In today’s collaborative, mobile world, employees are constantly looking for new and better ways to get their work done.
Whether it’s checking email on personal devices or sharing files via cloud-based apps, they’re bypassing IT-sanctioned technology and adopting their own solutions. Unfortunately, this so-called shadow-IT phenomenon poses tremendous risks to your organization.
When rogue employees bring unapproved applications and devices into your environment —often unwittingly and for seemingly practical reasons — they can expose sensitive data and violate compliance regulations.
In addition, they open you up to potential cyberattacks.
Shadow IT Goes Beyond Devices
Shadow IT includes not only apps and devices, but any services, technologies, solutions, and infrastructure used and managed without the knowledge, approval, and support of the IT department. Even a project created by DevOps or a user connecting to a third-party service via a corporate cloud app are aspects of shadow IT.
Consider these scenarios:
- Your marketing group uses Dropbox to share confidential files with an outside creative agency.
- A software developer downloads and uses APIs without going through the required approvals.
- An employee brings a personal laptop to work and connects it to a private network.
- One of your business units signs up for a new cloud-based storage service that’s not on the organization’s approved list.
Although all these actions support legitimate business needs, they can have serious negative implications.
Why You Should Worry
A recent survey by Forbes Insights and IBM found that 20% of the surveyed organizations experienced a security event due to shadow IT. And with the mainstream adoption of the Internet of Things, the problem will only grow. Gartner forecasts that by 2020, a third of successful attacks against organizations will involve data residing in shadow IT infrastructure.
Not all shadow IT technology is fundamentally risky, but the lack of visibility means you don’t know what the risks are—and what you need to do to protect your assets.
Here are some of the many reasons you should worry:
- You can’t patch shadow IT devices and apps, which leaves them vulnerable to exploits and giving threat actors a way into your organization.
- Consumer-grade technology typically doesn’t have the same security posture as enterprise apps and devices, potentially resulting in data leaks.
- You can’t reinforce data use policies for data stored and processed via shadow IT resources, increasing the risk of sensitive data exposure.
- Without the proper service level agreements with vendors of the shadow IT technology, your organization may violate compliance regulations.
Bring IT Out of the Shadows with Vulnerability Management
Gartner notes that conducting security assessments is an effective way to fight the shadow IT threat. Assessments let you gain better visibility across your environment, the first step in preventing security incidents.
Once you have visibility, you can implement a strong vulnerability management process and improve your overall security posture. Not all shadow IT risks are equal. Vulnerability management helps you prioritize the steps you need to take to shrink the attack surface. There are not enough hours in the day for the IT team to address all weaknesses, and a prioritized assessment enables them to focus on the riskiest issues.
We’re Here to Help
Chi Corporation and Arctic Wolf can help you manage your shadow IT risks as part of a SOC-as-a-service solution. Our security experts conduct continuous vulnerability scanning and proactively monitor your environment for risks 24/7. Contact Chi for more information.
Originally published on the Arctic Wolf Blog, October 17, 2019.