncommon for IT departments to make last-minute decisions about solutions, rely on single-purpose tools or purchase multiple, siloed products to quickly resolve problems as they arise and keep the business running.
However, they often save at the wrong end. Technical debt can become a very costly proposition, which is especially critical for companies with tight budgets and limited resources. The short-term, seemingly small expenses often result in high costs for renewal, maintenance, training and upgrades.
In addition, the tools are usually inconsistent and can only be integrated to a limited extent. User-dependent systems also become a problem, since other colleagues or superiors are often unaware of their existence. After the responsible employee leaves, the systems are often forgotten and increase the ‘digital shadow’.
Effectively reducing technical debt requires IT departments to think strategically and make decisions that align with an organization’s long-term focus. It is important to future-proof cybersecurity, moving away from point solutions and instead embracing feature-rich technologies that can grow with the business and add value over time.
Visibility, automation and integration play essential roles in curbing shadow IT and technical debt. Organizations that take a consistent, long-term approach to these challenges will not only minimize their attack surface but also improve user experience and productivity.