Shadow IT – a loophole for cybercriminals, a problem for businesses

Data shared by Microsoft indicate that 80% of employees use applications that have not been approved and secured by the IT department. As a result, shadow IT is becoming both a loophole for cybercriminals and a serious problem for businesses.


Statistics leave no doubt: every day employees use applications and devices of which their IT department knows nothing. And what it does not know about, it cannot control or protect. According to the 2022 SaaS Visibility and Impact Report by Torii, 80% of attacks on companies since the beginning of the pandemic have made use of applications that lie outside the scope of responsibility of IT departments.


Shadow IT gives attackers extensive possibilities, since it comprises cloud-based services (SaaS, PaaS and IaaS) as well as software and devices such as computers, smartphones and tablets. The most popular applications of this kind used in business are Dropbox, WhatsApp, Apple AirDrop and other file sharing tools.


One should bear in mind that employees do not use shadow IT out of spite. Most of the time, they reach for new applications and devices unapproved by security departments in order to do their job better and more effectively, explains Krzysztof Andrian, CEO at Concept Data. Needless to say, this phenomenon has become more widespread due to the pandemic and remote work, which meant reduced control and the use of private devices for business tasks.


Growing costs, higher risks of attacks


Though shadow IT is meant to help employees, in the longer run it can cause serious damage to companies. The use of equipment and applications that have no authorisation from the IT department creates risks for the company's reputation, its compliance with legal regulations and its budget.


Loss of control and visibility. Once business information moves into tools or systems that the IT department does not manage, the company no longer controls it. It then becomes difficult to ensure compliance with legal regulations and to prevent data leakage.


Loss of access to data. Organisations may lose access to data held in shadow IT resources, especially when the data owner leaves the company. An example: a personal Dropbox account in which an employee stores customer contracts or project documentation. If that employee is dismissed, the company may struggle to retrieve critical customer data.


Inefficient architecture. If an organisation does not know what data are processed, or where, the IT department cannot ensure the security or the adequate performance of the architecture.


Costs. When shadow IT becomes a crucial part of a project that grows and evolves, the organisation's costs grow with it. This is a frequent issue with SaaS.


Non-compliance with regulations. Organisations that operate under strict legal regulations are exposed to high risk when they use shadow IT. For instance, if a medical centre stores sensitive patient data in a shadow IT solution, it may face costly lawsuits and fines for non-compliance.


Unknown attack surface. The larger the shadow IT footprint, the more data sits outside the security perimeter, and the greater the exposure to cyberattacks. Why? Because in-house penetration tests, intrusion detection systems and SIEM only cover the assets the security team knows about; shadow IT is, by definition, not on their list.


Shadow IT under control


Is it possible to keep the danger at bay? First and foremost, companies need technology that detects shadow IT by locating and identifying every IT resource in the environment: equipment, software, virtual instances, cloud components and smart devices. Purpose-built solutions can monitor unusual network activity, unexpected purchases, data migrations, workloads and patterns of IT use.


These are Discovery solutions, which scan the network and gather the following information:


  • Device name and type as well as its network address
  • Device configuration: hardware/software/firmware version
  • Device state, capacity and performance


When we talk to our customers, we recommend BMC Discovery which provides a full view of the IT infrastructure as well as current information about the environment, dependencies, security and their impact on services. By implementing this solution, companies get the Real-time Visibility Across IT, i.e. uninterrupted insight into the components and operations of the IT infrastructure. Data regarding availability, dependencies, errors, security features and compliance with regulations influence business, bringing multiple benefits to companies, says Krzysztof Andrian.
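What a discovery result is actually good for is the reconciliation step: comparing what the scan found against what the IT department has on record, and joining that with what the network sees devices doing. The Python script below is an added illustration, not BMC Discovery output and not Concept Data's code. It takes a constructed scan result carrying the fields listed above (name, type, address, software/firmware version), a constructed approved-asset inventory, and a few constructed DNS resolver log lines, and produces two views: devices that are unmanaged or whose recorded firmware has drifted, and clients resolving the file-sharing and messaging services named earlier in the article. The device data, MAC addresses, inventory, log lines, sanctioned suffixes and watchlist are all assumptions invented for the example.

```python
"""Reconcile a network discovery scan against the approved asset inventory and
flag unsanctioned SaaS use seen in DNS logs. Added example with constructed
data; it is not BMC Discovery output or Concept Data code."""
from dataclasses import dataclass

# Constructed discovery results: one record per device with the fields a
# Discovery scan gathers (name, type, network address, software/firmware version).
SCAN_RESULTS = [
    {"name": "fs-01", "type": "server", "ip": "10.0.1.10",
     "mac": "00:11:22:33:44:01", "os": "Windows Server 2019", "firmware": "2.1.4"},
    {"name": "sw-core", "type": "switch", "ip": "10.0.0.2",
     "mac": "00:11:22:33:44:02", "os": "IOS 15.2", "firmware": "15.2"},
    {"name": "ws-kowalski", "type": "workstation", "ip": "10.0.2.41",
     "mac": "00:11:22:33:44:03", "os": "Windows 11", "firmware": "1.12"},
    # Two devices nobody registered: a NAS with no hostname and a private phone.
    {"name": "", "type": "nas", "ip": "10.0.3.77",
     "mac": "00:11:22:33:44:99", "os": "embedded", "firmware": "1.0.0"},
    {"name": "iphone", "type": "smartphone", "ip": "10.0.2.133",
     "mac": "aa:bb:cc:dd:ee:01", "os": "iOS 17", "firmware": "17.1"},
]

# Constructed approved inventory (what the IT department knows), keyed by MAC.
INVENTORY = {
    "00:11:22:33:44:01": {"name": "fs-01", "firmware": "2.1.4", "owner": "IT"},
    "00:11:22:33:44:02": {"name": "sw-core", "firmware": "15.2", "owner": "Network"},
    # Recorded firmware is stale: the scan observes 1.12, the inventory says 1.10.
    "00:11:22:33:44:03": {"name": "ws-kowalski", "firmware": "1.10", "owner": "Finance"},
}

# Constructed resolver log: "<timestamp> <client ip> <queried name>".
DNS_LOG = """\
2024-03-05T09:12:01Z 10.0.2.41 api.dropboxapi.com
2024-03-05T09:12:04Z 10.0.2.41 sharepoint.example-corp.com
2024-03-05T09:15:30Z 10.0.2.133 web.whatsapp.com
2024-03-05T09:16:02Z 10.0.2.58 login.microsoftonline.com
2024-03-05T09:18:45Z 10.0.2.58 content.dropboxapi.com
"""

# Assumed sanctioned domain suffixes and a watchlist of the services named above.
SANCTIONED_SUFFIXES = ("example-corp.com", "microsoftonline.com")
WATCHLIST = {"dropbox.com": "Dropbox", "dropboxapi.com": "Dropbox",
             "whatsapp.com": "WhatsApp"}


@dataclass(frozen=True)
class Finding:
    ip: str
    mac: str
    reason: str


def reconcile(scan, inventory):
    """Flag scanned devices missing from the inventory, and inventory drift
    (firmware recorded by IT differs from what the scan actually observed)."""
    findings = []
    for dev in scan:
        known = inventory.get(dev["mac"])
        if known is None:
            label = dev["name"] or "no hostname"
            findings.append(Finding(dev["ip"], dev["mac"],
                                    f"unmanaged {dev['type']} ({label})"))
        elif known["firmware"] != dev["firmware"]:
            findings.append(Finding(dev["ip"], dev["mac"],
                                    f"firmware drift: inventory {known['firmware']}, "
                                    f"observed {dev['firmware']}"))
    return findings


def _matches(fqdn, suffix):
    # Suffix match on label boundaries so "notdropbox.com" does not match.
    return fqdn == suffix or fqdn.endswith("." + suffix)


def unsanctioned_saas(log_text):
    """Map each client IP to the watchlisted services it resolved, ignoring
    names under a sanctioned suffix."""
    seen = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        _, client, fqdn = parts
        fqdn = fqdn.lower().rstrip(".")
        if any(_matches(fqdn, s) for s in SANCTIONED_SUFFIXES):
            continue
        for suffix, service in WATCHLIST.items():
            if _matches(fqdn, suffix):
                seen.setdefault(client, set()).add(service)
    return seen


def shadow_it_report(scan, inventory, log_text):
    """Join both views: which unsanctioned services each client used and
    whether the client is a managed, inventoried device at all."""
    by_ip = {d["ip"]: d for d in scan}
    report = []
    for client, services in sorted(unsanctioned_saas(log_text).items()):
        dev = by_ip.get(client)
        report.append({
            "client": client,
            "services": sorted(services),
            "host": (dev["name"] if dev and dev["name"] else "unknown"),
            "managed": dev is not None and dev["mac"] in inventory,
        })
    return report


if __name__ == "__main__":
    for f in reconcile(SCAN_RESULTS, INVENTORY):
        print(f"{f.ip:<12} {f.mac}  {f.reason}")
    for row in shadow_it_report(SCAN_RESULTS, INVENTORY, DNS_LOG):
        print(row)
```

Two details matter in practice. Devices are keyed by MAC rather than IP, because IP addresses change with DHCP and the inventory is supposed to identify the device, not its current lease. And a client that shows up in the DNS log but not in the scan (10.0.2.58 here) is itself a finding: the resolver sees traffic from a host the discovery scan never reached, which is exactly the visibility gap this kind of tooling is meant to close.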


Capitalising on shadow IT


Employee habits and every available forecast indicate that shadow IT is here to stay. That is why companies should tame it rather than fight it. How? First, by getting the situation under control with Discovery. Second, by taking a close look at the tools employees use without the IT department's knowledge; this points the way to developing and extending the company's infrastructure. Third, by training employees: informing them about the threats related to shadow IT and explaining how the organisation can meet the teams' technology needs without bypassing the standard approval procedures.


Employees know perfectly well what tools they need for work. By talking to them, managers get to know their expectations and can better adjust the company’s plans for technological development to what the teams actually need. After implementing equipment and applications for which there is high demand within the company, the employer will increase the security of resources and the satisfaction of employees, not to speak of facilitating the work of IT departments, concludes Krzysztof Andrian.


Read more about Discovery solutions:


IT under constant supervision. 5 advantages of BMC Discovery



Our Office

Company’s Registration Address:


Concept Data SA

ul. Piękna 24/26A
00-549 Warszawa


office: +48 22 833 86 35

fax: +48 22 832 17 19

NIP: 701-055-33-94

KRS: 0000984497

Office Address:

ul. Gen. Józefa Zajączka 32

01-518 Warszawa


office: +48 22 833 86 35

fax: +48 22 832 17 19

