Americas

  • United States

Asia

Oceania

Mary K. Pratt
Contributing writer

Shadow IT is increasing and so are the associated security risks

Feature
Jun 06, 20238 mins
Business IT AlignmentCloud SecurityData and Information Security

Shadow IT — tech brought into an organization without the security team’s knowledge — continues to be a threat. Managing visibility through increased vigilance and employee education can help mitigate its dangers.

Despite years of modernization initiatives, CISOs are still contending with an old-school problem: shadow IT, technology that operates within an enterprise but is not officially sanctioned — or on the radar of — the IT department. Unvetted software, services, and equipment can be nightmare fuel for a security team, potentially introducing a lurking host of vulnerabilities, entry points for bad actors, and malware.

In fact, it is as big a problem as ever and may even worsen. Consider the figures from research firm Gartner, which found that 41% of employees acquired, modified, or created technology outside of IT’s visibility in 2022 and expects that number to climb to 75% by 2027. Meanwhile, the 2023 shadow IT and project management survey from technology review platform Capterra, found that 57% of small and midsize businesses have had high-impact shadow IT efforts occurring outside the purview of their IT departments.

Experts say that a shift in what comprises shadow IT and who is responsible for it is driving such statistics. In the early days, shadow IT might have been an unsanctioned server that a developer set up for skunk works. Later, it was systems implemented by business unit leaders without IT involvement because they favored a particular vendor or application over the one deployed and maintained by IT.

Although those earlier forms of shadow IT created risk, the main worries in such examples were additional work and costs that the extra systems added to the organization’s technology bill as well as the inevitable absorption of the shadow systems into the official IT department portfolio.

Today, shadow IT is broader and more pervasive, and it’s being brought into the organization by a growing number of employees who are capable of quickly and easily launching tech products and services for their workplace needs without consulting IT or the security team.

Shadow IT today is like “10,000 flowers blooming”

“Shadow IT is back, and it’s back in a big way. But it’s different today. It’s individual employees creating, acquiring, and adapting technology for work. These people have become technologists,” says Chris Mixter, a research vice president with Gartner. “Now shadow IT is like 10,000 flowers blooming. And you can’t stop it. You can’t say to the employees, ‘Stop doing that,’ because you as security don’t even know what they’re doing.”

A mix of tech products and services constitutes shadow IT today. IT can still be comprised of a few unauthorized servers tucked away somewhere, but the ease of operation of modern software means it’s more likely to be made up of more substantial and pervasive technology deployments. Cloud-based and software-as-a-service applications set up by a business unit or even a single employee are common culprits.

“Cloud has made shadow IT easier to exist because in the past when you used to have to procure hardware and know how to get a network connection, there was a barrier to entry. Cloud has lowered that barrier,” says Joe Nocera, leader of the Cyber & Privacy Innovation Institute at professional services firm PwC.

IoT interfaces and undocumented APIs add to the shadow IT danger

Of course, the cloud isn’t the only factor in today’s shadow IT. The ease of deploying internet of things (IoT) components and other endpoint devices also contributes to the problem.

Undocumented, non-tracked third-party application programming interfaces (APIs) are another type of shadow IT that has become common within many organizations. A May 2023 report from tech company Cequence Security found that 68% of the organizations analyzed had exposed shadow APIs.

The ease of accessing cloud resources is certainly a contributing factor to the proliferation of shadow IT today. “You have all these things where all you need [to deploy them] is a credit card — or not, sometimes they’re just free,” says Raffi Jamgotchian, CEO of Triada Networks, an IT and cybersecurity services firm. That ease of access, however, belies the serious risks that shadow IT now presents.

Jamgotchian says workers typically don’t know whether or what security layers the applications they’re buying have or whether anything needs to be added to them to make them secure. Then, to make things worse, they’re often putting sensitive data into these applications to get their work done.

As a result, these workers are creating entry points that hackers can use to access the enterprise IT environment to launch all sorts of attacks. They’re also exposing proprietary data to leaks and possible theft. And they’re possibly violating data security and privacy regulatory requirements in the process.

Shadow IT can increase compliance and regulatory issues

Jamgotchian worked with one company fined by a regulatory agency because the apps being used by workers did not adequately secure and archive data as required by law; in that case, the company’s manager had given workers tacit approval to download and work with apps outside IT’s (and, thus, the security department’s) view, which resulted in the compliance violation.

Furthermore, experts say shadow IT greatly increases the chances that products and services as well as the vendors selling them are excluded from any due diligence review, as IT and security are excluded from the selection process. “This is part of the challenge when people are using these applications without asking if they’re from a trusted vendor,” says Joseph Nwankpa, an associate professor of information systems and analytics at Miami University’s Farmer School of Business.

The resulting cybersecurity risks are significant. Take the findings from a 2022 report by Cequence Security that noted 5 billion of the 16.7 billion malicious requests observed, or 31%, targeted unknown, unmanaged, and unprotected APIs. Capterra’s 2023 study found that 76% of the responding small and medium-sized businesses reported that shadow IT efforts posed moderate to severe cybersecurity threats to the business.

Lack of security review is shadow IT’s biggest problem

And Gartner found that business technologists, those business unit employees who create and bring in new technologies, are 1.8 times more likely than other employees to behave insecurely across all behaviors.

“Cloud has made it very easy for everyone to get the tools they want but the really bad thing is there is no security review, so it’s creating an extraordinary risk to most businesses, and many don’t even know it’s happening,” says Candy Alexander, CISO at NeuEon and president of Information Systems Security Association (ISSA) International.

To minimize the risks of shadow IT, CISOs need to first understand the scope of the situation within their enterprise. “You have to be aware of how much it has spread in your company,” says Pierre-Martin Tardif, a cybersecurity professor at Université de Sherbrooke and a member of the Emerging Trends Working Group with the professional IT governance association ISACA. Technologies such as SaaS management tools, data loss prevention solutions, and scanning capabilities all help identify unsanctioned applications and devices within the enterprise.

Look for spending that points to unauthorized technology use

Jon France, CISO at (ISC)², a nonprofit training and certification organization, says he advises CISOs to also work with their organization’s procurement team and finance department to spot spending that could point to shadow IT. He says scanning worker expense reports is particularly useful in uncovering shadow IT because it helps find reimbursement requests for tech spending that is too small to go through the procurement process.

France and others say CISOs also need to educate workers on security risks posed by shadow IT, but temper expectations on how well that awareness training will help prevent it, Mixter says. He says most workers know the security risks they’re creating but move forward with their plans anyway: Gartner research shows that 69% of employees intentionally bypassed cybersecurity guidance in the last 12 months.

Educate employees about how to onboard new tech

Mixter says workers who deploy shadow IT aren’t malicious in their activities. Rather, they are trying to get their job done more efficiently and looking for tools to help them accomplish that goal. This is why, in addition to awareness training, CISOs should work to empower them by building up their security competence.

“CISOs need to shift to competence building, to ‘Let me help you figure out how to do that safely,’” Mixter says. According to Mixter, that means:

  • Developing guidance targeted at business technologists.
  • Offering options for business technologists to secure their work.
  • Helping business technologists gain relevant security certifications.
  • Integrating cybersecurity solutions into business technologist workflows.
  • Building policies that explicitly cover business technologist activities.

“CISOs have to figure out how much security skill they need, understanding that they can’t make everyone into a security specialist so they must determine what is the minimum competency they need,” Mixter says.

That work pays off, he adds. Gartner has found that those with training targeted to their technology-related activities are more are 2.5 times more likely to avoid introducing additional cyber risk and more than twice as likely to move faster than those business technologists without such training.