Shadow IT

Shadow IT poses significant challenges for organizations and their IT departments. It requires a strategic approach to address the security and compliance risks that come with shadow IT, all while balancing the need to empower employees with the appropriate tools and technologies.

Shadow IT refers to the use of hardware, software, or cloud-based services in an organization without the knowledge or approval of the central IT department. This typically happens when employees use unsanctioned applications, devices, or cloud services to perform their work more efficiently or conveniently without going through the official IT procurement and approval processes.

Shadow IT includes using personal devices, file-sharing tools, messaging apps, productivity software, and other cloud-based services that the organization’s IT team does not manage or support.

The rise of cloud computing and the consumerization of IT have contributed to the proliferation of shadow IT, as employees have easier access to a wide range of self-service technologies to meet their specific needs. While shadow IT can boost employee productivity and innovation, it also introduces significant security and compliance risks for the organization, as unsanctioned technologies may not be subject to the same security measures and controls as approved IT systems.

Shadow IT can manifest in a variety of ways in an organization, as employees seek out unsanctioned technologies to improve their productivity and efficiency. Some common examples of shadow IT include:

Unauthorized Cloud Applications and Services

Employees may use personal accounts for cloud-based productivity, collaboration, or file-sharing tools, such as Slack, Trello, Dropbox, or Google Drive, without the knowledge or approval of the IT department. That means sensitive corporate data may be stored and shared outside the organization’s secure environment.

Bring-Your-Own-Device (BYOD) Practices

Employees may use their personal laptops, tablets, smartphones, or other devices to access corporate resources and perform work-related tasks, bypassing the organization’s device management and security policies. This can introduce vulnerabilities and make it more difficult for the IT team to maintain control over the technology landscape.

Unauthorized Software Installations

Workers may install unapproved software, such as messaging apps (e.g., WhatsApp, Skype), generative AI tools, or other productivity applications, on their corporate-issued or personal devices to streamline their workflows. These unsanctioned applications may not be subject to the same security controls and patch management processes as the organization’s approved software.

Rogue IT Projects

In some cases, employees or even entire departments may initiate their own IT projects or acquire new technologies without the knowledge or approval of the IT team. This can lead to deploying systems or applications that are not integrated with the organization’s existing infrastructure, creating operational inefficiencies and security risks.

Unauthorized Data Storage and Sharing

Employees may use personal email accounts, USB drives, or other unsanctioned file-sharing methods to store and transmit corporate data, bypassing the organization’s data governance and security policies. This can result in losing control over sensitive information and increase the risk of data breaches or compliance violations.

Shadow IT can emerge within an organization in diverse ways, often driven by employees’ desire to improve their productivity and efficiency. However, using these unsanctioned technologies can expose the organization to significant security, compliance, and operational risks that must be addressed through a comprehensive shadow IT management strategy.

Several common types of shadow IT can emerge in organizations:

• SaaS applications: The implementation of cloud-based software-as-a-service (SaaS) applications, such as productivity tools, collaboration platforms, or file-sharing services, without the knowledge or approval of the IT team. These unsanctioned SaaS apps may lack proper access controls, security measures, and data governance policies.
• Personal devices and email accounts: Using personal laptops, tablets, smartphones, or email accounts to access, store, or share corporate data, which bypasses the organization’s security policies and controls. This can lead to data leaks and compliance issues.
• Virtual machines: Employees create and use virtual machines on their desktops, servers, or in the cloud without the IT department’s knowledge or oversight. This can lead to vulnerabilities, default accounts, and poor configuration hygiene.
• Shadow IoT devices: This includes smart, connected devices like fitness trackers, cameras, printers, and even some medical devices that employees bring into the workplace without the knowledge or approval of the IT department. These devices can introduce vulnerabilities and provide potential pathways for threat actors to access the corporate network.
• Rogue network subnets: The addition of new network subnets, often due to office expansions or company acquisitions, that are not properly managed or integrated into the organization’s overall network infrastructure. These “shadow” subnets can create blind spots and security risks.
• Unauthorized network hardware: Employees connect devices like consumer-grade Wi-Fi access points, printers, cameras, or other hardware to the corporate network without the IT team’s knowledge or approval. These unmanaged devices can expose the organization to potential vulnerabilities and security breaches.

By understanding the various types of shadow IT, organizations can develop more targeted strategies to identify, manage, and mitigate the associated risks.

Now, let’s consider best practices to effectively manage shadow IT and mitigate its risks.

Gain Visibility

The first step is to gain visibility into the organization’s shadow IT landscape. Specialized tools can continuously monitor the network and cloud environments to identify unsanctioned applications, devices, and services. By having a comprehensive inventory of shadow IT assets, organizations can better understand the scope of the problem and prioritize their mitigation efforts.

