ISACA Now Blog


Shadow IT: What Is It and Is It Really Risky?

Raef Meeuwisse, CISM, CISA, Author, Cyber Simplicity Ltd.
Posted at 3:04 PM by ISACA News | Category: Security

These days, if you want an application for something and you don’t have it already installed, it is pretty easy to get it within minutes from the internet. No company credit card? No problem, you can probably find a free or trial version.

Locked down desktop? No problem, use it as a remote cloud service through your browser, or there might even be something that can bypass the administrative permissions...

Even with the tightest data loss prevention and device management controls in place, it is still easy for anyone to step outside the network and create confidential information somewhere on the internet, beyond the circle of trusted technology.

Ten-plus years ago, shadow IT existed only in companies that combined massive budgets with lousy technology departments. Times have changed: in its latest predictions, Gartner research expects 30 percent of cybersecurity compromises to be due to shadow IT by 2020.

If your organization has more than a handful of employees, it is certain that technologies are being used for company information that your security and technology people have no idea about.

If you think unapproved use of Dropbox or webmail is something to monitor, multiply that problem by at least tens of thousands. Beyond the well-known cloud services, there are literally tens of thousands of cloud solutions and millions of applications out there. One click by an employee and any of them can become an unsanctioned part of your organization's technology landscape.

Is It Really Risky?
Yes. Imagine a highly sensitive document, such as a financial results presentation ahead of its stock-market announcement, accidentally placed on a public or insecure internet platform. That kind of incident could damage the brand and even lead to prosecutions and substantial regulatory fines.

During any shadow IT clean-up, it is quite typical to discover that highly sensitive information has inadvertently been placed in public or low-security solutions. Far better that your own organization makes that discovery and fixes the problem than somebody else!

All organizations have information of value. Whenever a valuable information asset is placed into a technology that has not been vetted or approved, there is a Russian roulette-style risk: it might prove harmless, or it could cause major damage.

What Can Be Done?
Much like the nature-and-nurture argument, there are proactive and reactive techniques that can be used to help control and mitigate the risks from shadow IT.

On the proactive side, education and awareness for all employees goes a long way. Also, if you have fast, easy, clear and fair processes for rapidly assessing and providing the technologies staff need, the extent of your shadow IT problem is bound to be lower. In my own recent experience at two different organizations, shadow IT was more widespread where the technology department was not addressing the needs of its community.

If you know that your organization is slow and unresponsive to changes in technology, the likelihood is that you have a larger shadow IT footprint than average.

Fortunately, there are also some great tools that can help discover and monitor what information and services your organization is actually using.
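The discovery step that those tools perform can be approximated with existing data most organizations already have: outbound web-proxy logs. The script below is an added example written for this page; it is not a tool the post refers to and not the author's code. It assumes a constructed, space-separated proxy log format (timestamp, user, method, URL, bytes sent, status), a hypothetical allowlist of sanctioned services (SANCTIONED), and invented hostnames such as pastebin.example and freenotes.example. It groups every destination that is not on the allowlist by registrable domain and ranks the results by how many distinct users reached it and how much data was uploaded, which is the first question a shadow IT clean-up has to answer.

```python
"""Shadow IT discovery from web-proxy logs (added example, not the post's own code).

Assumed log format, one request per line, space separated:
    <timestamp> <user> <method> <url> <bytes_sent> <status>
Destinations are compared against a sanctioned-service allowlist by registrable
domain, so contoso.sharepoint.com matches a "sharepoint.com" allowlist entry.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample log lines (not real traffic); hostnames ending in
# .example are invented for the illustration.
SAMPLE_LOG = """\
2016-10-07T09:12:01Z alice POST https://www.dropbox.com/upload 5242880 200
2016-10-07T09:12:33Z alice GET https://contoso.sharepoint.com/sites/finance 0 200
2016-10-07T09:15:10Z bob POST https://api.pastebin.example/api/api_post.php 20480 200
2016-10-07T09:16:45Z carol POST https://www.dropbox.com/upload 1048576 200
2016-10-07T09:18:02Z bob POST https://www.dropbox.com/upload 3145728 200
2016-10-07T09:20:00Z dave GET https://outlook.office365.com/owa/ 0 200
2016-10-07T09:21:11Z erin POST https://notes.freenotes.example/sync 409600 201
this line is garbage and should be skipped
"""

# Hypothetical allowlist of services the organization has vetted.
SANCTIONED = {"sharepoint.com", "office365.com", "microsoft.com"}

# Suffixes where the registrable name sits one label deeper than the TLD.
# A production deployment should use the Public Suffix List instead.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(host):
    """Reduce a hostname to its registrable domain (e.g. www.dropbox.com -> dropbox.com)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return host.lower()
    if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES and len(labels) >= 3:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def parse_proxy_line(line):
    """Parse one log line into a dict, or return None for malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, user, method, url, bytes_sent, status = parts
    host = urlsplit(url).hostname
    if host is None or not bytes_sent.isdigit():
        return None
    return {"ts": ts, "user": user, "method": method.upper(),
            "host": host, "bytes_sent": int(bytes_sent), "status": status}


def discover_unsanctioned(log_text, sanctioned):
    """Aggregate requests to destinations outside the allowlist, keyed by domain."""
    sanctioned_domains = {registrable_domain(d) for d in sanctioned}
    report = defaultdict(lambda: {"users": set(), "requests": 0, "bytes_uploaded": 0})
    for line in log_text.splitlines():
        rec = parse_proxy_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the whole run
        domain = registrable_domain(rec["host"])
        if domain in sanctioned_domains:
            continue
        entry = report[domain]
        entry["users"].add(rec["user"])
        entry["requests"] += 1
        # Only request bodies count as data leaving the organization.
        if rec["method"] in ("POST", "PUT"):
            entry["bytes_uploaded"] += rec["bytes_sent"]
    return dict(report)


def rank_by_exposure(report):
    """Return (domain, distinct_users, bytes_uploaded) tuples, widest exposure first."""
    rows = [(d, len(e["users"]), e["bytes_uploaded"]) for d, e in report.items()]
    return sorted(rows, key=lambda r: (r[1], r[2]), reverse=True)


if __name__ == "__main__":
    for domain, users, uploaded in rank_by_exposure(discover_unsanctioned(SAMPLE_LOG, SANCTIONED)):
        print(f"{domain:<24} users={users:<3} uploaded_bytes={uploaded}")
```

Run against the sample, dropbox.com tops the list with three distinct users and about 9 MB uploaded, while the two invented services each show a single user. The ranking is deliberately by distinct users before bytes: one person syncing a large personal folder is a conversation, but a service that several teams have independently adopted is a sign the sanctioned toolset is not meeting a real need, which is exactly the proactive fix the section above argues for.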

Editor's note: If you want to know more about employee-led cloud adoption and other shadow IT issues and solutions, make plans to attend the free webinar, Securing "Shadow IT" and Sensitive Company Data in the Cloud, at 11 a.m. (CDT), Thursday, 15 September. The webinar will be moderated by ISACA Director of Thought Leadership and Research Ed Moyle, and include panelists Raef Meeuwisse, CISM, CISA, Director, Cyber Simplicity Ltd.; Martin Johnson, Sr. Director of Cloud Product Marketing, Blue Coat Systems, Inc.; and Mari Heiser, Senior Technical Staff Member, IBM Cloud Division. For more information or to register for the webinar click below. Meeuwisse is the author of Cybersecurity for Beginners and other titles.

Register Now
Unresponsive to change

Great point about being unresponsive to change. There is an organization that has an issue where they have end users, with valid use cases, clamoring to use Windows 10 tablets. Unfortunately, their centralized security management systems are not ready for prime time when it comes to supporting Win10. These end users can go their own way, buy these tablets, utilize them as they desire and then move documents they create on those tablets to and from cloud services. I guess they can just hope these users practice proper security hygiene. A terrible problem for sure.
Matthew684 at 10/7/2016 3:17 PM