More than 40% of file-sharing traffic is now going through unapproved services, Awake reports. Here’s why you need to be aware of shadow IT within your business
For network administrators, 2020 was a rollercoaster year. Back when the first work-from-home (WFH) orders were issued last spring, there was panic that corporate networks were simply not configured to be used by remote workers safely en masse. Then came the summer and fall. There was a period of respite and faint hope; it seemed that many employees understood the principles of network security and had become familiar with how to work safely at home.
Now, as we are immersed in another year of the pandemic — and another year where many employees will work from home — comes a horrible realization. The reason why there were so few help desk calls in the last few months wasn’t because employees have learned how to use remote work systems. Rather, it is because they’ve learned how to get around them using shadow IT.
Awake reports that the use of unauthorized “remote access tools increased by 75% from January to March” in 2020, and that this surge in shadow IT usage can be attributed to COVID-19-related alterations to work routines. This is likely because employees turn to unauthorized third-party software to do their jobs remotely.
In this article, I’ll argue that instead of representing a crisis, this development is an opportunity for businesses. If we use this year correctly, we can rethink how we approach shadow IT and make enterprise networks more secure than they have ever been.
Let’s hash it out.
Why Shadow IT Is a Concern for Businesses
First, let’s get some definitions out of the way for those readers who may be new to network security and its sometimes obtuse nomenclature. As we explain in our article defining shadow IT:
“When your employees use software or hardware at work that your IT or security team is unaware of – that’s shadow IT. Calling the use of these tools ‘unsanctioned’ might be a bit strong, but either way, employees have neglected to go through the proper channels and notify the right parties.”
Some examples of shadow IT include:
- Cloud storage services such as Google Drive and Dropbox. Employees commonly use these to store corporate data (knowingly or otherwise).
- Commonly used workplace productivity apps. Some examples include programs like Trello, Slack, and Asana.
- Chat and communication apps. This can include apps such as WhatsApp, Zoom, Skype, and any other VoIP software.
- Employees’ own physical devices. This isn’t limited to just flash drives and external drives; it also includes the hard drives within their personal devices.
Let’s also point out, right from the get-go, that shadow IT has become a huge problem for enterprise cybersecurity. The truth of the matter is that most companies are extremely bad at protecting their infrastructure from access by unauthorized programs. Shadow IT remains one of the most persistent security threats faced by enterprise networks — pandemic or not.
The risks associated with shadow IT are wide-ranging but can be broken into four main areas:
- Software Asset Management (SAM). Ideally, administrators will have oversight and control over all of the software used within their organization. Widespread use of shadow IT makes this all but impossible.
- Compliance: Companies can spend many months, and huge amounts of money, reaching compliance with data privacy, security, and management frameworks. A single insecure shadow IT system can undermine this work, and risk fines for non-compliance.
- Testing: Shadow IT systems and devices might be incompatible with existing, approved systems, and can even lead to system failures if used alongside them.
- Configuration management: Creating a configuration management database (CMDB) is a large portion of most system administrators’ jobs. Using shadow IT systems can make cross-platform configuration impossible, which can, in turn, lead to security vulnerabilities.
However, it’s also important to recognize why the use of shadow IT is spiking now and why employees are turning to unauthorized hardware and software.
The truth is that IT operations staff bear a degree of culpability for the current spike in shadow IT usage. Back at the beginning of the pandemic, managers turned to IT staff to provide communications tools for newly remote employees. IT departments responded in the way they know best — expanding the user base of existing tools and systems, opening them up to external users.
Unfortunately, this didn’t always work. In many cases, systems designed for the occasional conference call between executives simply couldn’t deal with the expansion in network traffic and became too slow to be usable. In other situations, it was simply the lack of training (or the lack of time to deliver training) that meant that employees found these systems too complex or cumbersome for their everyday needs.
Understandably, this led them to turn to third-party tools to keep in touch with work colleagues and make their jobs easier in other ways.
But what can businesses do to help mitigate this issue? I’ve outlined a few steps you can take to help decrease reliance on shadow IT tools.
To Avoid Shadow Tools, Emphasize User Experience
Look at the rise in shadow IT this way and it starts to look like a usability problem rather than one that relates strictly to network security. In my view, the reason why shadow IT has been such a prevalent issue has not been well understood by IT staff. Staff techs are accustomed to complex systems and tend to think of the users they manage as being willingly mischievous.
Take, for example, staff who use iMessage to set up a corporate meeting rather than your bespoke internal communication tool. They are probably doing so because iMessage is simply easier to use than the secure alternative, or it offers functionalities that your more secure system doesn’t.
With this in mind, enterprise IT admins may need to change their approach. Instead of trying to limit access to insecure systems, we should instead focus on making secure systems more usable.
This is, in fact, an approach that is well developed in the consumer tech market. Many browsers now warn users about insecure login pages, for instance, rather than shutting off access to them entirely. Another approach to the problem can be seen in the conventional “wisdom” that claims that Macs don’t get viruses. Actually, they do, but Apple designers choose not to tell us about every virus they encounter and defeat – just those security risks that require user actions to remedy. The goal is to not badger users to the brink of insanity through repetitious warnings but rather empower them to interact with these systems in a secure way.
