The Shady Truth about Shadow IT

Shadow IT has CIOs caught between a rock and a hard place, pushed to deliver the required infrastructure for the business to function whilst remaining nimble and innovative to stay ahead of competitors.

The truth about Shadow IT

Shadow IT may sound a tad Hollywood, but regardless of the size of your company, you will likely fall victim to it at some point. Maybe you already have, or are falling victim to it right now. Shadow IT systems are introduced into the company via the back door; they are unauthorized and sometimes even unknown to central IT (Facebook, built on the Harvard network, is probably the most famous shadow system), so how would you know?

In every corner of every industry, you’ll find people are using the cloud (this is often called the “consumerization” of IT). It now accounts for around 25% of IT spend. This acceleration is because Shadow IT allows people to get their jobs done more efficiently, faster, and more flexibly than traditional computing solutions. In fact, total SaaS revenue is expected to reach nearly $100 billion in 2016, and Cisco last year reported that IT departments estimate their companies are using an average of 51 cloud services, though, in reality, this is more likely to be around 730. Perhaps more disturbingly, however, was Cisco’s other discovery that most companies now use up to 15 times more cloud services to store critical company data than CIOs were aware of or had authorized.

How Does Shadow IT Happen?

While your business has ownership of or responsibility for some cloud apps, your employees are empowered more than ever to deploy their own. Marketing departments are among the worst culprits, though they are not exclusively to blame. From a departmental point of view, it is not always a bad thing, as it fast-tracks project delivery.

It’s easy to see how it happens; when staff needs to access or share data quickly, they no longer need to rely on IT to provide the facility. Why would employees on a deadline want to go through the red tape of IT procurement, provisioning, testing, and security, when they can find a solution themselves and be up and running in a matter of seconds?

Benefits of Shadow IT

There are many who consider Shadow IT to be an important source of innovation, and indeed such systems (again, Facebook) may turn out to be prototypes for future IT systems that do gain approval from the business. Empowering departments is great, and few people would be opposed to the idea of encouraging employees to research (and maintain, to an extent) their own specialized software and hardware to help them do their job better. Most of the time, however, Shadow IT systems go behind the back of IT and come with a multitude of risks for your business. One thing is for sure – the days of having total control of your infrastructure are gone, and IT has lost the ability to properly protect its assets.

What’s really lurking in the dark…

Despite the fact that most cloud providers tend to have good security, organizations should not ignore the data access risks and threats posed by users and administrators. Anybody with just a credit card and a browser can purchase low-cost subscription licenses and have a new application up and running in practically no time at all.

The creators of Shadow IT systems can import corporate data and integrate with other enterprise applications, all without the knowledge of the IT department. This can be achieved via a USB stick; via popular shadow apps such as Google Docs, Dropbox, instant messaging services like MSN, online VoIP software like Skype, greynet, content apps, and utility tools; or via less straightforward self-developed Access databases, Excel spreadsheets, and macros.

Left unchecked, unsanctioned cloud service purchases hugely increase the risk of sensitive data breaches (whether accidental or malicious) and financial liabilities. “By its very nature, shadow IT exists to circumvent IT governance and security controls by employees believing they’re doing something beneficial for the company,” said Rick Orloff, vice president and chief security officer at Code42. “The painful truth is that shadow IT is one of the leading causes of insider data threats across any organization.”

Shadow IT solutions are often not in line with an organization’s requirements for control, documentation, security, reliability, or compliance. It is simply not possible to consistently manage and secure all of the cloud apps across your organization, whether sanctioned or unsanctioned, or to enforce data security and compliance controls on them.

So what happens when an employee’s personal Dropbox account – used to store sensitive corporate data – gets hacked? That’s sensitive customer data out there for all to see and use to their own ends. With the GDPR and a tougher regulatory landscape in general, a hack puts you and your senior management team in very, very hot water. Liabilities can be huge due to a mix of costs that include notification penalties, auditing processes, loss of customer revenue, brand damage, security remediation and investment, and cyber insurance, to name a few.

Lack of testing and change control should also be sending CIOs into a panic. When new shadow applications or devices are set up within the corporate infrastructure without guidance from corporate IT, the change and release management processes are completely bypassed. This can have a disastrous effect on other parts of the infrastructure (even during something as routine as a system upgrade).

Technologies that operate without the IT department’s knowledge can also degrade the experience of other employees within the company, by consuming bandwidth and creating situations in which network or software application protocols conflict.

Shining a Light on Shadow IT Systems

And it’s not always easy to fix when something does inevitably go wrong because of a Shadow IT system. At WALLIX, we’ve lost count of the number of times a department has deployed, or attempted to deploy, its own solution without the consultation or blessing of the IT department, and we have witnessed the friction caused and the deadlines missed because time-consuming and expensive fixes then have to be scheduled. Cloud services purchasing should empower a business with improved flexibility, innovation, and growth of competitive advantage, but not at the expense of security.

Shadow IT is a quick and dirty process that departments use to get things done, and it’s not going to go away, so awareness is key. After all, it’s your bottom line. CIOs everywhere, take note: your peace of mind lies with PAM.

PAM can be the first step in managing Shadow IT out of a business by making sure that critical systems are locked down. It does not give you visibility of shadow systems themselves, but what it crucially does do is maintain complete control of your existing systems, ensuring that shadow systems cannot infiltrate your infrastructure. WALLIX Bastion lets you control, oversee, monitor, and record every action of every privileged user across your entire network, instantly alerting you to any suspicious or untoward behavior.
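The post is candid that PAM alone does not give visibility of shadow systems; the usual complement on the visibility side is discovery from egress (proxy or DNS) logs, which is how the gap between the 51 cloud services IT estimates and the 730 actually in use gets closed. The script below is an added example, not WALLIX or WALLIX Bastion code. It parses a small constructed proxy log (a hypothetical "timestamp user method host bytes_sent" format), maps each destination host to a cloud service via a hypothetical catalogue of domain suffixes, drops anything on a sanctioned allowlist, and ranks the rest by upload volume so the services carrying the most corporate data out of the perimeter surface first. The suffix match is deliberately strict so that a look-alike domain such as `evil-dropbox.com` is reported as unknown rather than counted as Dropbox.

```python
"""Shadow IT discovery from egress proxy logs (added example, not WALLIX code)."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log; format is hypothetical: timestamp user method host bytes_sent
SAMPLE_PROXY_LOG = """\
2016-03-01T09:12:01Z alice POST upload.dropbox.com 52428800
2016-03-01T09:14:22Z bob GET docs.google.com 1200
2016-03-01T09:15:10Z alice POST www.dropbox.com 10485760
2016-03-01T09:20:45Z carol POST api.sanctioned-crm.example 4096
2016-03-01T09:30:00Z dave PUT content.dropboxapi.com 73400320
2016-03-01T09:31:17Z erin GET login.skype.com 512
2016-03-01T09:40:03Z bob POST docs.google.com 2097152
this line is malformed and must be skipped
"""

# Hypothetical catalogue: registered-domain suffix -> service name.
SERVICE_CATALOGUE = {
    "dropbox.com": "Dropbox",
    "dropboxapi.com": "Dropbox",
    "docs.google.com": "Google Docs",
    "skype.com": "Skype",
    "sanctioned-crm.example": "Sanctioned CRM",
}

# Services IT has actually approved (hypothetical allowlist).
SANCTIONED = {"Sanctioned CRM"}


@dataclass
class ServiceUsage:
    users: set = field(default_factory=set)
    requests: int = 0
    bytes_out: int = 0  # bytes on uploading methods only


def classify_host(host, catalogue=SERVICE_CATALOGUE):
    """Map a host to a catalogue service by exact or dotted-suffix match.

    Requiring the dot before the suffix stops 'evil-dropbox.com' from
    matching 'dropbox.com'.
    """
    host = host.lower().rstrip(".")
    for suffix, name in catalogue.items():
        if host == suffix or host.endswith("." + suffix):
            return name
    return None


def parse_line(line):
    """Return (timestamp, user, method, host, bytes_sent) or None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, user, method, host, sent = parts
    try:
        return ts, user, method.upper(), host, int(sent)
    except ValueError:
        return None


def discover(log_text, sanctioned=SANCTIONED, catalogue=SERVICE_CATALOGUE):
    """Aggregate per-service usage; return (unsanctioned services, unknown hosts)."""
    usage = defaultdict(ServiceUsage)
    unknown_hosts = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed records rather than abort the whole run
        _, user, method, host, sent = rec
        service = classify_host(host, catalogue)
        if service is None:
            unknown_hosts.add(host)  # candidates for adding to the catalogue
            continue
        u = usage[service]
        u.users.add(user)
        u.requests += 1
        if method in ("POST", "PUT"):
            u.bytes_out += sent
    unsanctioned = {s: u for s, u in usage.items() if s not in sanctioned}
    return unsanctioned, unknown_hosts


def report(log_text):
    """Human-readable summary, largest outbound data volume first."""
    unsanctioned, unknown = discover(log_text)
    ranked = sorted(unsanctioned.items(), key=lambda kv: kv[1].bytes_out, reverse=True)
    lines = [
        f"{name}: {len(u.users)} user(s), {u.requests} request(s), "
        f"{u.bytes_out / 2**20:.1f} MiB uploaded"
        for name, u in ranked
    ]
    if unknown:
        lines.append("unclassified hosts: " + ", ".join(sorted(unknown)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_PROXY_LOG))
```

On the sample, Dropbox ranks first with 130 MiB uploaded by two users, Google Docs second, and Skype last with no uploads; the sanctioned CRM is not reported at all. In practice the catalogue would be fed from a commercial cloud-service registry and the allowlist from procurement records, and the "unclassified hosts" line is the worklist for growing the catalogue.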

Security vulnerabilities stem from weaknesses in the control and monitoring of the privileged accounts made available to administrators, super users, and external service providers. Though we’re sure that most of your employees are upstanding members of the team, you need to make certain you’re fully compliant and know what’s going on within your business’s perimeter. There’s enough to worry about when it comes to doing business in today’s market – at least let WALLIX take care of the nannying part.