Shadow IT is one of the biggest challenges facing organizations today. According to Gartner, by 2020, a third of all cybersecurity attacks experienced by enterprises will be from their shadow IT resources.
This shadow IT infrastructure can be created, and added to, by any number of individuals and groups within an organization on all types of devices, from laptops to mobile phones. It is often built unwittingly by people with good intentions who are trying to improve their processes or efficiency and who don’t know the potential risks involved. Unfortunately, the rise of shadow IT is often a result of the perception that the IT department is slow, overly restrictive, or unresponsive.
The key to combatting the influx of unauthorized software and cloud services is educating your stakeholders about the true cost of shadow IT. A BSI survey conducted in conjunction with GovNewsDirect found that the threat of data security breaches is exacerbated by the rise of shadow IT, which is often used without the authorization of IT managers.
Results of the survey showed that organizational concerns around shadow IT include data loss (82 percent), security (78 percent), and unauthorized applications (51 percent). To further illustrate the potential cost, another survey, conducted by NetEnrich, showed that 56 percent of respondents estimated that between 20 and 40 percent of their tech funding was spent on shadow IT outside IT’s purview. And, perhaps even more compelling, a study by EMC has estimated that data loss and downtime cost organizations around $1.7 trillion a year.
This illustrates a major concern; it isn’t uncommon for different teams, offices or departments throughout an organization to try to cut out the middleman and buy the software and systems (they think) they need without involving the department that needs to know about it – IT.
While it’s easy to be tempted by the latest and greatest “next best thing” that promises to solve an immediate problem, increase productivity, and maximize efficiency, everyone within the organization needs to think about the ramifications an untested, non-validated, and unapproved add-on might have on the organization’s overall information security. To effectively shine a light on the shadow IT infrastructure, and the harm it can cause, information security professionals must take a multipronged approach to combat the issue.
First, being a true partner and resource to the organization entails designing a system for evaluating new technology needs and solutions. Implementing an information security management system, such as the internationally recognized standard ISO 27001, can help guide organizations through developing an evaluation and auditing process. This process should include employees at all levels to help identify potential new software that can be properly vetted, initiated, and distributed within the proper security protocols.
Implementing the appropriate processes and controls will also allow the IT department to look for cybersecurity vulnerabilities beyond the enterprise and examine threats that exist within the supply chain. Understanding the threats outside the organization and within the supply chain is central to improving the overall resilience and information security of any organization.
As an example, the vulnerability that led to the massive breach of one of the nation’s leading retailers a couple of years ago was introduced by an HVAC vendor, illustrating how the relationship between organizations and their supply chain vendors truly matters. Improving information and organizational resilience requires a holistic approach to cybersecurity that considers potential threats, both within and outside of an organization.
Second, IT departments should set up regular security testing and risk assessment processes, and strongly consider SOC 2 examinations (SOC 2 is a set of industry-standard controls for service providers storing customer data in the cloud) to understand the strengths and weaknesses of their network. Other considerations include Cloud Access Security Broker (CASB) technology solutions, which monitor user activity, extend security controls to cloud applications, and provide insight into the extent of cloud shadow IT.
Engaging an outside independent third-party solution provider to perform security testing can help identify areas of weakness, determine what can be done to reinforce the network, and help train the workforce needed to implement new cybersecurity measures.
This will allow the IT department to understand all the different programs running on the network and how other departments impact the overall enterprise. It will also have the added benefit of speeding up the process by which new programs can be introduced to the network, keeping internal stakeholders happy and humming along with the technology and systems they need to be successful.
Third, business stakeholders should undergo regular security awareness training and understand enterprise data governance and data management requirements. This includes understanding the data assets under their control and related industry, contractual, and regulatory requirements. Stakeholders need to understand the penalties for non-compliance with information security and data privacy requirements and regulations.
By creating processes and controls for enterprise IT, combined with regular reviews and testing of the network, the IT department will be able to keep its network out of the shadows, embed proven information security practices, and work towards larger organizational goals, while at the same time engaging stakeholders. This will result in greater satisfaction among users and a more secure network environment.