Many of us will seek out the WiFi password when going into a building, and the reality for many businesses is that the majority of their employees will have signed into the network with their mobile phones, tablets, and increasingly their smart watches.
A report from Infoblox estimates that over three quarters of all organisations have more than 1,000 business devices - laptops and tablets supplied by the company - connected to the enterprise network on a typical day. These are enough of a challenge in themselves to manage, but they don’t tell the full picture about devices in a business. 35% of companies in the US, UK and Germany say that they have over 5,000 non-business devices connecting to the network each day, with almost 40% used to connect to social media, as well as to download apps, games and films.
These unauthorised devices and apps are part of a growing problem for businesses known as shadow IT - also known as stealth IT or rogue IT. It's an issue that has been exacerbated by the rise of cloud services, as it becomes more and more difficult to assess exactly where business data is stored and who controls it.
However, shadow IT is not just about people connecting to the network with personal devices. It also encompasses unofficial data flows, such as the use of USB flash drives, and software that is not supported or authorised by a company’s IT department. This can be as simple as an employee using a file-sharing technology like Dropbox to share documents that the IT department aren’t aware of, or installing an instant messaging tool to make communication easier.
Why is shadow IT a problem?
Aside from the issues around how employees in a company are spending their time, the bigger problem is that non-business devices often don’t have the security functions and standards of devices supplied or managed by an organisation.
Similarly, software and applications that haven’t been authorised by IT may end up unwittingly presenting a security threat.
Even harmless apps on personal devices can carry hidden threats. In 2017, McAfee researchers identified 144 apps on the Google Play store that contained a malware strain called Grabos. The malware was disguised as seemingly harmless audio players, and had been downloaded up to 17 million times.
Shadow IT is a symptom of a wider problem: employees are taking matters into their own hands when it comes to the hardware or software they need in order to work effectively. Some of the most common shadow apps are instant messaging and file sharing apps such as Skype and Google Docs, which staff are installing and using in order to collaborate across the business.
Although using software like Google Docs may seem harmless on the surface, it opens up the risk of employees accidentally (or deliberately) leaving sensitive documents exposed online - the digital equivalent of leaving a document on the train. When staff leave, the IT department need to know that there are no stray files on non-business sharing systems that may have been forgotten about.
Shadow IT doesn’t always have to be negative, however. Companies with a bring your own device (BYOD) policy are actively encouraging the use of personal technology in the workplace, often because the benefits of increased productivity and cost savings outweigh the risks. There are also ways that IT departments can reduce security risks with BYOD, including educating staff on secure passwords, encouraging installation of the latest updates and security patches on operating systems, and defining which applications can actually run on a corporate network.
One type of shadow IT that may grow to be a particular problem in businesses is IoT devices. Devices like connected kettles, digital assistants, smart TVs and even fitness trackers are growing in popularity, and all need an internet connection, which, in a business, ends up being the enterprise network. There are well-reported issues with IoT devices at present, including the Mirai botnet, which has grounded some of the world’s biggest technology companies.
For some industries, shadow IT poses challenges around compliance. If data is being transmitted through unofficial channels, it can prove impossible to comply with initiatives like the GDPR, financial standards and data security principles.
Here are some other common implications of shadow IT that businesses may face:
- Inefficiencies and performance bottlenecks. If shadow IT systems are being used as well as or instead of existing systems, it can be difficult to identify more efficient work processes;
- Hidden costs from other workers needing to re-check the validity of data, and setting up systems and software without the necessary experience;
- Inconsistencies in both business logic and approach, with small differences and errors accumulating across versions of applications with no version control or linking between them;
- Risks of data loss or leaks, as data that goes through unauthorised applications or devices may not be subject to proper backup procedures, or authentication for appropriate access;
- Wasted investment in software that may be doing the same job in a business.
Business attitudes to shadow IT
Some businesses are very relaxed about shadow IT. They believe that the benefits brought by increased collaboration and innovation, particularly with the pace of change in technology, outweigh any direct security risks, and instead focus on educating employees to be able to identify threats.
Because of the way it encourages productivity and agility, shadow IT can also be used as a prototype for future workflows, technologies and systems that can then be approved in the future.
However, others see shadow IT as a risk to the way staff work, instead believing that it is better for tools to be implemented across an organisation to avoid information and workflow silos. It is also easier for the IT department to identify and combat threats if they’re aware of what hardware and software are operating on the business’s network.
Managing the risks of shadow IT
It's almost impossible to turn back the clock when it comes to shadow IT, and many staff would resent reverting to a highly locked-down IT environment, especially in a workplace which seeks to encourage collaboration.
Instead, IT professionals must look to manage shadow IT rather than fighting it. This can be done by making a comprehensive list of applications staff are using, and seeing how it varies across departments, which in turn can also be a good way to identify tools that the business can adopt 'officially'.
Endpoint management is one way to keep an eye on all assets and software on a business network. Once these have been identified, the next step is to ensure that these are in line with the company's policies, and to identify potential issues with any vulnerable applications.
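One way to carry out the inventory step described above, shown as an added example that is not part of the original article. The device names, inventory rows, approved list and 50% threshold are constructed assumptions standing in for an endpoint-management export.

```python
from collections import defaultdict

# Constructed sample data: (device, department, application) rows such as an
# endpoint-management export might contain. All names are illustrative.
INVENTORY = [
    ("lt-001", "finance", "Microsoft Office"),
    ("lt-001", "finance", "Dropbox"),
    ("lt-002", "finance", "Dropbox"),
    ("lt-003", "marketing", "Dropbox"),
    ("lt-003", "marketing", "Skype"),
    ("lt-004", "marketing", "Microsoft Office"),
    ("lt-005", "engineering", "Dropbox "),
    ("lt-005", "engineering", "Skype"),
    ("lt-006", "engineering", "Microsoft Office"),
]
APPROVED = {"microsoft office"}  # assumed list of sanctioned software


def shadow_it_report(inventory, approved, adopt_threshold=0.5):
    """Group unapproved applications by department and flag widely used ones."""
    devices = set()
    users_of = defaultdict(set)                      # app -> devices running it
    by_dept = defaultdict(lambda: defaultdict(set))  # dept -> app -> devices
    for device, dept, app in inventory:
        devices.add(device)
        key = app.strip().lower()  # normalise so "Dropbox " matches "dropbox"
        if key in approved:
            continue
        users_of[key].add(device)
        by_dept[dept][key].add(device)
    per_department = {
        dept: {app: len(devs) for app, devs in apps.items()}
        for dept, apps in by_dept.items()
    }
    # An unapproved app found on a large share of devices is a candidate for
    # review and possible official adoption rather than simple removal.
    candidates = sorted(
        app for app, devs in users_of.items()
        if len(devs) / len(devices) >= adopt_threshold
    )
    return per_department, candidates


if __name__ == "__main__":
    per_department, candidates = shadow_it_report(INVENTORY, APPROVED)
    for dept, apps in sorted(per_department.items()):
        print(dept, apps)
    print("review for official adoption:", candidates)
```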
Security awareness training can also be a valuable tool in an organisation's security strategy. Making staff aware of the dangers that clicking questionable links poses to the business network, even from their personal devices, can reduce incidents of carelessness. This is also a good opportunity to reinforce any company policies around personal device and application use, as well as existing software the business may already have access to.