What Is Shadow IT and How Can It Threaten Your ISMS?
Shadow IT is something that almost every organization has, but only a few know about it. The tricky thing about shadow IT is that it helps people do their jobs faster and even better - but at the same time, it puts the company’s data and its information security management system (ISMS) at great risk. So what exactly is shadow IT, and how do you know if it’s happening right now in your company? Let’s try to find out.
Shadow IT: information technology under the hood
As you can guess from its name, shadow IT is something happening behind the scenes - and something that your IT department is not aware of. Hence, we can define shadow IT as software and/or hardware that your employees use within an enterprise without approval from the IT department.
In other words, the IT department has no idea that employees are using a particular program or hardware. As Gartner puts it, shadow IT means “IT devices, software, and services outside the ownership or control of IT organizations”.
By now, you might be thinking: hey, it doesn’t seem so bad, does it? Well, Cisco would not agree with you. Take cloud computing, for example. The main benefit of cloud computing is considered to be its advanced security. But according to Cisco’s estimate, IT managers believe, on average, that their enterprise has about 51 cloud solutions in use - while in reality there can be up to 730. That is quite an alarming number, isn’t it?
Now, let’s get more specific and look at some examples of shadow IT. These include:
- Software applications: Slack, Skype, Dropbox;
- A personal drive, a personal messenger, a personal email;
- An unauthorized server;
- A personal device such as a laptop or a smartphone.
So why do employees risk the company’s security and take a detour instead of following rules set by an IT department? There are several reasons for that.
Lack of efficiency from approved tools
It often happens that the tools approved by the IT department do not seem efficient enough to employees. Hence, they tend to find alternatives that allow them to work faster and better - even if these alternatives count as shadow IT. This creates a bit of a controversy that we will discuss later, but in short, shadow IT can increase productivity while also decreasing security.
Lack of training for approved tools
Sometimes, when a company fails to provide the corresponding employee training, especially when introducing new software and/or hardware, employees may feel too stressed and confused to use the new tool. This is another reason why they might decide to use an alternative tool that allows them to retain their speed and quality of work without too much stress.
A poorly organized process of approving new tools
One more reason for employees to choose unapproved tools is the process of approving new IT tools itself. If it’s too slow, complex, or frustrating, employees will prefer to discreetly use unauthorized tools instead of spending their time on the approval process (which may not even end in approval).
The biggest risks of shadow IT
As you can see, the main reasons for shadow IT are employees’ productivity and the convenience of using IT tools. Now let’s talk about the possible risks that shadow IT brings to an organization.
The risk of data breaches and data leaks
The first and most important risk that shadow IT poses is to cybersecurity. When there is an unauthorized IT tool within an organization, there is a very high chance that this tool may be hacked. As a result, attackers may gain access to sensitive information via that tool, and we don’t have to remind you about the costs of data breaches that companies face these days. According to the report by IBM and the Ponemon Institute, the average cost of a data breach in 2022 was estimated at US$4.35 million. And yes, a company may face such financial consequences simply because employees secretly use one messenger instead of another.
Lack of control
Think about the following. The more unauthorized IT tools there are within an organization, the higher the security risks are. If the IT department has no idea about all the IT tools in use, it cannot fully control data processing and storage. In this way, the IT department does not have full control over the company’s security.
Likewise, by not knowing about its shadow IT problem, the company won’t be able to control and treat other issues that are not related to cybersecurity, such as miscommunication (for example, when employees use different messengers to share information). Hence, the company’s owner won’t be able to fully control and manage all internal processes within the company, and thus won’t be able to prevent issues or react to them in time.
High IT costs
Another risk that shadow IT brings to companies is the increase in IT costs due to the following reasons:
- It’s always more expensive to implement a tool after some time than from the start;
- A duplicate or inadequate tool that sits unused still drains the company’s resources;
- The budget allocated to the IT department may not allow any additional tools to be used.
Lack of patching and updates
The thing with external software (that is, software not managed by your organization) is that you cannot control its patching and updates, nor its support and maintenance. However, the timely patching of a software application is one of the best ways to secure it against threats and to detect possible vulnerabilities at an early stage.
In this way, if your employees use non-approved software, you don’t know whether it has stable version control and whether it is updated in a timely manner. Hence, you cannot know the level of security it has, and you cannot influence it.
Best practices for mitigating and preventing shadow IT risks
Now that we have explained the biggest risks that shadow IT brings, the question is how to prevent it from happening. While no measure is 100% effective, there are several best practices for preventing shadow IT risks that can help you save money, avoid cyber risks, and hopefully make your working environment a safer place.
Establish transparent communication with employees
Since shadow IT is spread by employees, they will be your first concern when it comes to mitigating shadow IT risks. First, you need to encourage open communication with employees regarding the IT tools that they use. Persuade them that there will be no punishment for using unauthorized tools and emphasize the importance of knowing about all IT tools in use.
Second, make it clear that the company is open to discussing the authorization of proposed tools and the replacement of legacy tools with more efficient ones. However, you need to have a well-organized process for adopting new tools. A complex and confusing process will discourage employees from approaching the IT department for approval.
Adopt cybersecurity practices
We’ve written many articles on the topic of cybersecurity so we won’t go into much detail here. However, we can provide several recommendations. First, you can start by adopting CIS security controls if you don’t know where to start and don’t have even a basic cybersecurity layer. There are three different categories of controls for different types of organizations so every company can implement them in accordance with available resources.
Second, provide your employees with cybersecurity training - it is especially important if your organization plans to undergo ISO 27001 certification in the near future (more on that below). By understanding the importance of cybersecurity and the basic rules to follow, your employees will be able to maintain a secure work environment and will be more cautious about unknown or unverified software.
Use analytical tools to monitor IT activity
There can be hundreds of shadow IT tools running in your company, and while you can’t just blindly trust that all of them are harmless, it would also take a lot of time and resources to check them all. Hence, you can use specialized analytical tools, often powered by Artificial Intelligence, that monitor your IT data activity and can instantly spot suspicious behavior or risk signals. In this way, you can always react to emerging risks in time while performing regular security checks at a normal pace and without any stress.
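The kind of visibility such monitoring gives can be illustrated with a small script. This is an added example, not code from the original article or from any product it mentions: it reads constructed web-proxy log lines, ignores destinations on a hypothetical allowlist of approved domains, and aggregates everything else by SaaS tool so the IT department can see which unapproved tools are in use, by how many people, and how much data leaves through them. The log format, the allowlist and the domain-to-tool catalog are all assumptions made for the example.

```python
# Added example (not from the original article): discover unapproved SaaS
# usage by matching web-proxy log lines against an allowlist of approved
# domains. Log format, allowlist and tool catalog are constructed here; a
# real deployment would read the organization's own proxy or DNS logs and
# keep the allowlist in the ISMS asset inventory.
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Hypothetical allowlist: hostnames the IT department has approved.
APPROVED_DOMAINS = {
    "mail.example-corp.com",
    "wiki.example-corp.com",
    "teams.microsoft.com",
}

# Hypothetical catalog mapping registrable domains to the tool behind them,
# so a finding reads "Dropbox" rather than "content.dropboxapi.com".
SAAS_CATALOG = {
    "dropbox.com": "Dropbox",
    "dropboxapi.com": "Dropbox",
    "slack.com": "Slack",
    "skype.com": "Skype",
    "wetransfer.com": "WeTransfer",
}

# Constructed proxy log: "<timestamp> <user> <client-ip> <method> <url> <bytes-out>".
SAMPLE_LOG = """\
2024-05-06T09:02:11Z alice 10.0.1.15 GET https://mail.example-corp.com/inbox 512
2024-05-06T09:03:40Z alice 10.0.1.15 POST https://content.dropboxapi.com/2/files/upload 2048000
2024-05-06T09:05:02Z bob 10.0.1.22 GET https://app.slack.com/client 800
2024-05-06T09:05:09Z bob 10.0.1.22 POST https://files.slack.com/upload 350000
2024-05-06T09:10:55Z carol 10.0.1.31 GET https://teams.microsoft.com/ 1200
2024-05-06T09:12:30Z carol 10.0.1.31 POST https://wetransfer.com/api/v4/transfers 98000000
2024-05-06T09:15:00Z alice 10.0.1.15 GET https://www.dropbox.com/home 600
this line is malformed and must be skipped
"""


@dataclass
class Finding:
    """Aggregated traffic to one unapproved tool (or unknown domain)."""
    tool: str
    users: set = field(default_factory=set)
    requests: int = 0
    bytes_out: int = 0


def registrable_domain(host):
    """Reduce a hostname to its last two labels. Simplification: this ignores
    multi-part public suffixes such as co.uk; use a public-suffix list in practice."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_line(line):
    """Return (user, host, bytes_out) for a well-formed line, else None."""
    parts = line.split()
    if len(parts) != 6:
        return None
    _, user, _, _, url, size = parts
    host = urlsplit(url).hostname
    if not host or not size.isdigit():
        return None
    return user, host, int(size)


def find_unapproved(log_text, approved=APPROVED_DOMAINS, catalog=SAAS_CATALOG):
    """Aggregate requests to hosts outside the allowlist, keyed by tool name.
    Domains missing from the catalog are reported under their own name so
    that genuinely unknown services still surface."""
    findings = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed lines are skipped, not fatal
        user, host, size = parsed
        if host in approved:
            continue
        tool = catalog.get(registrable_domain(host), registrable_domain(host))
        finding = findings.setdefault(tool, Finding(tool))
        finding.users.add(user)
        finding.requests += 1
        finding.bytes_out += size
    return findings


def report(findings):
    """Render findings as lines, largest outbound volume first."""
    ordered = sorted(findings.values(), key=lambda f: -f.bytes_out)
    return [
        f"{f.tool}: {f.requests} request(s), {len(f.users)} user(s), {f.bytes_out} bytes out"
        for f in ordered
    ]


if __name__ == "__main__":
    for line in report(find_unapproved(SAMPLE_LOG)):
        print(line)
```

Sorting by outbound volume puts bulk uploads to file-sharing services at the top of the list, which is usually where the data-leak risk discussed earlier sits; the same aggregation can be run over DNS or firewall logs once the parser is swapped.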
But what about shadow IT benefits?
Strange as it sounds, shadow IT can be quite beneficial to a company. Some shadow IT tools can greatly improve productivity and engagement, thus bringing benefits to the company. Also, some company owners encourage their employees to be ingenious and creative about their work, and so the use of shadow IT tools can actually be seen as a plus in a workplace that promotes agility, innovation, independence, and creativity.
So how do you balance the risks and benefits of shadow IT and make sure it doesn’t bring harm to your company? The best way is to increase visibility and bring shadow IT into the light. In this way, it won’t remain in the shadows for too long but you will at least know what tools your employees use and how they use them.
Let us explain a bit more here. Say you’ve discovered that your employees use an unauthorized server. Instead of taking it down and deducting a penalty from everyone’s salary, you can educate employees on the importance of software security and add this server to the list of tools that are monitored and managed by the IT department. In this way, you gain control over the server, ensure data visibility, and will always know what data is processed and stored on this particular server. And that gradually brings us to the process of approving IT tools and how that process is organized.
Shadow IT and ISMS
ISMS stands for Information Security Management System and is a set of policies and security controls for managing cyber risks and threats within an organization. Implementing an ISMS is highly recommended for any company that processes and stores information (especially sensitive data), and it is advised that your ISMS be compliant with ISO 27001, the international standard on information security. Also note that ISO 27001 provides a checklist for ISMS implementation, which you might find helpful.
So where does shadow IT fall within the concept of ISMS? To answer this question, let’s look at the main stages of ISMS implementation:
- Define the goals that you wish to achieve with the help of an information security management system;
- Outline resources that you will need for successful ISMS implementation;
- Outline all areas to cover: business units, departments, processes;
- Create risk assessment and/or risk mitigation policies and choose the most suitable way of treating risks, according to ISO 27001;
- Document the defined policies and procedures.
The identification and management of shadow IT belong to the stages of outlining the areas to cover and creating the risk assessment. So, in order to prevent the expansion of shadow IT and create a robust information security management system, some of the things you can do are:
- Create a well-organized approval process for all IT tools that employees use or plan to use;
- Write clear and detailed instructions on using approved IT tools and on treating non-approved tools;
- Define policies for treating non-approved IT tools.
Note that ISO 27001 does not recommend using personal devices (i.e. laptops, mobile phones) for work, as users typically install personal software on them (games, mobile banking, etc.) and these applications cannot be updated or controlled by the organization (only by an external vendor).
Of course, there are many more policies that you might want to introduce to secure your working environment. Note that the process of ISMS implementation will be different for every company as it depends on the company’s size, available resources, and goals. One thing will remain the same though: an efficient ISMS will significantly decrease the risk of shadow IT occurring and will help mitigate the possible risks that are associated with it.
Even though shadow IT may give your employees more efficient tools and thus increase their productivity and even motivation, it also brings immense risks to the organization as a whole. Therefore, company owners should review and, if needed, improve visibility and communication so that employees do not hesitate to approach the IT department about new IT tools. Otherwise, you may find yourself in a situation where hundreds of non-approved software and hardware tools are running within the company and you have no idea how to manage them.
Sergey is an enthusiastic QA Engineer with a serious professional background. He is well versed in all existing testing methodologies and operating platforms. Since 2014, Sergey has been leading SoftTeco’s QA department.