The hidden risks of shadow IT

Posted on 13 July 2017

Your employees are signing up for easy-to-deploy cloud services and software without checking with their IT department whether those services are safe to use. IT would normally perform the necessary risk assessment and understand the full impact that using a service may have on your organisation's security and compliance; with shadow IT that step is simply skipped.

While an organisation will typically estimate that its employees use around 50 different cloud services, the true number, once it is actually measured, is reckoned to be around 15 times greater.

This exposes your organisation to a large number of risks, many of which are not apparent until something goes wrong. They include:

  • Data stored unencrypted, or sent to the service over unencrypted connections
  • Lax password and authentication requirements (no MFA, weak password rules)
  • Inability to meet eDiscovery requirements – vital for GDPR, where you must be able to find and produce the personal data you hold
  • Backup and recovery that doesn’t meet your internal standards
  • Legal uncertainty over who owns what data once it is in a third party's cloud service
  • Users unwittingly sharing sensitive data through public links
  • Non-compliance with varying international and industry regulations

A new approach is needed to meet the challenge of shadow IT

Stopping access to these services and software is a bit like trying to hold back the tide: you can bet that your employees will always find ways around any restrictions you set. Besides, overly rigid control deters innovation, stifles productivity and can have a negative impact on your organisation’s ability to keep high-calibre talent engaged.

Instead of attempting to block shadow IT outright, think about how you can provide the flexibility your employees need whilst extending to the cloud the same protections and security controls you already have in place for on-premises systems.

Traditional security solutions, such as firewalls, intrusion prevention systems and data loss prevention tools, were not designed to give IT comprehensive visibility into, or control over, how employees are using SaaS apps and cloud services: they see a TLS connection to a cloud provider, not which tenant, which account or which file is involved.

A three-point plan to tackle shadow IT

What is needed are tools that are specifically designed to monitor how employees are using cloud applications, help manage risk across the cloud services in use, extend internal security requirements into the cloud and help enforce reasonable and effective SaaS policies.

To achieve this you need a three-stage plan:

  1. Gain visibility – understand which applications your employees are using, where they’re logging into them from, and whether that use complies with your organisation’s security policies. This tells you what level of risk you are carrying and lets you develop strategies – such as blocking the apps that don’t comply with the regulations in your industry – to reduce that risk as needed.
  2. Get control of cloud application use and data sharing – develop policies that specifically define which applications are acceptable to use, and how and what data may be transferred to the cloud. Ensure these policies meet your company’s regulatory requirements.
  3. Protect against threats – define a baseline for cloud application access and usage at your company and then look for patterns and behaviours that deviate from that baseline. Decide whether each anomaly is a threat and develop strategies and tactics to address it.
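To make the three stages concrete, the script below is an added example written for this article; it is not code from Microsoft Cloud App Security or from any CASB product. It assumes a simple proxy log format (timestamp, user, source country, method, URL, bytes sent), a hypothetical catalogue of known apps with a sanctioned/unsanctioned flag, and a hypothetical bulk-upload threshold; the log lines are constructed sample data. It builds an inventory of which apps are in use and by whom (stage 1), checks each event against the sanctioned list (stage 2), and flags events that deviate from a per-user baseline of apps and countries learned from an earlier window (stage 3).

```python
"""Shadow-IT discovery and baseline anomaly detection over proxy logs.

Example code for this article, not a CASB's own logic. The log format,
the app catalogue, the threshold and the log lines are all assumptions.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed log format: "<timestamp> <user> <src_country> <method> <url> <bytes_out>".
# Constructed sample data: an earlier week used to learn the baseline ...
BASELINE_LOG = """\
2017-07-03T08:01:22Z alice GB GET https://outlook.office.com/mail/ 512
2017-07-03T09:14:05Z alice GB POST https://contoso.sharepoint.com/sites/finance/upload 20480
2017-07-03T10:02:41Z bob GB GET https://login.salesforce.com/ 310
2017-07-04T11:30:00Z bob GB POST https://www.dropbox.com/upload 150000
2017-07-05T08:05:13Z alice GB GET https://outlook.office.com/mail/ 480
"""
# ... and the day being reviewed.
TODAY_LOG = """\
2017-07-13T08:00:10Z alice GB GET https://outlook.office.com/mail/ 500
2017-07-13T08:45:30Z alice GB POST https://wetransfer.com/api/v4/transfers 52428800
2017-07-13T13:12:07Z bob RU GET https://login.salesforce.com/ 300
2017-07-13T13:20:55Z bob GB POST https://www.dropbox.com/upload 120000
2017-07-13T14:02:00Z carol GB POST https://pastebin.com/api/api_post.php 2048
"""

# Hypothetical app catalogue: registered domain -> (app name, sanctioned by IT?).
APP_CATALOGUE = {
    "office.com": ("Microsoft 365", True),
    "sharepoint.com": ("SharePoint Online", True),
    "salesforce.com": ("Salesforce", True),
    "dropbox.com": ("Dropbox", False),
    "wetransfer.com": ("WeTransfer", False),
    "pastebin.com": ("Pastebin", False),
}
BULK_UPLOAD_BYTES = 10 * 1024 * 1024  # assumed threshold: 10 MiB in one request


def parse_log(text):
    """Parse log lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, user, country, method, url, size = parts
        host = (urlsplit(url).hostname or "").lower()
        events.append({"ts": ts, "user": user, "country": country,
                       "method": method.upper(), "host": host, "bytes_out": int(size)})
    return events


def classify_host(host):
    """Map a hostname to (app, sanctioned). Anything unknown is unsanctioned by default."""
    for domain, (app, sanctioned) in APP_CATALOGUE.items():
        if host == domain or host.endswith("." + domain):
            return app, sanctioned
    return "unknown:" + host, False


def discover(events):
    """Stage 1, visibility: which apps are in use, by whom, and how much data goes to each."""
    inventory = {}
    for ev in events:
        app, sanctioned = classify_host(ev["host"])
        entry = inventory.setdefault(app, {"sanctioned": sanctioned, "users": set(), "bytes_out": 0})
        entry["users"].add(ev["user"])
        entry["bytes_out"] += ev["bytes_out"]
    return inventory


def build_baseline(events):
    """Stage 3, baseline: per user, the apps and source countries seen in the learning window."""
    baseline = defaultdict(lambda: {"apps": set(), "countries": set()})
    for ev in events:
        app, _ = classify_host(ev["host"])
        baseline[ev["user"]]["apps"].add(app)
        baseline[ev["user"]]["countries"].add(ev["country"])
    return baseline


def detect_anomalies(baseline, events):
    """Stages 2 and 3: flag policy violations and deviations from the per-user baseline."""
    findings = []
    for ev in events:
        app, sanctioned = classify_host(ev["host"])
        reasons = []
        if not sanctioned:
            reasons.append("unsanctioned")
        profile = baseline.get(ev["user"])  # .get() does not create a default entry
        if profile is None:
            reasons.append("no_baseline")  # user never seen in the learning window
        else:
            if app not in profile["apps"]:
                reasons.append("new_app")
            if ev["country"] not in profile["countries"]:
                reasons.append("new_country")
        upload = ev["method"] in ("POST", "PUT") and ev["bytes_out"] >= BULK_UPLOAD_BYTES
        if upload and not sanctioned:
            reasons.append("bulk_upload")  # large push of data to an unsanctioned app
        if reasons:
            findings.append({"ts": ev["ts"], "user": ev["user"], "app": app, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for app, info in sorted(discover(parse_log(BASELINE_LOG + TODAY_LOG)).items()):
        print(f"{app:18} sanctioned={info['sanctioned']!s:5} users={sorted(info['users'])} bytes_out={info['bytes_out']}")
    for f in detect_anomalies(build_baseline(parse_log(BASELINE_LOG)), parse_log(TODAY_LOG)):
        print(f"{f['ts']} {f['user']:6} {f['app']:12} {', '.join(f['reasons'])}")
```

Run as a script it prints the inventory and then one finding per suspicious event; in the sample data the 50 MB WeTransfer upload by a user who had never used it, the Salesforce login from a new country, and an unknown user posting to Pastebin all surface, while routine Microsoft 365 traffic does not. The point a practitioner should take from it is that the baseline is per user, that unknown hosts default to unsanctioned rather than silently passing, and that a single event can carry several reasons, which is what you rank on when deciding which anomalies are real threats.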

In our next article on shadow IT we will look at how a Cloud Access Security Broker (CASB) can help you achieve this plan.

In the meantime if you have any questions about shadow IT and Microsoft Cloud App Security, please contact us.
