The Rise of Shadow IT
Introduction
The rise of digital technology has brought about numerous benefits, including increased efficiency and productivity, greater accessibility, and convenience. However, as organizations have become more reliant on technology, they have also become more vulnerable to cyber threats. In response, businesses have implemented various cybersecurity measures to protect their networks, devices, and data.
In spite of these efforts, shadow IT is growing, spanning from custom built applications in business units, to user-owned hardware, to third party services and SAAS. While shadow IT may seem harmless at first, it can pose a significant risk to an organization's cybersecurity posture.
Today, shadow IT represents about 40% of the company's footprint, a significant and worrying figure when we know that 1/3 of the cyber attacks come from shadow IT.
We will see in this article what are the causes and consequences of shadow IT and how to manage it to limit the risks in your company.
What is Shadow IT ?
Shadow IT refers to the use of information technology (IT) systems or services within an organization that are not approved and monitored by the IT department. This can include the use of unauthorized software, hardware, or cloud services by employees, departments, or teams within the organization.
The term "shadow IT" describes the fact that these systems or services operate outside of the formal control and oversight of the IT and security departments. Consequently, this can lead to a number of challenges and risks for organizations, including data security risks, compliance issues, and inefficiencies in IT operations.
Traditional IT is characterized by centralized control and strict policies and procedures, while shadow IT is characterized by decentralized decision-making and the absence of formal policies and procedures, which carry an associated level of risk.
Causes of Shadow IT
There are several reasons for the increasing presence of shadow IT in organizations.
Business-led IT purchase
Companies can develop quickly, and often, employees and different departments are aware of their own needs in terms of tools to become more efficient or to respond to a problem. As a result, employees may proactively choose a tool and use it without necessarily going through the IT department.
Credit-card pricing model :
Most external service providers offer low-engagement pricing plan or even free plans, allowing employees to test tools for themselves. However, connecting company data (whether internal or through the connection of other SaaS tools) poses significant security risks for the organization.
Lack of visibility :
A lack of visibility is a major cause of security vulnerabilities. Shadow technologies, by definition, are not easily visible to security teams. This lack of visibility is especially problematic because many SaaS platforms do not provide out-of-the box robust security features. Notion, for example, does not allow automated log exports. Additionally, some SaaS software includes security features only in their premium plans, such as Slack.
Lack of awareness:
The lack of security awareness among an organization's teams can be attributed to various factors. IT and security teams are often understaffed and overworked, leaving them with insufficient time to educate everyone on these topics. And on the other hands, business unit have a business to move, and do not prioritize security education.
Risks of Shadow IT
Security risks and threats
Lack of visibility and monitoring on shadow IT can lead to significant risks. And as core business practices are moving to SAAS and external service providers, these risks are growing.It is worth noting that the average cost of a data breach reached a record high in 2022 of approximately $4.35 billion , an amount that can put many businesses at risk.
Compliance issues
One Shadow IT risk is to create compliance risks for organizations, especially those operating in regulated industries. If employees use unauthorized tools and services to store or access sensitive information, the organization may violate data protection regulations and face legal and financial consequences.
Using GDPR as an example, if employees move or create data in a system that is not registered by the company, this can lead to non-compliance.
The entire efforts of compliance teams can therefore be undermined by employees engaging in shadow it behaviours, as explained in this Forbes article.
Integration issues
Companies are increasingly using SaaS software and tools to address employee issues and needs (aka “SAAS sprawl”). Productiv reports that the average company now has around 264 applications to run its business. However, the multiplication of these applications creates difficulties in linking them together, especially between different departments.
As a result, the company ends up with a multitude of data silos and a long tail of not-so-useful systems.
Data loss
Shadow IT can result in the loss of important data or assets. Below are few examples of known data loss that occurred on respected SAAS providers with well-staffed and strong security teams:
Here are several examples to illustrate the issue:
- Hubspot: A Hubspot employee account was hacked, and as each employee account could modify/access customer data access, data was stolen.
