
Shadow IT! We Shine Light on This Internal Cybersecurity Risk

14 Jul, 2022

Shadow IT, or the use of unauthorised technology by employees at work, continues to rise.

In fact, 35% of employees say they need to work around their company’s cybersecurity policy to get their job done, with 83% of IT professionals reporting that employees have company data stored on unsanctioned cloud servers.

How much of a cybersecurity risk does this pose to your small to medium-sized business (SMB) in South Africa, why does shadow IT happen, and what can you do to protect yourself?

In this article, we shine light on all this and more.

What is Shadow IT?

Also known as stealth IT, shadow IT is any technology (such as hardware, software, devices, or processes) used by employees without the knowledge or approval of the company IT department.

Usually, these are technologies that employees use in their personal lives, or which fill a perceived gap in the official company tools that IT has provided for them.

Shadow IT can pose a serious security risk to an organization as it introduces unsecured and unsupported technology into the network. In addition, it makes it difficult for the IT department to manage and support such technology.

While it can have some benefits, such as increased productivity and faster innovation, the risks typically outweigh the benefits. Thus, organizations should monitor and curb shadow IT.

Real-World Examples of Shadow IT in SMBs: 

File Storage

If employees use consumer file storage services like Google Drive, Mega, and Dropbox in their personal lives, they may turn to these same solutions at work – even if their organization has a different, approved solution in place.

The problem is that data stored on these services is not typically subject to the same security and compliance controls as enterprise solutions like Microsoft OneDrive for Business or Google Workspace.

Communication

Services like WhatsApp, Telegram, and Facebook Messenger are both easy to use and increasingly popular for personal communication. While these apps can improve company communication and collaboration, they also create security risks because chats are not moderated and the company has no visibility into or control over the platform.

Personal Email Accounts 📧

Employees might use personal email accounts like Gmail, Yahoo, or Mweb for work-related purposes, such as sending and receiving work documents or communicating with co-workers. Usage is likely to increase during company email outages and remote work.

Virtual Conferencing 📹

When the company has a mandated platform for virtual conferencing, other options like WhatsApp video calls, Zoom, or Skype might be used instead. This is done for a variety of reasons, such as the perception that the company-approved platform is more difficult to use or because the employees are more familiar with the features of the shadow IT solution.

Personal Devices📱 💻

Devices brought into the organisation from outside, like USB sticks, external hard drives, dongles, tablets, and smartphones, are particularly concerning. They may introduce malware or be used to carry company data, like financial records and client lists, out of the organisation.


Why Does Shadow IT Pose a Major Cybersecurity Problem?

General Lack of Visibility

Because your IT department often can’t ‘see’ what’s happening on shadow IT, it’s impossible for them to spot risks or proactively act to mitigate them.

Greater Risk of Data Breaches and Data Loss

Because shadow IT is not typically subject to the same security and compliance controls as enterprise solutions, data stored on these solutions is at a greater risk of being breached or leaked. And if personal devices holding company data are lost or stolen, businesses won’t be aware of the breach until there’s a known security incident – or until they are informed by the employee guilty of shadow IT.

Likewise, data stored on shadow IT systems won’t fall under the company back-up solution, hence the risk of data loss and major downtime scenarios.

Vulnerabilities from Unpatched Software

When employees use unauthorized solutions, they might not run the updates and patches needed to keep the software secure. As a result, the organization may be more vulnerable to cyberattacks. With company software, by contrast, systems are usually monitored and/or updated automatically by the IT team’s patch management protocols.

Privacy and Compliance Issues

If an employee uses personal email for work, the organization won’t have visibility into the data stored on the account. This could lead to a breach of confidential data or a violation of regulatory requirements, and might entail legal implications depending on the nature of the data and the business. The same applies to file storage.

Actionable Ways to Protect Your Business from Shadow IT

Conduct Internal Audits

Combatting shadow IT starts with an internal audit of your company ICT environment. Implement manual auditing, surveying, questioning, and inventorying, along with cybersecurity software, like Microsoft Defender for Cloud Apps and Symantec CloudSOC CASB, to detect and monitor shadow IT automatically.

Harden Access Control

Restrict access to corporate networks, Wi-Fi, data, and VPNs to pre-approved devices, software, locations, and users only. Change network passwords at least every three months and monitor network usage for shadow devices and processes.
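As an added illustration of the audit and network-monitoring steps above (example code written for this article, not taken from any vendor tool), the script below tallies outbound traffic per user to unsanctioned services. The log format, user names, domain catalogue, and the choice of OneDrive for Business as the sanctioned tool are all assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed catalogue: domain -> (service, category used in the article).
CATALOGUE = {
    "dropbox.com": ("Dropbox", "file storage"),
    "whatsapp.com": ("WhatsApp", "communication"),
    "mail.google.com": ("Gmail", "personal email"),
    "zoom.us": ("Zoom", "virtual conferencing"),
    "sharepoint.com": ("OneDrive for Business", "file storage"),
}
SANCTIONED = {"OneDrive for Business"}  # assumption: the approved tool set

# Constructed proxy log: timestamp,user,host,bytes_out
SAMPLE_LOG = """\
2022-07-14T08:01:12,thandi,www.dropbox.com,5242880
2022-07-14T08:03:40,thandi,contoso.sharepoint.com,1048576
2022-07-14T08:05:02,sipho,web.whatsapp.com,20480
2022-07-14T08:09:55,sipho,mail.google.com,734003
2022-07-14T08:11:31,thandi,www.dropbox.com,1000000
2022-07-14T08:12:07,lerato,notdropbox.com,999
2022-07-14T08:15:44,lerato,us02web.zoom.us,65536
"""

def classify(host):
    """Return (service, category), matching whole DNS labels only."""
    host = host.lower().rstrip(".")
    for domain in sorted(CATALOGUE, key=len, reverse=True):
        if host == domain or host.endswith("." + domain):
            return CATALOGUE[domain]
    return None  # uncatalogued host, e.g. notdropbox.com

def audit(log_text):
    # Sum requests and uploaded bytes per (user, unsanctioned service).
    usage = defaultdict(lambda: [0, 0])
    for _ts, user, host, bytes_out in csv.reader(io.StringIO(log_text)):
        hit = classify(host)
        if hit is None or hit[0] in SANCTIONED:
            continue
        usage[(user, *hit)][0] += 1
        usage[(user, *hit)][1] += int(bytes_out)
    rows = [(u, s, c, n, b) for (u, s, c), (n, b) in usage.items()]
    return sorted(rows, key=lambda r: r[4], reverse=True)  # largest upload first

if __name__ == "__main__":
    for row in audit(SAMPLE_LOG):
        print("%-7s %-9s %-21s requests=%d bytes_out=%d" % row)
```

Sorting by uploaded bytes puts the heaviest data movers at the top, which is where a follow-up conversation with the employee is most worthwhile.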


Employee Education and Training

Ensure employees are aware of the risks of shadow IT and the importance of only using company-approved solutions. It can also help to provide additional training on company software, so employees are confident using all the IT features available to them. This will make it less likely that they resort to shadow IT in the first place.


Have a Clear and Enforceable ‘Shadow IT Policy’

Publish an HR policy that outlines the acceptable use of shadow IT in your SMB. Be sure to enforce the policy and take consistent and appropriate action if it is violated. If you allow employees to use their own devices for work purposes, include Bring Your Own Device (BYOD) clauses that outline security measures for personal devices.

A Caveat of Shadow IT

It’s important to note that the #1 most used form of shadow IT is productivity tools. There’s every chance that, if used correctly, these tools may be more effective, and possibly safer, than the sanctioned tools currently available to employees. (The same applies to all aspects of shadow IT, i.e., communication platforms, file storage, etc.)

In 2020, when so many of us were plunged into remote working owing to lockdown restrictions, employees had no choice but to innovate and find new ways of performing the tasks required of them.

If your employees are getting genuine benefit from a tool, it may well be worth bringing that tool ‘out of the shadows’ and into the organisation’s list of approved ICT – with a thorough security review and under the oversight of the IT department, of course.

Request a Free Shadow IT Risk Assessment for Your Small Business

Be sure to take steps to protect your business from the dangers of shadow IT.

If you’re not sure where to begin, iSite Computers can help. Schedule a free consult with one of our cybersecurity experts today, and we’ll help you better understand the risks of shadow IT, and what your SMB can do about it.

Book your free 30 – 60-minute call, or reach out for more information.
