Shadow IT: An Overview Of Its Risks And Mitigation Tips

23 March 2022


Day by day, information technology (IT) hardware, software, and services that are neither assessed nor managed by an organisation's IT department are freely used by employees, teams, and entire departments to do their jobs. This collection of widely used but unreported tools – comprised of applications, systems, computers, and cloud computing services – is referred to as shadow IT.

Some cases of shadow IT usage that may sound familiar to you include amending, storing, and sharing company data via:

● Personal storage drives, e.g. USB flash drives, hard disk drives (HDDs), CDs

● Personal email handles

● Undeclared servers

● Unauthorised file sharing services

However, while shadow IT has been a long-simmering and multi-dimensional issue for organisations worldwide, it is still one of the most overlooked cybersecurity hazards to date. To straighten out your own organisation’s cybersecurity posture, read on to understand the perils of shadow IT and the mitigating actions you can take against them.

Why is shadow IT a growing challenge?

The significant rise of shadow IT can be attributed to the ongoing democratisation and consumerisation of technology; the usage of personal devices for work has been normalised, while easily-available apps and software solutions that improve end-user experience have proliferated.

Another key driver behind shadow IT's growing popularity is the deployment of enterprise-class Software as a Service (SaaS) applications — applications hosted by cloud providers and delivered to end-users over the Internet — which has been observed to boost employee productivity and competitiveness. In fact, 80 per cent of employees admit to using SaaS applications without explicit approval from their IT department. Research also shows that only 45 per cent of company apps are being used regularly, while around 56 per cent of all apps used are outside the ownership or management of IT.

The rapid transition to remote working during the COVID-19 pandemic has also catalysed the adoption of shadow IT by businesses. With companies scrambling to re-establish connectivity and preserve work dynamics, SaaS applications satisfied their urgent needs exactly. But the eager adoption of such quick fixes also means that organisations are now more exposed to cyber-attacks than ever, as exemplified by the emergence of Zoom Bombing threats.

The risks of shadow IT

As mentioned before, shadow IT is increasingly adopted by employees because of its perceived instant advantages. For example, employees have greater freedom to adopt SaaS applications, including Microsoft Office 365 and Monday.com, as needed to reduce their workload. To save the time needed to learn company apps, new hires prefer to simply work with apps they are already familiar with on their personal devices. However, these surface-level benefits do little to offset the potentially high costs of shadow IT, such as:

1. Greater risk of data breaches, leakages, and loss

When employees store or share data using shadow IT, they inadvertently increase their organisation’s vulnerability to data breaches.

Since IT teams have no awareness of or control over the SaaS applications used by employees, they cannot run updates or deploy patches for such third-party software. This leaves sensitive enterprise data at the mercy of insider and outsider threats. Likewise, if employees use unprotected personal desktop computers, laptops, smartphones, or online accounts for business purposes, threat actors gain more entry points through which to infect the organisation’s systems with malware or steal data. In this case, the IT team’s response to cyber-attacks launched through shadow IT devices is also typically delayed or limited, increasing the damage to assets.

2. Compliance issues that affect both employees and the business

Since protective measures and risk assessments are generally not executed on shadow IT applications, employees risk fines by failing to meet their organisation’s compliance guidelines. Organisations may also incur financial penalties from legal authorities in the event of a data breach that leaks confidential client data and violates laws such as the General Data Protection Regulation (GDPR) in the European Union (EU), or the Personal Data Protection Act (PDPA) in Singapore. In the worst-case scenario, organisations can encounter investigation or litigation for severe data breaches, which can leave a black mark on their public image.

3. Unnecessarily higher IT costs straining organisational finances

The lack of visibility or control over shadow IT hardware, software, and services usually causes organisations to exceed their IT budget. This happens when staff members purchase or subscribe to tools that serve the same uses as solutions acquired through enterprise arrangements. Hence, resources are wasted on applications of inefficient, duplicated, or redundant functionality. This drain is then worsened by how most IT teams already stretch their budget thin.

4. Disruption of litigation processes

Before the pandemic caused employees around the world to work remotely, it was a mostly simple and straightforward process to search company-owned databases and email systems for materials needed by legal counsel. However, with employees of the New Normal resorting to shadow IT solutions to close communication gaps, organisation files are spread across a widening range of SaaS applications. Ultimately, data retrieval has become more complicated and companies’ ability to preserve litigation-related evidence has dropped. This puts them at a clear disadvantage against any legal opponent.

Tips to mitigate the dangers of shadow IT

1. Enhance the visibility of all deployed systems

To develop a comprehensive cybersecurity programme, your IT team needs to be able to identify all deployed systems across your entire organisation. They must devise ways to detect as many shadow IT tools as possible. This involves employing automated asset discovery methods for cloud infrastructure. As for SaaS applications, they will have to carry out regular software surveys as well as budget and finance audits. Utilising automated SaaS management or Software Asset Management (SAM) platforms is also a viable option that saves time compared to manual discovery techniques.

Once all running systems have been identified, your IT team can then carry out risk assessments to identify any vulnerabilities that may be exploited by cyber-attackers and devise remedial measures against them. They can also analyse application usage patterns to identify which software is important, to whom, and for what period. This will inform any of your organisation’s decisions to continue or terminate the usage of any applications.

Finally, ensure that you have a regular network monitoring schedule to maintain an accurate record of new shadow IT applications or devices.

2. Provide employees with a list of approved and prohibited SaaS software

SaaS offers too many appealing benefits – from lowered IT costs to scalable usage – to not play an important role in business operations. As SaaS application usage rises within your organisation, you can reduce its security risks by creating two comprehensive catalogues – one for software that the IT department has approved, and the other for software that is deemed unsafe for employees’ usage. Employees can refer to these lists to make better judgments on the applications they can or cannot download. Your IT department can then take the necessary steps to block employees from buying, installing, or launching items on the prohibited list.
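The visibility tip above (monitoring usage to find new shadow IT, and profiling which software is used by whom and for what period) and the approved/prohibited catalogues of this tip can be combined into one routine check. The following is an added example, not code from the original article or from GROUP8: it scans constructed web-proxy log lines against constructed allow and block catalogues and builds a usage profile for every destination that is not sanctioned. All domains, user names and log entries are placeholders.

```python
"""Flag shadow IT candidates in web-proxy logs against IT's SaaS catalogues.

Added example, not from the original article. Catalogue domains, user names
and log lines are all constructed placeholders.
"""
from collections import defaultdict
from datetime import datetime

# Constructed catalogues (assumed to be maintained by the IT department).
APPROVED = {"docs.approved-suite.example", "chat.approved-suite.example"}
PROHIBITED = {"share.unvetted-drive.example"}

# Constructed proxy log lines: "<ISO timestamp> <user> <destination host> <bytes sent>".
SAMPLE_LOG = """\
2022-03-01T09:02:11 alice docs.approved-suite.example 1200
2022-03-01T09:15:40 bob share.unvetted-drive.example 5400000
2022-03-02T10:01:03 alice boards.unknown-saas.example 3100
2022-03-03T14:20:55 carol boards.unknown-saas.example 9800
2022-03-09T08:45:12 bob share.unvetted-drive.example 120000
"""

def parse_line(line):
    ts, user, host, sent = line.split()
    return datetime.fromisoformat(ts), user, host.lower(), int(sent)

def classify(host):
    """Catalogue lookup; anything not listed is a shadow IT candidate."""
    if host in APPROVED:
        return "approved"
    return "prohibited" if host in PROHIBITED else "unknown"

def shadow_it_report(log_text):
    """Usage profile per non-approved host: who uses it, how often, since when."""
    usage = defaultdict(lambda: {"status": "", "users": set(), "hits": 0,
                                 "bytes_out": 0, "first": None, "last": None})
    for line in filter(str.strip, log_text.splitlines()):
        ts, user, host, sent = parse_line(line)
        status = classify(host)
        if status == "approved":
            continue  # sanctioned use is not shadow IT
        rec = usage[host]
        rec["status"] = status
        rec["users"].add(user)
        rec["hits"] += 1
        rec["bytes_out"] += sent  # volume sent out matters for leakage risk
        rec["first"] = min(filter(None, [rec["first"], ts]))
        rec["last"] = max(filter(None, [rec["last"], ts]))
    return dict(usage)
```

Hosts reported as "prohibited" are candidates for blocking, while "unknown" hosts are the ones to triage into one of the two catalogues.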

3. Adopt software-defined governance

Share the best cybersecurity practices and enforce shadow IT policies across the entire organisation. Begin by educating your staff on shadow IT and its dangers, before encouraging them to be open about the external applications or personal devices they use for work. Next, instil into all employees, be it fresh hires or senior department managers, the understanding that they are required by company policy to gain IT approval to use any new software, hardware, or service.

Moreover, your organisation can consider developing software-defined policies around each employee's role, their environment, the teams they belong to, and the purpose of each application. It is also constructive to involve and gain input from individual teams or departments when designing policies that regulate shadow IT. After all, these groups of employees may know more about the nature of, and regulations surrounding, the technology they use.

Conclusion

In light of the protracted and widespread shift to remote working, there is, unfortunately, no silver bullet for removing the risks of shadow IT completely. Organisations must take it upon themselves to develop an all-encompassing and strategic approach to lower the probability of experiencing cyber-attacks that target the security holes in their shadow IT. And to ease the load of this important and exacting task, organisations can also consider getting the support of a cybersecurity firm.

If you need expert and experienced help in screening your systems and networks for exploitable vulnerabilities, do not hesitate to reach out to us at hello@group8.co. At GROUP8, we provide a wide range of cybersecurity solutions for business growth, such as CREST-certified Singapore pen test services. With our help, you can rest assured that your IT infrastructure is thoroughly assessed and well-defended according to the highest international standards.