These days, if you want an application for something and you don’t have it already installed, it is pretty easy to get it within minutes from the internet. No company credit card? No problem, you can probably find a free or trial version.
Locked down desktop? No problem, use it as a remote cloud service through your browser, or there might even be something that can bypass the administrative permissions...
Even if you think you have the most secure data loss prevention and device management protocols known to man, it is still easy for any person to just jump out of the network and create confidential information somewhere on the internet and outside that circle of trusted technology.
Ten plus years ago, shadow IT only existed in companies with a combination of massive budgets and lousy technology departments. Times have changed. Now, in the latest predictions from Gartner research, 30 percent of cybersecurity compromises are expected to be due to shadow IT by 2020.
If your organization has more than a handful of employees, it is certain there will be technologies being used for your company information that your security and technology people may have no idea about.
If you think using Dropbox or webmail without company approval is something to monitor, try multiplying that problem out by at least tens of thousands. In addition to the really well known cloud services, there are literally tens of thousands of cloud solutions and millions of applications now out there. Just one click from an employee and that solution can start becoming an unsanctioned part of your organization’s technology landscape.
Is It Really Risky?
Yes. Imagine that some super sensitive document, such as a pre stock-market financial results presentation is accidentally placed in a public or insecure internet platform. That kind of incident could be brand damaging and even lead to prosecutions and substantial regulatory fines.
During any shadow IT clean up, it is quite typical to discover that highly sensitive information has inadvertently been placed in public or low security solutions. Far better that your own organization makes that discovery and fixes the problem than somebody else!
All organizations have information of value. Whenever a valuable information asset is placed into a technology that has not been vetted or approved, there is a Russian roulette style risk. It might prove harmless but it could just cause some major damage.
What Can Be Done?
Just like the nature and nurture argument, there are proactive and reactive techniques that can be used to help control and mitigate the risks from shadow IT.
On the proactive side, education and awareness for all employees goes a long way. Also, if you have fast, easy, clear and fair processes for rapidly assessing and providing required technologies for staff, the extent of your shadow IT issues are bound to be lower. During my own recent experience in two different organizations, shadow IT continues to be more widespread where the technology departments are not addressing the needs of their communities.
If you know that your organization is slow and unresponsive to changes in technology, the likelihood is that you have a larger shadow IT footprint than average.
Fortunately, there are also some great tools that can help uncover, discover and monitor what information and services your organization is actually using.
Editor’s note: If you want to know more about employee-led cloud adoption and other shadow IT issues and solutions, make plans to attend the free webinar, Securing “Shadow IT” and Sensitive Company Data in the Cloud, at 11 a.m. (CDT), Thursday, 15 September. The webinar will be moderated by ISACA Director of Thought Leadership and Research Ed Moyle, and include panelists Raef Meeuwisse, CISM, CISA, Director, Cyber Simplicity Ltd.; Martin Johnson, Sr. Director of Cloud Product Marketing, Blue Coat Systems, Inc.; and, Mari Heiser, Senior Technical Staff Member, IBM Cloud Division. For more information or to register for the webinar click below. Meeuwisse is the author of Cybersecurity for Beginners and other titles.