How to Deal with the Inherent Shadow IT Risk

Shadow IT overview: opportunities and risks

Shadow IT is the use of applications, devices or software without the consent, or even the knowledge, of your corporate IT leadership. Most of the time employees use shadow IT in order to be more efficient and to bypass the processes linked to adopting a new platform in a company, which can be a long decision process. In this era of pandemic, companies are struggling to contain the growing attack surface created by digital transformation and the shift to remote work, which brings new collaborative tools, new ways to communicate between colleagues, partners and customers, and a wider digital footprint that has to be controlled and secured.

More concretely: Have you ever used a personal drive to store or share corporate data? Have you ever requested a corporate file from a colleague on your personal email address or messenger? Better yet: Have you ever set up an undeclared server in order to speed up document sharing and collection on a corporate project? Bingo. Each is an example of shadow IT.

Shadow IT doesn't only have drawbacks. It can enhance the productivity of employees and their flexibility at work, and it can also highlight the software and applications that the IT leadership of your organization needs to consider for investment. In a nutshell, some see in shadow IT an opportunity for fast evolution. However, even with the best intentions in the accomplishment of their work, employees do not realize the threats shadow IT poses. Its detractors argue that this practice withholds information, creates silos, and creates version and protocol conflicts. But the main problem is the lack of security measures consistent with those of the IT department and the whole organization.

With the wide adoption of cloud and "bring your own device" policies, shadow IT has grown exponentially and this trend is expected to continue. It has now been several months since part of the planet began remote work. Some researchers estimate we are now at 10 million remote workers, what an opportunity for attackers! At home, you may be less likely to ask permission, or even advice, from your IT security team before downloading or using platforms and apps that are unusual in the office. This is how blind spots in your network are created: new conferencing tools and new file sharing platforms implemented while trying to adapt to new ways of working, without knowing that business-sensitive information may now be more vulnerable and outside of your control. According to a Gartner estimate from 2018, by the end of the year 2020, "one-third of successful attacks experienced by enterprises will be on data located in shadow IT resources, including shadow Internet of Things." We now understand why.

Use case of a breach linked to Shadow IT

At CybelAngel, we have seen various examples of shadow IT practices that put highly critical documents at risk. One example that comes to mind is the detection of an open server, misconfigured and exposing hundreds of documents related to an ongoing urban construction project. It appears that the team in charge of the design and construction work needed a place to share and store the information provided by the multiple suppliers on the project. So they put in place an FTP server without consulting their IT security team. The server was unfortunately misconfigured and left wide open. With all the information publicly available, a malicious actor could have encrypted and stolen the documents, competitors could have conducted industrial espionage, and the security of the people and premises could have been affected.

Shadow IT prevention: CybelAngel is your ally

There are various steps in preventing and detecting shadow IT, and guess what? We are here to help!

First, start with communication. As an information systems leader in your organization, it's important to understand why your users are using shadow IT software, apps or devices. What are their needs? Then you have your first clue about which effective solutions you may need to put in place to satisfy corporate users in a secure environment.

Second, stay tuned! What are the new trends? New apps? Before trying to find alternative solutions that may not fit the needs of your teams, why not gather information about shadow IT software that may already be compliant with your security policies. In the end, shadow IT users are trying to solve a problem or fill an internal gap by using these undeclared information systems.

Third, monitoring. Here is where CybelAngel's expertise comes in. With the constant monitoring of your keywords (e.g. brands, domains, subsidiaries, project names), we detect misconfigured, unsecured devices that could expose your corporate documents, yours and your third parties'. We also monitor cloud sources, looking for unsecured drive links where sensitive corporate information could be stored and exposed publicly through negligence. CybelAngel is also able to detect domains that your IT department did not register. (So who did? The marketing team, for example. And this is where the attack surface is expanded.)

Facing this growing attack surface, you are not alone. This is a very common issue for the companies we work with, in every sector. By detecting and mapping every undeclared device, undeclared domain, shadow application, etc., we help you identify these potential breaches and guide you through the remediation process.