LastPass Labs

The Threat from Shadow IT

Mike Kosak, October 03, 2024

It’s Cybersecurity Awareness Month! October is that special time of year that combines scary spiders with Scattered Spider, and it serves as an excellent reminder to take time to assess and improve your organization’s cybersecurity posture. LastPass will be publishing a series of content over the course of the month to highlight threats and best practices, including webinars and other LastPass Labs blog posts, starting with the threat posed by shadow IT within your organization.

What is Shadow IT?  

Shadow IT is any software, service, device, or hardware used by employees without the knowledge or approval of IT teams. Software-as-a-service (SaaS) solutions are a popular example: staff frustrated with existing collaboration or connectivity tools may seek out free online alternatives that help streamline their workflow. In some cases, they don't consider the impact of outside applications on internal networks or data protection practices and simply forget to inform IT. In other instances, employees purposefully avoid informing IT so they can keep using the application of their choice. According to recent survey data, 57% of small and midsize businesses (SMBs) have discovered shadow IT deployments on their network; 76% of SMBs said these deployments posed "moderate to severe" cybersecurity threats.  

Of note, the use of shadow IT is rarely driven by malice. It is most often the result of employees seeking to work more efficiently: they adopt or leverage technologies not approved by their company’s IT department without realizing the risk they are creating for the company.

What Threats Does Shadow IT Pose?  

While shadow IT is frequently associated with well-intentioned efforts to improve efficiency, the use of these technologies introduces vulnerabilities across several fronts. Let’s take a look at a few of the most serious threats associated with the use of unapproved IT:  

  • Lack of Visibility: Perhaps the most obvious issue with shadow IT is that you can’t protect what you don’t know you have within your network. Applications and other shadow IT leveraged by employees create pockets of unprotected infrastructure that IT departments can’t monitor and defend. Further, shadow IT may carry unpatched or unknown vulnerabilities that the employee is neither monitoring for nor remediating. This creates a potentially disastrous combination of supply chain/third-party risk and an exposed vulnerability. It’s like having a back door into your network that isn’t locked.
  • Expanded Attack Surface: Implicit in the lack of visibility is the inherent expansion of an organization’s attack surface. Every application, piece of software, or device introduced into your company’s network presents another way an attacker could steal data or otherwise degrade or disrupt operations. Combined with the lack of visibility by your IT department described above, this expanded attack surface can lead to a cyber attack your organization can’t see coming.
  • Data Loss: Many instances of shadow IT involve the use of personal email to transfer data or conduct business conversations. Other instances include the use of open-source tools in support of development operations or other more technical functions. Irrespective of their function, shadow IT tools may result in sensitive company data or customer personal information being stored outside company infrastructure, which presents an increased risk of data theft, data loss, or other unintended exposure.

What Can Be Done?   

While shadow IT may offer some tempting benefits, particularly around efficiency gains, the risks it inadvertently introduces into your organization’s network can outweigh those benefits. Strong IT policies that prevent the download and use of non-approved technologies are critical, as is network monitoring for the use of shadow IT. This monitoring can be done via logs, endpoint agents, or even password managers that can provide insight into unexpected or unauthorized accounts. An open-door IT culture allows for frank discussions between users and the IT department about the potential need for external applications or other tools; this enables a team-driven approach to technology adoption in which appropriate security and monitoring measures are put in place. Combining the good intentions that often drive shadow IT adoption with the security and monitoring protections your IT and Security departments provide, through open discussion and partnership, allows you to continue to innovate and improve efficiency while still staying safe!
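To make the log-based monitoring described above concrete, here is an added example (not LastPass code, and not tied to any LastPass product) that scans web-proxy log lines for traffic to SaaS domains outside an approved list and reports which users are sending data there. The log format, the `corp.example` allowlist, and every log line are constructed assumptions for this illustration; in practice the allowlist would come from your IT asset inventory and the lines from your proxy, DNS, or endpoint-agent telemetry.

```python
"""Flag unapproved SaaS destinations in web-proxy logs (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample proxy log in a simplified format (assumption for this example):
#   <timestamp> <user> <method> <url> <bytes_sent>
# One deliberately malformed line is included to show that bad input is skipped,
# not silently mis-parsed.
SAMPLE_LOG = """\
2024-10-03T09:12:01Z alice GET https://mail.corp.example/inbox 512
2024-10-03T09:14:22Z alice POST https://upload.filedrop.example/api/v1/put 8388608
2024-10-03T09:20:05Z bob GET https://docs.corp.example/policy.pdf 300
2024-10-03T09:21:40Z bob POST https://chat.quickteam.example/rooms/42 2048
2024-10-03T09:25:13Z carol POST https://upload.filedrop.example/api/v1/put 4194304
this line is malformed and should be skipped
2024-10-03T09:30:00Z carol GET https://sso.corp.example/login 128
"""

# Constructed allowlist of IT-approved domains (in practice: the asset inventory).
APPROVED_DOMAINS = {"corp.example"}

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT) (\S+) (\d+)$")


@dataclass(frozen=True)
class Request:
    user: str
    host: str
    bytes_sent: int


def registrable_domain(host: str) -> str:
    """Collapse a hostname to its last two labels (e.g. upload.filedrop.example -> filedrop.example).
    This is deliberately naive: multi-label public suffixes such as co.uk need a real
    public-suffix list in production."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def parse_log_line(line: str):
    """Return a Request for a well-formed line, or None for anything that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _ts, user, _method, url, sent = m.groups()
    # Strip scheme, path and port to isolate the host, lower-cased for comparison.
    host = re.sub(r"^https?://", "", url).split("/", 1)[0].split(":")[0].lower()
    return Request(user=user, host=host, bytes_sent=int(sent))


def find_shadow_it(log_text: str, approved: set):
    """Aggregate traffic to domains that are not on the approved list.

    Returns (findings, skipped) where findings maps each unapproved domain to the
    sorted list of users who contacted it and the total bytes they sent, and
    skipped counts lines that could not be parsed."""
    findings = defaultdict(lambda: {"users": set(), "bytes_sent": 0})
    skipped = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        req = parse_log_line(line)
        if req is None:
            skipped += 1
            continue
        domain = registrable_domain(req.host)
        if domain in approved:
            continue
        findings[domain]["users"].add(req.user)
        findings[domain]["bytes_sent"] += req.bytes_sent
    report = {d: {"users": sorted(v["users"]), "bytes_sent": v["bytes_sent"]}
              for d, v in findings.items()}
    return report, skipped


def format_report(findings: dict, skipped: int) -> str:
    """Render findings as text, largest upload volume first, for an analyst to review."""
    lines = []
    for domain, info in sorted(findings.items(), key=lambda kv: -kv[1]["bytes_sent"]):
        lines.append(f"{domain}: {info['bytes_sent']} bytes sent by {', '.join(info['users'])}")
    lines.append(f"({skipped} unparseable line(s) skipped)")
    return "\n".join(lines)


if __name__ == "__main__":
    found, bad = find_shadow_it(SAMPLE_LOG, APPROVED_DOMAINS)
    print(format_report(found, bad))
```

The upload byte counts matter as much as the domain names: a few kilobytes to an unknown chat service is a policy conversation, while megabytes posted to an unknown file-sharing host is a data-loss review. Treat the output as a starting point for the open-door conversation the post recommends, not as proof of wrongdoing.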