- OKTA : A hacker accessed its source code following a breach of its GitHub repositories.
- Mailchimp : Mailchimp suffered a social engineering attack where hackers gained access to data attached to 133 MailChimp accounts.
- Slack: They discovered that a limited number of Slack employee tokens were stolen and used to download private code repositories from GitHub.
- Dropbox: They fell victim to a phishing attack, with 130 Github repositories copied and API credentials stolen.
- ChatGPT : ChatGPT creator OpenAI has confirmed a data breach caused by a bug in an open source library.
Cost implications
Overall, shadow IT can then cause cost implications for an organization by increasing licensing, maintenance, and support costs, introducing security risks, creating inefficiencies, and causing compliance issues.
In fact, it is estimated that the US and UK generate around $34 billion in licence waste each year .
How to manage Shadow IT ?
Develop clear policies and guidelines
To avoid all the shadow it risk, organizations should develop clear policies and guidelines for the use of technology systems, software, and services. These policies should be communicated to all employees and include guidance on the types of tools and services approved for use, how to request approval for new tools. These policies may also provide a framework for possible sanctions in the event of non-compliance with the policy by an employee.
It is important for these policies to be regularly reviewed and updated to reflect changes in technology and industry regulations.
To create your own Shadow IT policy, you can use Security Hub , Trout Software's product that allows you to easily create notebooks and define your shadow it policy for each case.
Additionally, organizations should have a process in place that allows employees to easily request permission to use new tools or services.
Educate employees:
Companies should provide training and education to their employees regarding the risks associated with shadow IT and external services. These will increase employee awareness on the need to follow company policies and procedures. The training should cover cybersecurity best practices, data protection, and how to identify and report potential security threats.
The training should also emphasize where to find the list of approved tools and how to request a new tool from the IT department, and should be included as part of an employee's onboarding process at a company.
Monitor network activity:
To identify instances of shadow services, organizations should monitor network activity. To have a successful audit, it should include a review of network activity logs, file sharing services, and cloud storage platforms to identify any unauthorized access or use. Also, aggregating network traffic and DNS resolution logs by endpoint keeps a list of known external software and its usage over time
Monitor financial activity:
Credit card spend monitoring can be a useful way to discover the use of external software or "shadow IT" within an organization.
By tracking and analyzing credit card statements, companies can identify suspicious spending and take steps to mitigate the risks associated with the use of unapproved software.
How Trout Software can help you monitor your shadow IT ?
Trout Software's Security Hub tool makes it easy to monitor shadow IT in your company, with notebooks covering three paths:
- leverage a company authentication system to list all applications that are leveraging employees identities
- analyze network traffic to identify traffic to known external application and SAAS
- monitor financial transactions to spot payments of SAAS and external applications
When you detect a shadow IT case and want to investigate, Security Hub quickly connects you to the above data source. You can leverage pre-existing connectors to connect to all your services or analyse raw data in any format you wish.
Once all your data is connected, Security Hub facilitates the investigation of this data via a no-code interface. You can normalize and parse your data when needed to quickly get an overview and help you conduct your analysis more efficiently. Afterwards, you can pivot to the data point you want by simply double-clicks and drag-and-drops.
Once the investigation is complete, you can automate your checks via the Security Hub scheduler and move on to the next system. The notebook scheduler allows for fine-tuned planning through numerous parameters: number of repetitions, time, date, between repetitions.
Finally, these notebooks will be indexed, allowing you to search through them and capitalize on previous investigations and the skills of your team.🎣
Conclusion
Currently, 33% of cyber attacks are carried out via shadow IT.
Getting visibility, monitoring signals across a trust-context that span in and out of a company is a difficult challenge. But with the growing adoption of SAAS and ability for many business units to solve their problems with little scripts, shadow IT is here to stay.
To solve for that challenge, companies need to build processes, implement systems and spread common knowledge, one step at a time.
Want to learn more about cybersecurity ?
You can read our other blog posts such as :