As business users using IT become increasingly used to running apps in their personal lives, the growth of “Shadow IT” has darkened corporate IT departments. Shadow IT is a term that is used to describe unsanctioned IT devices and applications that are managed and used without the knowledge or approval of the organisation’s IT department.
Over the years, Bring Your Own Device (BYOD) was a phenomenon that most IT departments could not stop. Often overlooked, however, is that with BYOD came BYOA or Bring Your Own Applications.
Users’ comfort level with devices and “as a Service” cloud-based applications have led to a spike in the use of unauthorised devices and applications across businesses. Unchecked, Shadow IT provides rich pickings for cybercriminals who can target valuable company data in systems that are not under the purview of a company’s cybersecurity personnel.
Put Simply, Shadow IT is a Data Privacy Nightmare and Major Target for Cyber Attackers.
A report by Everest Group suggested that 79% of IT professionals identified Shadow IT as their biggest risk to the security of data and information. This should not be a surprise as nobody can protect what they don’t know to exist. Business users that subscribe to unauthorised SaaS-based applications are already going outside of corporate guidelines, and it is highly unlikely they will pay any attention to securing these applications. Hackers know this, which is why targeting data in Shadow IT applications comes under the heading of “picking the low hanging fruit”.
Where users are subscribing to unknown cloud-based apps, it is often the case that they will also install a corresponding application to their laptop to access the app, think Dropbox where many users install the Dropbox executable on their laptops. Now think security 101. Unpatched, out of date applications on laptops remain one of the biggest areas of a successful cyber breach. Shadow IT leads to a host of applications on people’s laptops with no IT team governance on updates and patching – A recipe for disaster indeed.
Being an easy target is one thing, but the size of the prize is another, and that’s where Shadow IT is like the proverbial crown jewels for the cyber attacker. Business users often jump into using unauthorised applications because their IT department isn’t moving fast enough and they want to take advantage of the latest and greatest apps for team collaboration, customer engagement, sales analysis and the like. Can you see the red flag waving? Shadow IT applications often involve the use of highly confidential and valuable company data. A breach could not only lead to the theft of valuable company assets, but it could also see your company liable for penalties of PDPA-type legislation.
The equation is simple, Easy Victim + High-Value Data = Prime Attack Target
The solution to this problem starts with implementing data privacy and governance guidelines and rules. Staff need to be educated on why data privacy matters and how they, as individuals, are part of the data privacy chain.
Another critical component to the solution is to ensure that data stays in the places and applications where it belongs and can be effectively secured. For this, you will need tools that can not only automate the process of data privacy protection, but also report and monitor data activity, protection and compliance. IBM Guardium is an example of a tool that can provide all of the above capabilities to give you the much-needed control over all your structured and unstructured data traffic.
Attempting to secure data privacy in the face of cloud-based Shadow IT also requires automated intelligence at scale. Essentially, controlling Shadow IT requires a tool like IBM’s QRadar that can identify the type of applications being used, by whom, in what cloud and by what purpose. This has to be automated and by gaining visibility into unapproved usage of cloud applications into your own organisation, can you have the teeth to enforce your data privacy compliance rules.
Most companies that don’t employ tools like IBM Guardium and QRadar have no handle on how pervasive Shadow IT is in their organisation and no policies to guide users on how to avoid the pitfalls. Unfortunately, simply blocking users from accessing all third-party applications or services isn’t a viable solution either. It’s all about having visibility and control over your data to enable your organisation to mitigate the risks while reaping the benefits of using these services, such as cost savings and better efficiency.
In short, your IT and security teams don’t have to be in the dark when it comes to Shadow IT. There are now tools made available from companies like IBM that can help you shine a light on this shade.