In practice, applying this kind of insight means implementing a number of approaches:
- Focus on usability and function. This should form a principal part of your software acquisition and testing process. Instead of looking to just the technical abilities of a piece of software, end users should be consulted on whether it provides the functionalities they require.
- Expand functionality through existing tools. Network admins should also seek to provide the widest functionality possible through existing tools while ensuring they’re used in a secure way. One way of doing this is to verify that access controls and privileges are properly assessed and implemented and provide an adequate level of functionality for each staff group.
- Emphasize certificate management. Applying a more complex set of access and privilege controls might be difficult in large organizations. This is why, when it comes to managing SSL/TLS certificates and digital certificate keys, administrators should consider using a certificate management tool that gives them greater visibility as to what certificates they have and where.
Manage Digital Certificates like a Boss
14 Certificate Management Best Practices to keep your organization running, secure and fully-compliant.
The eventual goal of this approach should not be to punish users for looking to third-party tools to complete everyday tasks. Instead, investigations into the usage of shadow IT within your organization should be carried out with the goal of informing purchase decisions. Only by understanding what end users need their systems to do, and what level of access they need in order to achieve this, can shadow IT usage be reduced.
Build an Enlightened Culture
This last observation — that system design and administration should be based on the end users’ needs rather than a system’s security requirements alone — recognizes a truth about shadow IT that has long been known. This is that, and as McAfee puts it, shadow IT is always going to be present in enterprise environments.
This is partly due to what might be termed the “shadow IT lifecycle.” In many organizations, shadow IT usage develops in a well-defined and repetitive cycle. Employees will begin to use a well-known third-party solution such as Dropbox or Evernote. IT departments eventually realize this and seek to limit employee access to these systems. Employees will then respond by moving to more obscure systems that are likely to be even less secure. And the cycle repeats.
Breaking this cycle requires that organizations develop nothing short of a “cybersecurity culture.” Building such a culture, in turn, rests on three principles:
1. Having Open Communication
Above all, IT departments should ensure clear communication channels exist between them and the employees whose tech they oversee. Ultimately, employees should feel like they can contact the IT department directly to discuss issues they are having with existing systems or request that an extra functionality be added to them without fear of censure or ridicule.
The way to achieve this varies by organization. Ideally, every employee would have direct access to IT managers, but in practice, it may be that management-level reporting structures take the place of direct communications.
2. Providing Training
Equally as important as clear communication is ensuring that all staff — end users and IT managers alike — are adequately trained to avoid the risks associated with shadow IT.
For many companies, the order for all employees to work from home came suddenly in response to COVID-19. There was little time to train staff in how to use remote access systems correctly. This now means that staff should be trained on safe remote working practices as soon as possible (if you haven’t already done so). With the pandemic kicking third-party online learning platforms into high gear, companies don’t have to do all the heavy lifting themselves. They can send WFH employees to these sites for a grounding in cybersecurity basics. CISA provides training in this area, and this is a great place to start for most firms.
And it’s not just end users who might require extra training. Many IT administrators have limited experience in managing systems and users who work remotely. They need support, guidance, and access to tools to manage these new challenges.
3. Empowering Your Employees
Let me stress this: The end goal of building an effective security culture in your organization is not to eliminate the use of shadow IT. In fact, and although many administrators are still reluctant to admit it, shadow IT can be of huge benefit to both employees and companies. Third-party tools that provide necessary functionality, often for free, can make companies more agile.
That’s only true, of course, if such tools are used responsibly. The goal of training staff on the dangers of shadow IT is to:
- Empower staff to make their own assessment as to the security of a particular system, and
- Educate them to limit their usage of it accordingly.
Managing this risk and opportunity needs to be done carefully, though. Some types of shadow IT are not acceptable. For example, any shadow digital certificate or PKI key pair is a significant risk to the company. After all, what happens if that person leaves the company and nobody has the private key?
In other words, some systems should be prohibited and others allowed if they are used responsibly. But doing this requires IT staff to get a firm grip of the systems being used in their organization.
The Bottom Line
For some enlightened organizations, the rise of shadow IT during the last year of WFH has helped increase productivity. For companies that already had excellent communications in place between their IT departments and other staff groups, the necessity to find pragmatic solutions to remote working may not have led to significant security vulnerabilities. Other companies — and, perhaps the majority — have seen mass migrations of staff to insecure systems.
The goal for every IT department is to make it as easy as possible to acquire and use IT software and apps securely.
Regardless of anything else said, users often choose the easiest option to achieve their goals. If that means integrating cyber security automation into existing systems, then so be it. Ultimately, however, the current moment represents an opportunity for both types of companies.
For IT teams, the rise in shadow IT over the past year could (and should) lead to a recognition that most employees use shadow IT to improve their own efficiency rather than to get around security restrictions willfully. So, rather than taking an approach that punishes them for doing so, IT departments should try to support their decisions and help them make better informed and more secure choices.