Establish Clear Policies and Guidelines

Organizations should develop and communicate clear policies and guidelines around the use of technology in the workplace. These policies should outline the approved software, hardware, and cloud services that employees can use, as well as the process for requesting and obtaining approval for new technologies.

Empower Employees with Approved Tools

To reduce the need for employees to turn to shadow IT, organizations should ensure that they have access to a comprehensive suite of approved and supported tools that meet their productivity and collaboration needs. By proactively providing employees with the right tools and resources, organizations can minimize the incentive for them to seek out unsanctioned alternatives.

Implement Security Controls

Organizations should implement robust security controls, such as multi-factor authentication, encryption, and access management, to secure both sanctioned and unsanctioned technologies. Additionally, they should ensure that all devices and applications are properly patched and updated to mitigate known vulnerabilities.

Educate and Train Employees

Ongoing employee education and security awareness training are crucial for managing shadow IT. Employees should be made aware of the potential risks associated with shadow IT, as well as the approved processes for requesting and using new technologies. Regular security awareness training can also help employees recognize and avoid potential threats, such as phishing attacks or data breaches.

Collaborate with Employees

Rather than taking a heavy-handed approach, organizations should work collaboratively with employees to understand their technology needs and find approved solutions that meet their requirements. A collaborative approach can help foster a culture of trust and transparency, where employees feel empowered to work with the IT department to address their technology needs.

By implementing these best practices, organizations can gain more control over shadow IT activity, mitigate the associated risks, and empower their employees to work more efficiently and securely.

The proliferation of shadow IT in organizations can introduce a range of significant risks and issues that should be addressed.

Security Risks

Using unsanctioned applications and devices outside the control of the IT department can create significant security vulnerabilities. These unauthorized technologies may not have the same security controls, encryption, or access management protocols as approved corporate systems, exposing the organization to potential data breaches, malware infections, and other cyber threats. Without visibility into the shadow IT landscape, the organization’s attack surface expands, making detecting and responding to security incidents more difficult.

Compliance Violations

Many industries are subject to strict regulatory requirements for handling and storing sensitive data. When employees use unapproved applications and cloud services to store or share corporate data, the organization may be at risk of non-compliance with relevant laws and regulations, such as HIPAA, GDPR, or PCI-DSS. The use of shadow IT can lead to costly fines, legal penalties, and reputational damage if the organization violates these compliance standards.

Data Governance

Shadow IT can result in losing control over corporate data, as employees may store sensitive information on personal devices or in unsanctioned cloud storage solutions. This makes it challenging for the organization to maintain proper data governance, backup, and disaster recovery procedures, potentially leading to data loss or leakage. Additionally, the use of multiple, uncoordinated applications can create “data silos,” making it difficult to obtain a comprehensive view of the organization’s information assets.

Control Issues

Many workers deploy cloud apps in the corporate environment with the best of intentions. They’ve discovered an app that works great, and they use it and share it with colleagues. But IT hasn’t approved it because they don’t know about it.

The IT team might think they have 20 or 30 shadow apps on their network, which might be manageable. But when they run a Shadow IT discovery check, they’re shocked to find 1,300 such applications they had no idea were there. The more unknown apps on the network, the greater the risk from shadow IT. And you can’t secure what you don’t know about.

Operational Inefficiencies

The proliferation of shadow IT can lead to “app sprawl,” where different departments or individuals unknowingly acquire duplicate or overlapping software solutions. The result is wasted time, money, and resources as the organization struggles to manage and maintain these disparate systems. Additionally, the lack of integration between shadow IT applications and approved corporate systems can hinder collaboration and productivity.

Talent Management Challenges

When employees use unsanctioned technologies, it can create difficulties in managing and supporting the organization’s technology landscape. IT teams may struggle to provide adequate support and training for these unauthorized applications. Losing an employee responsible for a shadow IT solution can leave the organization with a knowledge gap and operational disruptions.

While shadow IT poses significant risks to organizations, there are also potential benefits that should be considered:

• Increased employee productivity and efficiency by allowing the use of preferred tools and applications.
• Reduced IT costs by leveraging free or low-cost cloud-based services without central IT involvement.
• Empowerment of employees to innovate and find creative solutions to their work challenges.
• Optimization of limited IT resources by allowing employees to self-provision basic services.
• Improved communication and collaboration through the use of cloud-based tools.

While these benefits can be compelling, organizations must carefully weigh them against the significant security, compliance, and operational risks associated with shadow IT. A comprehensive shadow IT management strategy is necessary to strike the right balance between empowering employees and maintaining control over the technology landscape.

