6 ways to reduce Shadow IT security risks

by Joe Stangarone, writer, MRC’s Cup of Joe Blog, July 19, 2016

Summary: A rapidly growing trend, “Shadow IT” is the use of unapproved IT systems and solutions within organizations. End users are increasingly bypassing IT in favor of third party solutions and services. In this article, we explore the security risks of Shadow IT, and a few ways to reduce these risks.

Like it or not, Shadow IT is probably alive and well in your organization. It exists in most companies, but the majority of CIOs and IT leaders underestimate its reach.

How bad is it? According to one report, the use of Shadow IT is 15-20 times higher than CIOs predict.

Why is this such a problem? If uncontrolled, Shadow IT will open your business up to a number of security risks, such as:

  • Data privacy risks: When employees purchase and use third-party software without IT’s knowledge, they could put sensitive data at risk. How can IT secure the data if they don’t know it exists? How can IT ensure that the employee’s software is secure if they don’t know what it is? They can’t.
  • Compliance risks: For many companies, regulatory compliance is critical. The problem is, Shadow IT can lead directly to compliance violations. Without knowledge of users’ activity, the IT department can’t ensure compliance. For regulated businesses, this can lead to data loss, fines, and significant vulnerabilities.
  • Enterprise security risks: Users have notoriously bad password habits. Chances are, if an attacker gains an employee’s login credentials for one site, they can use the same information to gain access to another. If the employee uses the same password for enterprise application access, they’ve just given an attacker the keys to your business data.

The question is, how can you protect your business from these risks? Today, let’s explore that topic. Here are 6 ways to reduce Shadow IT security risks.

1. Discover where Shadow IT is hiding

The first step to reducing the risks of Shadow IT: Understand the extent of the problem. You can do this in a couple of different ways.

First, survey your employees. Ask them what software and services they use regularly. You’d be surprised how many unauthorized tools you’ll uncover, simply because the employees don’t realize they’re practicing Shadow IT.

Second, track network traffic. As explained below, the use of scanning techniques will help you identify unauthorized software and systems that are using your network.
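The network-side discovery step above is where a few lines of code help most: once web proxy or DNS logs are available, the question is simply “which destinations are being used that IT never sanctioned, by how many people, and how much data is going there?” The script below is an added example, not code from the article or from MRC; the proxy log format, the domain names and the approved-service allowlist are all constructed for illustration, and a real allowlist would come from your own software inventory.

```python
"""Flag SaaS destinations in proxy logs that are not on IT's approved list.

Added example, not part of the original article. The log format, the
domain names and APPROVED_DOMAINS are constructed for illustration.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed allowlist of services IT has sanctioned. Assumption: in a real
# deployment this is exported from the CMDB or SaaS management tool.
APPROVED_DOMAINS = {"mail.example.com", "crm.example.com", "approved-storage.example"}

# Constructed proxy log lines: "<timestamp> <user> <method> <url> <bytes>"
SAMPLE_LOG = """\
2016-07-19T09:01:12Z alice GET https://mail.example.com/inbox 2048
2016-07-19T09:02:40Z alice POST https://files.unsanctioned-share.example/upload 5242880
2016-07-19T09:03:05Z bob GET https://crm.example.com/accounts 1024
2016-07-19T09:04:51Z bob POST https://files.unsanctioned-share.example/upload 10485760
2016-07-19T09:05:33Z carol GET https://api.unsanctioned-share.example/list 512
2016-07-19T09:06:10Z dave PUT https://notes.rogue-saas.example/sync 4096
2016-07-19T09:07:00Z eve GET https://docs.approved-storage.example/view 256
"""


def registrable_domain(host, levels=2):
    """Collapse a host to its last `levels` labels so that subdomains of one
    service (files.x, api.x) are reported as a single service. Simplification:
    production code should use the Public Suffix List instead of a fixed count."""
    return ".".join(host.lower().rstrip(".").split(".")[-levels:])


def is_approved(host, approved=APPROVED_DOMAINS):
    """A host is approved if it equals, or is a subdomain of, an allowlisted name.
    The leading dot in the suffix check stops 'notapproved-storage.example'
    from matching 'approved-storage.example'."""
    host = host.lower()
    return any(host == a or host.endswith("." + a) for a in approved)


def parse_line(line):
    """Split one constructed proxy log line into a record."""
    ts, user, method, url, nbytes = line.split()
    return {"ts": ts, "user": user, "method": method,
            "host": urlsplit(url).hostname, "bytes": int(nbytes)}


def find_unapproved(log_text, approved=APPROVED_DOMAINS):
    """Group requests to unapproved services.

    Returns {service: {"users": set, "requests": int, "bytes_out": int}};
    bytes_out counts only uploads (POST/PUT), since outbound data is the
    data-privacy concern."""
    report = defaultdict(lambda: {"users": set(), "requests": 0, "bytes_out": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["host"] is None or is_approved(rec["host"], approved):
            continue
        svc = report[registrable_domain(rec["host"])]
        svc["users"].add(rec["user"])
        svc["requests"] += 1
        if rec["method"] in ("POST", "PUT"):
            svc["bytes_out"] += rec["bytes"]
    return dict(report)


def prioritize(report):
    """Rank unapproved services by how many distinct users touch them, then by
    bytes uploaded: the widest-used service is the clearest sign of an unmet
    business need and the first one to talk to users about."""
    return sorted(
        ((svc, len(d["users"]), d["requests"], d["bytes_out"]) for svc, d in report.items()),
        key=lambda row: (row[1], row[3]),
        reverse=True,
    )


if __name__ == "__main__":
    for svc, n_users, n_req, out in prioritize(find_unapproved(SAMPLE_LOG)):
        print(f"{svc:32} users={n_users} requests={n_req} bytes_uploaded={out}")
```

Run as-is it reports two unsanctioned services from the constructed log, with the file-sharing one on top because three different users are uploading to it. In practice the interesting output is not the list itself but the user count per service: one user on a rogue tool is an education conversation, ten users on the same tool is a requirement IT has not met.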

2. Identify the unmet need

Once you’ve identified unauthorized software and systems, you must punish those who are using them…right?


Let me explain. Shadow IT is not the problem. It’s a symptom of a larger problem: Employees aren’t getting the solutions they need from the business. If you try to eliminate Shadow IT without addressing this problem, you’ll only perpetuate the issue. If you want to reduce Shadow IT security risks, you must address the real problem head on.

“Shadow IT exists when corporate IT is failing in a fundamental way,” says Jonathan Gossels, President, SystemExperts Corporation. “We’ve seen currency traders set up their own development shops because corporate development was perceived to be too slow or bureaucratic. We’ve seen Wall Street traders set up their own wireless access points so they could keep an eye on things when they were at the pub across the street for lunch.

No department or line of business wants to set up its own IT infrastructure and bear that budget burden – they only do so because they feel that they have no choice to be successful in the tasks they are measured and compensated on.

It is like finding mouse droppings. If you see shadow IT, it is a clear indication that there is an unmet business need. Organizations need to investigate those unmet requirements and provide the appropriate IT services in a timely, secure, and policy compliant manner.”

3. Change the culture

Sadly, in many companies, IT has developed a “culture of no.” End users feel like IT only gets in the way. It seems like IT looks for reasons to deny requests rather than try to find solutions.

This “technology gatekeeper” mentality may have worked when IT was the only option, but that’s not the case anymore. Now, if IT is viewed as a barrier, end users find their own ways to accomplish their goals.

As explained below, changing this culture is a huge step towards controlling Shadow IT.

4. Give the users the tools they need

The best way to reduce security risks: Make Shadow IT completely unnecessary. As explained above, Shadow IT largely occurs because the business users aren’t getting the solutions they need from IT. If you successfully deliver these solutions, you eliminate the driving force behind the problem.

5. Educate the users

In most cases, employees aren’t practicing Shadow IT maliciously. They’re trying to solve a problem. Most don’t realize the security risks of their actions.

The problem is, many companies take a heavy-handed approach to Shadow IT. They create policies and restrictions, without telling the employees why it’s important. They take an “us-vs-them” mentality.

If you truly want to reduce security risks, educate your users. Make sure your employees understand the risks involved, and why unauthorized tools and software must be avoided. Then, show them how to solve their problems securely, using approved tools and methods.

To read the full article click here.