A digital cloud over red symbols representing malware.
Image: AndSus/Adobe Stock

A new publication from the U.K.’s National Cyber Security Centre provides guidance to organizations concerned about shadow IT, which in most cases stems from employees’ non-malicious intent rather than from an attempt to evade controls.

What is shadow IT, and why is it a growing concern?

Shadow IT is the use of technology systems, software, applications and services within an organization without the explicit approval, knowledge or oversight of the IT department or the organization’s official IT policies. This is sometimes called “grey IT.”

Shadow IT has grown in recent years for a number of reasons. For starters, U.K. managed services company Core reports that shadow IT has exploded by 59% due to COVID-19. In addition, the rise in cloud usage has driven much of that growth. According to Cisco, cloud services have become the biggest category of shadow IT, as more employees feel comfortable installing and using cloud applications without reporting them to their IT department.

According to a report from asset intelligence platform Sevco Security, approximately 20% of IT assets are invisible to an organization’s security teams.

The main risks associated with shadow IT are the exfiltration of sensitive corporate data and malware infections that could lead to data theft or cyberespionage. Because unmanaged components typically sit outside monitoring and patching, the infection of a shadow IT component might leak credentials and open the way to a compromise of the entire company.

What leads to shadow IT?

As written by NCSC, shadow IT is rarely the result of malicious intent but rather due to “employees struggling to use sanctioned tools or processes to complete a specific task.” Some users also do not realize that the use of devices or personally managed software-as-a-service tools might introduce risks for their organization.

Some of the most common reasons for shadow IT are a lack of storage space, the inability to share data efficiently with a third party, and not having access to services that are required for a task or that would make it easier.

What are different examples of shadow IT?

Part of shadow IT consists of unmanaged devices that are deployed in corporate environments without approval from the IT department. This might include employees’ personal devices (e.g., digital assistants and IoT devices) or contractors’ virtual machines.

As the NCSC states, any device or service that has not been configured by the organization will probably fall short of the required security standards and therefore introduce risks to the network, such as bringing in malware.

Unmanaged cloud services also make up part of shadow IT. These might include:

  • Video conferencing or messaging applications that are not monitored.
  • External cloud storage facilities used to share files with third parties or to allow working from home using an unauthorized device.
  • Project management or planning services used as alternatives to corporate tools.
  • Source code stored in third-party repositories.

How can you mitigate shadow IT?

NCSC writes that “at all times, you should be actively trying to limit the likelihood that shadow IT can or will be created in the future, not just addressing existing instances.”

As most shadow IT results from non-malicious intent of employees who want to get their work done efficiently, organizations should try to anticipate the staff’s needs to prevent shadow IT.

A process for handling employees’ requests for the devices, tools and services they need should be put in place, so that they are not pushed toward building their own solutions. Employees should instead feel that their employer is trying to help them and meet their professional needs.

Companies should provide a controlled, fast path for employees to get access to services that fall outside the standard toolset.

It is strongly advised to build a good cybersecurity culture within the organization, one in which policies or processes that prevent employees from working efficiently can be reported openly rather than worked around.

Regarding technical mitigations, larger organizations should use asset management systems. Those systems should ideally record key information such as the physical details of devices, location, software version, ownership and connectivity information. In addition, vulnerability management platforms help detect new assets connecting to the corporate environment.

Unified endpoint management tools, when properly deployed, can discover devices connecting to the network that are not owned by the organization. The weak point is that onboarding many different classes of devices can be highly resource-intensive for larger organizations.

Network scanners can be used to discover unknown hosts on the network, but their use should be carefully controlled. Companies should define who can access the scanners and how, because these tools have privileged access to scan entire networks and are therefore valuable to an attacker: threat actors who compromise part of a network will want to extend the compromise by finding new hosts, and a poorly protected scanner does that work for them.
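The useful output of a scan is not the host list itself but the difference between what answered and what the asset inventory says should be there. The following is an added example, not code from the NCSC guidance or from this article: it parses nmap "grepable" (-oG) output and reports hosts that are absent from a CSV inventory, plus inventory entries that did not answer. The inventory, the scan output and the subnet are constructed sample data.

```python
"""Reconcile a network scan against the asset inventory to find unknown hosts.

Added example (not from the NCSC guidance or the article). The inventory CSV
and the nmap -oG style scan output below are constructed sample data.
"""
import csv
import io
import re
from dataclasses import dataclass

# Constructed inventory: what IT believes is on the 10.0.5.0/24 segment.
INVENTORY_CSV = """\
hostname,ip,owner
fs01,10.0.5.10,Infrastructure
ws-alice,10.0.5.21,Alice
ws-bob,10.0.5.22,Bob
"""

# Constructed scan output in nmap grepable (-oG) format; fields are tab-separated.
SCAN_OUTPUT = """\
# Nmap scan initiated (constructed sample)
Host: 10.0.5.10 (fs01.corp.example)\tStatus: Up
Host: 10.0.5.10 (fs01.corp.example)\tPorts: 445/open/tcp//microsoft-ds///\tIgnored State: closed (999)
Host: 10.0.5.21 ()\tStatus: Up
Host: 10.0.5.37 (dlink-mediaplayer)\tStatus: Up
Host: 10.0.5.37 (dlink-mediaplayer)\tPorts: 80/open/tcp//http///, 8080/open/tcp//http-proxy///
Host: 10.0.5.44 ()\tStatus: Up
Host: 10.0.5.44 ()\tPorts: 22/open/tcp//ssh///
# Nmap done
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\t(.*)$")


@dataclass
class Finding:
    ip: str
    name: str
    open_ports: list


def parse_grepable(text):
    """Return {ip: [reverse name, [open ports as 'port/proto']]} from -oG output."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comments and non-host lines
        ip, name, rest = m.groups()
        entry = hosts.setdefault(ip, [name, []])
        if rest.startswith("Ports:"):
            # Drop any further tab-separated fields (e.g. "Ignored State: ...").
            ports_field = rest[len("Ports:"):].split("\t")[0]
            for port in ports_field.split(","):
                fields = port.strip().split("/")  # port/state/proto/owner/service/...
                if len(fields) >= 3 and fields[1] == "open":
                    entry[1].append(f"{fields[0]}/{fields[2]}")
    return hosts


def load_inventory(csv_text):
    """Inventory rows keyed by IP address."""
    return {row["ip"]: row for row in csv.DictReader(io.StringIO(csv_text))}


def unknown_hosts(scan_text, inventory_csv):
    """Hosts that answered the scan but have no inventory record: shadow IT candidates."""
    inv = load_inventory(inventory_csv)
    return [Finding(ip, name, ports)
            for ip, (name, ports) in sorted(parse_grepable(scan_text).items())
            if ip not in inv]


def not_seen(scan_text, inventory_csv):
    """Inventory records that did not answer the scan (offline, moved or stale)."""
    seen = parse_grepable(scan_text)
    return sorted(row["hostname"] for ip, row in load_inventory(inventory_csv).items()
                  if ip not in seen)


if __name__ == "__main__":
    for f in unknown_hosts(SCAN_OUTPUT, INVENTORY_CSV):
        print(f"UNKNOWN {f.ip:15} {f.name or '-':20} open: {', '.join(f.open_ports) or '-'}")
    for host in not_seen(SCAN_OUTPUT, INVENTORY_CSV):
        print(f"NOT SEEN {host}")
```

The two unknown hosts in the sample (a media player and an SSH-reachable box with no inventory record) are exactly the cases the guidance is concerned with; the "not seen" list is worth reviewing too, because stale inventory entries are where an attacker's device can hide behind a legitimate-looking address.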

Cloud access security brokers are important tools that allow companies to discover cloud services used by employees by monitoring network traffic. Those tools are often part of a secure access service edge solution.
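At its simplest, the discovery part of a CASB is a join between observed web traffic and a catalogue of known cloud services, with the sanctioned ones filtered out. The following is an added example, not code from the article or from any CASB product: it walks through constructed proxy log lines, maps each hostname to a service by longest matching domain suffix, and summarises unsanctioned use per service and per user. The log format, the service catalogue, the sanctioned list and the domain example-share.net are all assumptions for the example; a real deployment would use the vendor's catalogue and the organization's own allow list.

```python
"""Discover unsanctioned cloud services from web proxy logs.

Added example, not from the article or any CASB product. The catalogue, the
sanctioned list and the proxy log lines are constructed sample data.
"""
from urllib.parse import urlsplit

# Constructed catalogue: registrable domain -> (service name, category).
SERVICE_CATALOGUE = {
    "sharepoint.com": ("Microsoft SharePoint", "storage"),
    "dropbox.com": ("Dropbox", "storage"),
    "wetransfer.com": ("WeTransfer", "file transfer"),
    "github.com": ("GitHub", "source code"),
    "trello.com": ("Trello", "project management"),
    "zoom.us": ("Zoom", "video conferencing"),
}

# Constructed allow list of services IT has approved.
SANCTIONED = {"sharepoint.com", "zoom.us"}

# Constructed proxy log: time user src_ip method target status bytes
PROXY_LOG = """\
2024-03-04T09:01:12Z alice 10.0.5.21 GET https://corp.sharepoint.com/sites/finance 200 5120
2024-03-04T09:03:40Z alice 10.0.5.21 POST https://www.dropbox.com/upload 200 15728640
2024-03-04T09:07:02Z bob 10.0.5.22 GET https://api.github.com/repos/acme/billing 200 20480
2024-03-04T09:09:55Z bob 10.0.5.22 POST https://wetransfer.com/api/v4/transfers 201 2048
2024-03-04T09:12:31Z carol 10.0.5.23 GET https://trello.com/b/abc123/launch 200 10240
2024-03-04T09:14:03Z carol 10.0.5.23 CONNECT zoom.us:443 200 0
2024-03-04T09:15:45Z alice 10.0.5.21 GET https://www.dropbox.com/home 200 8192
2024-03-04T09:18:10Z bob 10.0.5.22 PUT https://files.example-share.net/up/1 200 4096
"""


def host_of(target):
    """Hostname from a full URL or from a CONNECT host:port target."""
    if "://" in target:
        return urlsplit(target).hostname or ""
    return target.rsplit(":", 1)[0]


def lookup(hostname):
    """Catalogue domain for a hostname, matching the longest known suffix."""
    labels = hostname.lower().split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in SERVICE_CATALOGUE:
            return candidate
    return None


def discover(log_text):
    """Summarise unsanctioned cloud use.

    Returns (flagged, uncatalogued): flagged maps a catalogue domain to a dict with
    service, category, users, requests and upload_bytes (bytes on POST/PUT, a rough
    exfiltration indicator); uncatalogued is the set of hostnames the catalogue
    does not know, which deserve a manual look.
    """
    flagged, uncatalogued = {}, set()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 7:
            continue  # malformed line
        _ts, user, _src, method, target, _status, nbytes = fields
        host = host_of(target)
        domain = lookup(host)
        if domain is None:
            uncatalogued.add(host)
            continue
        if domain in SANCTIONED:
            continue
        name, category = SERVICE_CATALOGUE[domain]
        entry = flagged.setdefault(domain, {"service": name, "category": category,
                                            "users": set(), "requests": 0, "upload_bytes": 0})
        entry["users"].add(user)
        entry["requests"] += 1
        if method in ("POST", "PUT"):
            entry["upload_bytes"] += int(nbytes)
    return flagged, uncatalogued


if __name__ == "__main__":
    flagged, unknown = discover(PROXY_LOG)
    for domain, e in sorted(flagged.items(), key=lambda kv: -kv[1]["upload_bytes"]):
        print(f"{e['service']:22} {e['category']:20} users={sorted(e['users'])} "
              f"requests={e['requests']} upload={e['upload_bytes']} B")
    for host in sorted(unknown):
        print(f"uncatalogued host: {host}")
```

Ranking by uploaded bytes puts the storage and file-transfer services first, which matches the article's point that external cloud storage used to share files with third parties is where the data-exfiltration risk concentrates. The uncatalogued set matters as well: a catalogue is never complete, and a host nobody recognises that is receiving PUT requests is a finding in its own right.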

Disclosure: I work for Trend Micro, but the views expressed in this article are mine.
