Unauthorized use of unsecured business applications presents a growing danger. So-called shadow IT leaves GRC teams needing to prevent end users from taking actions that, while seemingly expedient, completely undermine otherwise robust cybersecurity and data protection measures.
Let’s say your sales team spends a lot of time on conference calls. Their assigned enterprise application is clunky, disconnects frequently and the video keeps buffering. Out of frustration, they decide to use another tool they find more stable. The problem: The IT team is out of the loop, does not know of the software’s existence and therefore cannot manage its risks.
Shadow IT, the unauthorized use of software, applications or hardware, is an ongoing IT blind spot for many organizations. Moreover, the proliferation of software-as-a-service applications, the sudden rise of remote work and the ubiquity of smartphones significantly amplify the scale of the problem. In fact, for the second half of 2021, industry analysts from CybelAngel report a 40 percent rise in shadow IT incidents. The result is an increase in cybersecurity loopholes that can lead to dire consequences for the business.
Left unchecked, shadow IT can lead to:
More Cyber Attacks and Breaches
The use of shadow IT significantly increases the threat surface because it is unregulated and unsanctioned by the business. Applications may have unpatched errors and vulnerabilities that can leave gaping holes in the security posture. Cyber criminals can use these weak spots to carry out surveillance, launch damaging attacks or steal sensitive information. Use of shadow IT by malicious insiders is also a major concern. For example, in the Coca-Cola trade secret theft case, an engineer leveraged Google Drive to facilitate the IP theft.
Absence of Control
It is impossible for IT teams to have visibility or control over company software and data that is outside their purview. This can create a major governance issue for IT teams, especially in an environment where there is an expanding list of rapidly evolving compliance mandates (e.g. GDPR, CCPA, etc.) forcing businesses to maintain tighter security standards.
Non-Compliance
Employees who use shadow IT put their organization at risk of not meeting compliance obligations. This can be particularly concerning in a situation where organizations are subject to stringent compliance laws that govern collection, storage, transmission and use of sensitive data. Organizations can face expensive lawsuits and run the risk of losing brand reputation, customer trust and competitive edge.
Loss of Data and Failure of Recovery
There is always the potential for businesses to lose sensitive data if it is stored in unregulated or unprotected locations. A simple example is Google Drive or Dropbox, where an employee may choose to store contracts, customer lists or sales presentations. If that worker leaves the organization or terminates their personal cloud storage accounts, this data is lost permanently. Moreover, in the case of a cyber incident, the data is neither accessible nor backed up and may be impossible to recover.
Lack of Accountability
Instances of shadow IT in an organization signify a problem. It could mean that end users are not being given the IT resources they need to do their jobs, so they instead look to alternative tools. It might indicate a general lack of support from leadership or issues with line managers allowing their teams to work around mandated IT guidelines and policies. It could also mean the IT team has not clearly communicated the risks of shadow IT.
How Can Businesses Mitigate Risks of Shadow IT?
Overall, GRC professionals need to recognize the risks and causes, then take steps to enact more effective IT controls. While shadow IT is nearly impossible to eliminate, risk and compliance teams can use a “defense-in-depth” approach to mitigate risks. Such an approach consists of three main elements:
- Technical controls: Today’s solution marketplace offers an array of mature products that can detect the presence of unregulated hardware, software, and SaaS applications lurking on the network. While this toolset may not discover every instance of shadow IT, it can go a long way toward reducing the risk.
- Policies and procedures: As there is a major lack of accountability surrounding shadow IT, policies and procedures help establish the right governance framework. GRC professionals should provide end users with an acceptable use policy (AUP) that clearly outlines the list of approved software and hardware along with what the organization will or won’t tolerate. Businesses must also highlight the process of seeking approval and what requesters can expect in terms of turnaround times.
- Security awareness and education: Shadow IT starts with the employee, so it’s critical they understand the risks and impacts of their actions. This can only be achieved through security awareness exercises and regular training programs. The ultimate goal is for employees to realize how they themselves are a central piece in the security puzzle and why established controls need to be honored and respected.
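As an added illustration of the technical-controls element above (example code, not from the original article or any vendor product), the script below runs a sanctioned-application allowlist over constructed web-proxy log lines, reports which users are reaching unsanctioned SaaS services, and flags large uploads as a data-loss signal. The log format, user names, domains and allowlist are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (not real traffic):
# timestamp, user, destination host, bytes uploaded
SAMPLE_LOG = """\
2024-03-04T09:12:01Z alice files.sanctioned-share.example 184320
2024-03-04T09:13:44Z bob dl.dropboxusercontent.com 9437184
2024-03-04T09:15:02Z carol drive.google.com 52428800
2024-03-04T09:16:30Z bob meet.sanctioned-conf.example 2048
2024-03-04T09:20:11Z dave api.wetransfer.com 734003200
2024-03-04T09:21:05Z alice drive.google.com 1024
"""

# Hypothetical allowlist of approved services (matched by domain suffix),
# the kind of list an acceptable use policy would publish.
SANCTIONED = {"sanctioned-share.example", "sanctioned-conf.example"}

# Illustrative consumer file-sharing domains worth surfacing to the GRC team.
KNOWN_SAAS = {
    "dropbox.com": "Dropbox", "dropboxusercontent.com": "Dropbox",
    "drive.google.com": "Google Drive", "wetransfer.com": "WeTransfer",
}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")

def classify_host(host):
    """Return the SaaS name for an unsanctioned host, or None if approved/unknown."""
    labels = host.split(".")
    for i in range(len(labels)):          # walk from full host to shortest suffix
        suffix = ".".join(labels[i:])
        if suffix in SANCTIONED:
            return None
        if suffix in KNOWN_SAAS:
            return KNOWN_SAAS[suffix]
    return None

def find_shadow_it(log_text, upload_threshold=1_000_000):
    """Aggregate unsanctioned SaaS use per user; flag uploads over the threshold."""
    usage = defaultdict(lambda: {"bytes": 0, "services": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # skip malformed lines rather than crash
        _, user, host, nbytes = m.groups()
        svc = classify_host(host)
        if svc is None:
            continue
        usage[user]["bytes"] += int(nbytes)
        usage[user]["services"].add(svc)
    return {u: {"services": sorted(d["services"]), "bytes": d["bytes"],
                "large_upload": d["bytes"] >= upload_threshold}
            for u, d in usage.items()}
```

Calling `find_shadow_it(SAMPLE_LOG)` yields a per-user dictionary that can feed a review queue; users with `large_upload` set are the ones to talk to first.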
Ultimately, organizations must recognize that, at the core, shadow IT is a cultural problem. For employees to embrace a security culture, leaders and end-users must engage in ongoing two-way dialogues. That is, end-users should communicate needs and expectations from the business in the same way that IT expresses potential risks.
Both groups need to come together to proactively understand what employees need plus identify opportunities for new technologies. If a company is experiencing chronic incidence of shadow IT, that’s a sure sign that certain tools and services may not be keeping up with existing and evolving end-user requirements.