In today’s cloud-first world, governing your users’ access to both IT-authorized and unauthorized apps (Shadow IT) has never been more important. The average enterprise has an estimated 1,000 cloud apps in use. And some of these have serious security gaps that can potentially put organizations at risk and violate compliance regulations and mandates. The widespread use of shadow IT poses many cybersecurity threats:

• Expanded attack surface and reduced visibility into the organization’s IT environment, making it easier for cybercriminals to exploit vulnerabilities and gain unauthorized access.
• Data breaches and leaks of sensitive corporate data, such as personally identifiable information (PII), financial records, or intellectual property, due to the use of unsecured cloud-based applications and file-sharing tools.
• Malware infections and the potential spread of cyber threats throughout the organization’s network, as unsanctioned devices and applications may not be subject to the same security protocols and antivirus protections as approved IT systems.
• Credential theft and unauthorized access to corporate systems and resources due to employees storing login credentials for shadow IT applications in unsecured locations.
• Insider threats and the potential for data exfiltration, as disgruntled or careless employees may use shadow IT to bypass security controls and steal sensitive information.
• Operational disruptions and loss of productivity due to the use of unsupported technologies, as the IT department may struggle to provide adequate support and maintenance for these unauthorized applications.

A common shadow IT is when a user grants broad OAuth permissions to third-party apps. This inadvertently violates data residency regulations, such as GDPR. In addition, attackers often use third-party add-ons and social engineering to trick people into granting broad access to your approved SaaS apps—such as Office 365, G Suite, and Box—that typically contain sensitive data.

Several key trends and statistics indicate that shadow IT is rising within organizations. Below are some of the most compelling reasons why shadow IT is increasing.

• Shift to remote and hybrid work: The global shift to remote and hybrid work models during the COVID-19 pandemic has been a major driver of the increase in shadow IT. As employees work from home, they have sought out new cloud-based tools and applications to maintain productivity and collaboration, often without the knowledge or approval of the IT department.
• 65% of experienced remote workers use shadow IT: Data shows that 65% of employees already working remotely before the pandemic are currently using some form of shadow IT, compared to only 31% working remotely after the pandemic. This suggests that the more comfortable employees become with remote work, the more likely they are to adopt unsanctioned technologies.
• Accelerated digital transformation: The need for rapid digital transformation to support remote work and online business operations has led many organizations to quickly adopt new cloud-based tools and services. However, this has often outpaced the ability of IT teams to properly vet and approve these technologies, resulting in the proliferation of shadow IT.
• 97% of cloud apps used in the average enterprise are shadow IT: Research by Netskope found a staggering 97% of cloud applications used within the average enterprise are considered shadow IT—not approved by the central IT department. This highlights the scale of the shadow IT challenge facing many organizations.
• Desire for productivity and efficiency: Employees often turn to shadow IT solutions because they perceive them as more user-friendly, efficient, or better suited to their specific needs than the approved corporate tools.
• 60% of office workers use shadow IT because it’s easier than dealing with IT: Statistics show that around 60% of office workers use shadow IT because they find it easier than working with their company’s IT team. This suggests that the perceived friction or bureaucracy associated with the IT department can be a significant factor in the rise of shadow IT.

These findings underscore a mounting need for organizations to better address the underlying drivers of shadow IT and develop more effective strategies to manage and mitigate the associated risks.

From data breaches and malware infections to compliance violations and operational disruptions, the prevalence of unsanctioned applications and devices can leave corporate assets vulnerable to a wide range of cyber threats. To effectively mitigate these shadow IT risks, organizations should consider implementing comprehensive solutions like those offered by Proofpoint.

Proofpoint’s Shadow solution transforms endpoints into a “web of deceptions,” making it difficult for attackers to move laterally within the network and gain access to critical assets. By using over 75 active deception techniques, Shadow can imitate credentials, connections, data, and other artifacts that appear valuable to threat actors, allowing security teams to detect and track their activities. Additionally, Proofpoint’s Identity Threat Defense Platform provides end-to-end protection against identity-based threats, helping organizations discover and remediate vulnerable identities, as well as detect and respond to active threats.

Proofpoint’s CASB solution can further help govern the use of shadow IT cloud apps and services by offering a centralized view of your cloud environment. It provides insights into who is accessing what apps and data in the cloud from where and from which device. CASBs catalog cloud services (including third-party OAuth apps), rate the risk level and overall trustworthiness of cloud services, and assign them a score. CASBs even provide automated access controls to and from cloud services based on cloud service risk scores and other parameters, such as app category and data permissions.

By leveraging these advanced security solutions, organizations can gain visibility into their shadow IT landscape, deploy deceptive techniques to thwart attackers, and enhance their overall security posture. As the threat landscape continues to evolve, it’s crucial for businesses to proactively address the risks posed by shadow IT and protect their valuable data and resources. By partnering with Proofpoint, organizations can stay ahead of the curve and safeguard their operations against the growing menace of shadow IT. To learn more, contact Proofpoint.