Is Shadow IT Putting Your Network in Danger?

How is it that something so ominous-sounding has already found a way into your network? Shadow IT refers to those resources in use without explicit organizational oversight. They may be leveraged by a small group of employees or deployed by an entire department—but have not yet been approved, documented, secured, and integrated into existing tech policies. The work done, and data shared, via shadow IT platforms is thus not under the IT department's jurisdiction. While it is understandable that employees gravitate towards familiar or convenient applications, shadow IT raises considerable risks. Here's why:

Data Blindspots

For one, shadow IT increases the unofficial flow of data. If the chosen platform fails to secure that content, for example by failing to provide end-to-end encryption, that creates major liabilities in the event of a breach. If the centralized IT team does not know where company data is, and does not have set parameters for exchange and containment, it is also much harder to comply with initiatives such as the Sarbanes-Oxley Act, Gramm-Leach-Bliley Act, GDPR, HIPAA, etc.

A recent report from IBM estimates that:

  • 60% of organizations fail to include shadow IT when assessing their security posture
  • 1 in 5 businesses have weathered a cybersecurity incident due to unsanctioned IT resources

Hidden Costs

Shadow IT resources don't just put companies at risk; they also drain budgetary resources. Gartner found that these platforms are eating up 30-40% of IT spend, though the Everest Group estimates that number is closer to 50%. How is such a discrepancy possible? Apparently, CIOs have consistently underestimated just how prominent shadow IT is in their workplace. Gartner reported that CIOs misjudge shadow IT reach by a factor of 15 to 22x. This brings to light the prediction that by 2020, a third of successful cyberattacks will have originated with shadow IT resources.

Image courtesy of IBM.

Avoiding a Data Disaster

The most direct way of addressing shadow IT is by educating your employees on the danger these platforms pose to your organization, clients, and colleagues. Provide training that articulates the high cost of a data security incident, and ways to avoid one. Also, create a process for onboarding these shadow platforms, if they can be securely integrated into your network. By making your employees part of this process, and allowing them to voice their preferences, you make them more likely to endorse the changes you implement and less likely to engage in risky cyber behavior.

Here are a few more ways to secure your network:

  1. Restrict access to unapproved third-party applications
  2. Create a list of approved platforms and vendors for employee reference
  3. Implement network monitoring to detect unknown devices and potential threats
  4. Conduct regular data audits for a thorough sense of content created, shared, and stored
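
Steps 2 and 3 above (an approved-platform list plus network monitoring) can be combined into one check. The following is an added example, not part of the original article: it compares outbound proxy log entries against an allowlist and ranks unapproved destinations by data uploaded. The log format, host names, and allowlist are constructed assumptions.

```python
from collections import defaultdict

# Assumed allowlist of sanctioned platforms (constructed for this example).
APPROVED = {"mail.corp.example", "files.corp.example"}

# Constructed proxy log lines: timestamp user destination_host bytes_uploaded
SAMPLE_LOG = """\
2024-05-01T09:00:01Z alice mail.corp.example 1200
2024-05-01T09:02:10Z bob filedrop.test 5000000
2024-05-01T09:03:44Z carol filedrop.test 2500000
2024-05-01T09:05:00Z bob eu.files.corp.example 800
2024-05-01T09:06:30Z dave notes-app.test 40000
2024-05-01T09:07:12Z bob FileDrop.test. 1000
malformed line here
2024-05-01T09:08:00Z erin files.corp.example.filedrop.test 300
"""

def is_approved(host, approved=APPROVED):
    """True if host is an approved domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in approved)

def find_unsanctioned(log_text, approved=APPROVED):
    """Map each unapproved host to its users, request count and bytes uploaded."""
    findings = defaultdict(lambda: {"users": set(), "bytes_out": 0, "requests": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # skip malformed lines rather than abort the audit
        _, user, host, nbytes = parts
        host = host.lower().rstrip(".")  # normalise case and trailing dot
        if is_approved(host, approved):
            continue
        entry = findings[host]
        entry["users"].add(user)
        entry["bytes_out"] += int(nbytes)
        entry["requests"] += 1
    return dict(findings)

def report(findings):
    """Rank unapproved hosts by bytes uploaded, largest first."""
    return sorted(findings.items(), key=lambda kv: kv[1]["bytes_out"], reverse=True)

if __name__ == "__main__":
    for host, info in report(find_unsanctioned(SAMPLE_LOG)):
        print(f"{host}: {len(info['users'])} users, {info['requests']} requests, {info['bytes_out']} bytes out")
```

Matching on the full domain suffix, rather than a substring, keeps a lookalike host such as `files.corp.example.filedrop.test` from passing as approved.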


For more information about the security risks of shadow IT, reach out to iCorps for a free consultation.
