What Is Shadow IT and How Can Enterprises Manage It?

Enterprise IT teams are kept more than busy enough trying to ramp up cybersecurity for the devices they know are connected to their networks — but what about those devices they don’t know about?
So-called shadow IT — devices, applications and storage systems that emerge from sources outside the sanctioned IT team — has arisen rapidly in response to teams’ needs for workflows capable of keeping up with the break-neck speed of business today. But what’s good for productivity can be a nightmare for cybersecurity, as unapproved endpoints, software programs and applications may not be up to rigorous cybersecurity standards needed to mitigate the high risk of data breaches.
Shadow IT emerged as a solution intended to avoid the “red tape” that slowed centralized IT efforts — but it’s putting companies at risk.
Here’s more on this important subject.
Key Challenges Associated with Shadow IT
If executives and IT leaders were hoping shadow IT would take care of itself, it’s time to get realistic. Research firm Gartner predicted by 2020, one-third of successful cyberattacks on enterprises would originate from shadow IT resources. Although employees don’t mean to open up vulnerabilities when they integrate new technology into the network without IT’s stamp of approval, shadow IT does open up more potential sources ripe for data breach.
IT teams are facing the challenge of even knowing how much shadow IT exists within their org and where — let alone having the time and resources to mitigate this risk after discovering it. For instance, new tools may start out with lax user permissions plus poor quality passwords that change infrequently, which means one well-targeted phishing scheme could grant access to a malicious source. At any given time, there may be hundreds of people with access to an account or tool, but no formal log to allow the business to keep tabs on access.
When IT teams are unaware of what shadow IT is running at any given time, it’s more difficult to identify data breaches and close them — let alone take proactive measures to stop them from happening in the first place.
Many organizations, depending on their industry, could also face compliance issues if certain tech fails to comply with regulations — like a hospital inadvertently violating HIPAA, a fact that comes to light when its shadow IT is breached by a hacker and patient health records are compromised. Not only can data breaches tarnish reputations, but they are also very costly in terms of fiscal penalties, lost productivity and more.
Managing Shadow IT
While there’s no magical, one-size-fits-all solution for effectively managing shadow IT, there are measures enterprises can take.
Some enterprises opt to work with a cloud access security broker (CASB), a third-party service that will assess risk in the cloud, help manage app permissions and provide IT teams with visibility into app and data usage. This approach to cybersecurity goes hand in hand with software-defined networking in a wide area (SD-WAN), architecture that allows enterprises to secure their networks on-premises and remotely.
One major goal should be more closely aligning IT with business needs, since shadow IT often emerges out of a sense that IT can’t move fast enough to keep pace with employees’ productivity needs. This means regular communication, as well as figuring out how to respond to business users’ requests in an agile fashion should be key aspects of your operating strategy.
One expert advises CIOs to launch one or more dedicated DevOps teams to “deliver functionality at speed” and bridge that gap between IT and business. This is how many Silicon Valley startups minimize the need to shadow IT.
At the very least, IT teams and users should touch base at least yearly — but more like quarterly — to keep a list of technology assets up to date. Transparency is the first step. Only once IT teams are aware of the shadow IT in existence can they take steps to integrate and secure it.
Shadow IT usually crops up when well-intentioned employees take tech into their own hands in an attempt to boost efficiency or troubleshoot a problem. But it can be very dangerous when left unchecked. This is why it’s so crucial to take ownership over shadow IT and close that gap.