Build shadow IT policy to reduce security risks

Shadow IT outside of most safeguards

The scope of shadow IT was significant even before the pandemic.

Password management company 1Password, based in Toronto, conducted a shadow IT survey of 2,119 U.S. workers in late 2019 that found 63.5% of respondents had created at least one account without involving IT. The survey also revealed, across the board, each enterprise professional created an average of 1.5 shadow IT accounts.

Similarly, in a report released in January 2020, McAfee found more than 25% of enterprises had sensitive data downloaded from the cloud to a user’s personal device with no corporate controls to adequately monitor or protect it. Cloud downloads of sensitive data also expand enterprise risk due to shadow IT. The report said 91% of cloud services don’t encrypt data at rest, so the data isn’t protected if the cloud provider is breached.

In addition to shadow IT, security risks are rising overall.

The Check Point survey results showed 71% of responding security professionals saw an increase in security threats or attacks since the beginning of the pandemic. The FBI has warned of a rising number of cyber attacks as hackers seek to exploit the situation. The World Health Organization also warned against increased cyber attack activities.

Yet, due to its very nature, shadow IT generally falls outside many — if not all — of the enterprise policies and defenses meant to safeguard data and protect the IT stack against such attacks. That means the risk of data loss, as well as of regulatory and compliance failures, is higher, as is the likelihood of a successful attack on IT systems.

“There is no oversight or visibility over the security controls in shadow IT,” said E.J. Widun, who has learned to guard against it as CTO of Oakland County in Michigan.

Widun believes shadow IT stems from a breach of trust with business users.

“It tends to come in where there’s too much red tape and bureaucracy and a lack of perceived nimbleness,” he said — a scenario that can encourage business users to avoid IT, the security team or both in search of technologies that let them work more effectively and efficiently. “But, when you build the relationships, I believe you can crush shadow IT.”

He’s not alone in that assessment, with experts advising CISOs to strengthen their proactive measures to better address the issue.

More specifically, security leaders said they advise CISOs to rely on the standard PPT — people, process and technology — to tamp down on the security risks from unauthorized devices.