6 dangers of shadow IT and how to avoid them

When employees use unapproved devices and software, they create information security vulnerabilities. Here's a look at some of those risks and how IT can prevent them.

Shadow IT is an invitation to hackers everywhere. Using unauthorized devices and software without IT's approval carries a number of dangers that no one should take lightly.

Employees turn to shadow IT when they are dissatisfied with established IT department activities, such as slow response times to problem resolution or refusal to implement a specific application. But loss of control over IT operations can create havoc for CIOs and other senior IT leaders.

Here are six shadow IT dangers and guidelines CIOs and IT leaders can use to avoid or mitigate them.

1. Unauthorized access to data

A key audit control issue is ensuring that only authorized users can access IT systems and resources. Many different access controls and technologies are available to ensure compliance with regulations and standards, and to pass audit scrutiny. However, if unauthorized access into production systems is occurring, data loss, damage to applications, theft of information, introduction of malware and other threats can follow.

2. Unauthorized changes to data

Someone with unauthorized data access can potentially change critical data -- such as customer data, databases and content used in daily company operations -- with potentially disastrous effects. Changing a single character in a customer health record, for example, could result in a misdiagnosed condition or prescribing the wrong medication.

3. Introduction of malignant code

When shadow IT activities are occurring, almost anything can happen, especially an introduction of malignant code into production systems, whether that is accidental or intentional.

4. Inability to properly perform patching

Patching is a critical activity that ensures all production systems, utilities and other code-based resources are up to date with regard to new and updated features and security provisions. These are especially important for minimizing the likelihood of cyber attacks. External shadow activities that affect patching schedules could create unexpected performance and security issues.

5. Compliance issues

Regulated organizations, such as financial institutions and others that are under close government scrutiny, such as healthcare organizations, utility companies, and fossil or nuclear power plants, cannot afford to disrupt their compliance with regulations. Shadow IT activities could inadvertently create problems -- such as system failures -- that result in out-of-compliance conditions. In situations where compliance is regularly monitored and reported, shadow IT activities could create noncompliant conditions that, if discovered, could result in fines and even litigation.

6. Cybersecurity risks

Perhaps the most important IT operations issue today is dealing with cybersecurity breaches. Again, as shadow IT activities may involve using unauthorized systems, security gaps such as breaks in firewalls could occur. Internal shadow IT activities could compromise existing security software such as virus detection or security equipment such as intrusion detection systems.

Preventing shadow IT risks

Diligence and awareness are two important management attributes that can help identify potential shadow IT activities. For example, if an increase in complaints about IT support activities occurs, technology teams can carefully review each report and complaint, especially those from employees who generate repeat complaints. When teams can identify any notable IT performance issues, they should fix them as soon as possible. Then they can monitor help desk activities to see if the number of complaints declines.

Clues can point to possible shadow IT activities. These might include slower response times and application execution times, network throughput delays, missed dates and times for execution of batch jobs, and short-duration system outages of less than 10 minutes. While any of these could simply be normal performance issues, they may also be the result of behind-the-scenes shadow activities.

Additional proactive measures to reduce the likelihood of risks from shadow IT activities include the following:

  • using network sniffing programs that detect IP addresses not in the known list of IP addresses;
  • keeping the inventory of all IT infrastructure resources up to date;
  • having senior IT leaders identify possible shadow installations;
  • discussing shadow IT activities at staff meetings;
  • keeping firewall rules current -- for both inbound and outbound traffic -- to identify suspicious traffic;
  • ensuring intrusion detection and intrusion prevention system rules are up to date;
  • keeping employees aware of possible unauthorized logins via emails, messages on intranet sites and other alerting systems;
  • encouraging employees to report any suspicious activity to the IT help desk;
  • ensuring that IT teams regularly brief senior management on suspicious IT activity and measures to remediate it;
  • ensuring that managed service firms and cloud service organizations monitor your resources and provide alerts if they detect suspicious activity;
  • engaging shadow IT analysis capabilities of cloud-based and other managed service providers if they are available;
  • establishing policies and protocols for managing shadow IT activities;
  • with HR and legal department assistance, defining penalties for employees who conduct shadow IT activities;
  • updating the existing BYOD (bring your own device) policy to address shadow IT;
  • establishing and maintaining a file of evidence on shadow IT activities for future audits and management review; and
  • considering deploying shadow IT detection tools.
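
The first two measures in the list can be combined: compare the addresses seen in connection logs with the asset inventory and report internal addresses the inventory does not cover. The following is an added example, not part of the original article; the log format, address ranges and function names are assumptions constructed for illustration.

```python
import ipaddress

# Constructed inventory (assumption): address space the organization owns,
# individually registered hosts, and a managed DHCP pool.
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]
KNOWN_HOSTS = {ipaddress.ip_address(a) for a in ("10.20.1.10", "10.20.1.11", "10.20.5.40")}
KNOWN_RANGES = [ipaddress.ip_network("10.20.8.0/28")]

# Constructed connection-log sample: "timestamp src dst dst_port"
SAMPLE_LOG = """\
2024-05-01T09:00:01Z 10.20.1.10 10.20.5.40 443
2024-05-01T09:00:07Z 10.20.9.77 203.0.113.25 443
2024-05-01T09:01:12Z 10.20.8.5 10.20.1.11 22
2024-05-01T09:02:30Z 10.20.9.77 10.20.5.40 5432
2024-05-01T09:03:00Z 198.51.100.9 10.20.1.10 443
malformed line
2024-05-01T09:04:44Z 10.20.3.200 10.20.1.11 445
"""

def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)

def is_known(ip):
    return ip in KNOWN_HOSTS or any(ip in net for net in KNOWN_RANGES)

def find_unknown_hosts(log_text):
    """Map each internal address missing from the inventory to what was seen of it."""
    findings = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip lines that do not match the assumed format
        ts, src, dst, _port = parts
        try:
            a, b = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        except ValueError:
            continue
        # Check both ends: an unregistered device may be client or server.
        for ip, peer in ((a, b), (b, a)):
            if is_internal(ip) and not is_known(ip):
                f = findings.setdefault(
                    str(ip), {"first": ts, "last": ts, "count": 0, "peers": set()})
                f["first"], f["last"] = min(f["first"], ts), max(f["last"], ts)
                f["count"] += 1
                f["peers"].add(str(peer))
    return findings

if __name__ == "__main__":
    for ip, f in sorted(find_unknown_hosts(SAMPLE_LOG).items()):
        print(ip, f["count"], f["first"], f["last"], sorted(f["peers"]))
```

External addresses are ignored because the inventory only describes the organization's own address space; each reported address still needs follow-up to decide whether it is an inventory gap or an unapproved device.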

Take shadow IT seriously

Shadow IT activities are a serious threat to IT organizations and need swift handling. As these activities often evolve from dissatisfaction with how an IT department handles customer service, consider elevating help desk and other customer service activities to a higher priority.
