Many of you are probably unfamiliar with this term, so let’s start by explaining its meaning. The term “shadow IT” makes the whole thing sound a lot more sinister than reality, but it’s not wholly wrong. Shadow IT is a term that represents the use of unauthorized software or hardware in a business context. It’s only called “shadow IT” because the company and its’ IT workers do not know that such resources are being used. This creates a blind spot in your security, and that is something that should be avoided.
Common Forms Of Shadow IT
In most cases, shadow IT is just a program that is used by an employee for a specific purpose. This might include communication apps like Skype or Zoom, workflow management software like Trello or Asana, public cloud services like Google Drive or iCloud, or any number of other programs. Unauthorized hardware like outdated laptops, private servers, etc. can also represent a form of shadow IT but are less common.
Understanding The Blind Spot
It’s important to understand how shadow IT creates blind spots for your security. There are multiple aspects to this problem. First of all, most shadow IT comes in the form of free and publicly available apps. The big problem is patching or the lack thereof.
As you probably know, all software consists of code that is used to execute the functions of the program. Unfortunately, source code can often have flaws and vulnerabilities. It is very difficult for a software programmer to foresee every possible manipulation of the code, so these flaws are very common. That’s why software and operating systems have to be frequently updated: In most cases, those updates are just patching known vulnerabilities.
Once a particular vulnerability becomes known, criminals will rush to exploit that loophole before it closes. Unfortunately, some software providers are much less diligent than others. You can control your own network, but you can’t control what some other company does with its software. As you might expect, free programs tend to be the less diligent examples. It is important for your cybersecurity team to understand all possible avenues of attack, so shadow IT is kind of like that hidden pass that led to the defeat of the Spartans at Thermopylae. Those blind spots can easily cause disaster.
Shadow IT Is Not Worth The Risk
Some companies don’t worry about shadow IT because it can actually aid productivity. When people have more freedom to use the programs they want, it often allows them to get things done more quickly. When you stick with what you know, you will usually be able to work faster. Also, free programs and apps can save money by providing services that would otherwise add to the budget. However, the risks are greater than the rewards. It is hard to have good security without a few inconveniences, and this is no exception.
Dealing With The Shadow IT Problem
Let’s talk about some things that you can do to reduce the risks associated with shadow IT. First of all, there is no way to completely eliminate the use of shadow IT. To do that, you would have to control the actions of all your employees on a 24/7 basis, which isn’t realistic. Again, most people will tend to stick with what they know best, even if the rules say otherwise.
You can cut out the use of unauthorized devices very easily. Just use a little trick called MAC address exclusion. To do this, get into your router settings and look at the firewall settings. A firewall prevents certain connections, whether incoming or outgoing. You can exclude certain IP addresses from connecting to your network, but you can also exclude certain MAC addresses. These are unique hardware IDs that are found on all internet-capable devices. In any case, set your firewall to refuse any connection that doesn’t come from an approved MAC address. This will create a little more work for your IT team, as all authorized devices must be added to the list, but it’s a great first step.
You should also give your employees a way to recommend particular resources for approval. Some free/common apps are safe and well-maintained, so you might want to allow them. Even if they do create a small vulnerability, at least the risk will be known and can therefore be mitigated. Good employee training is another good thing to consider. People usually utilize shadow IT resources simply because they don’t know a better way to perform the task. In short: If you want people to do things in one particular way, make sure you teach them how it’s done.
You should also consider using some sort of virtualized captive portal to filter connections to your business network. Virtualization creates a safe and insulated environment between your business network and any outside entity that connects. You can’t necessarily control the security of an outside device, but you can force them to connect to the network in one specific way, using an environment that you can control as a “middleman.”
You can also use in-house apps as a way to discourage the use of outside software. For instance, if you get your IT team or provider to create an internal messaging/calling app, it will discourage the use of other communication methods. This method will only work if your in-house app is both effective and easy to use. Make your preferred option the most convenient option.
As companies gain more and more remote workers, there is every indication that this problem will not go away. The risks of shadow IT will always exist and must always be considered when evaluating your security structure. Every connected device or app is a potential avenue of attack, and criminals have always preferred the darkest roads. If you are in need of additional advice or help in dealing with a shadow IT problem, you can call PCH Technologies at (856) 754-7500.