Shadow IT Is ‘Out of Control.’ Here’s How to Manage the Risk
It’s easier than ever for employees to find their own quick IT solutions, which can exponentially expand an organization’s risk landscape. We highlight four critical steps to help ferret out shadow IT – and its newest iteration, “shadow AI” – to limit the threat.
Blame it on the cloud, the pandemic, the breakdown of centralized IT, the AI revolution, or all of the above, but shadow IT is spinning out of control at many organizations.
Shadow IT – that is, employee use of information technology systems, devices, software, and services without explicit approval or oversight from the IT department – can take many forms: It’s an employee who signs up for the free trial of a new tool. It’s a manager with administrative controls who approves an application for his unit and implements it without IT’s oversight or permission. It’s a new hire with a hybrid work schedule who uses a thumb drive to transport documents from her home office to the company’s office and back again.
And it’s a problem that’s growing fast, Gartner finds. The tech research firm predicts that 75 percent of employees will have acquired, modified, or created technology outside of IT’s visibility within the next three years, up from 41 percent in 2023.
“At this point there’s been a democratization of technology and analytic work at most organizations,” explains Leigh McMullen, distinguished VP analyst at Gartner, in a keynote at the firm’s risk management summit last year. “There’s more happening outside of central IT and divisional IT functions than inside. Shadow IT is now business as usual.”
The massive shift to remote work is a major culprit. “We’ve always had shadow IT, but since the pandemic it’s really exploded with people working remotely and coming up with their own IT solutions,” said Candy Alexander, CISO and cyber risk practice lead at technology advisory company NeuEon, in an exclusive interview with Focal Point.
The explosion of the cloud and software-as-a-service (SaaS) only adds to the problem. And the looming AI revolution makes this an issue enterprises can no longer ignore. “It’s so easy for employees to go and get solutions themselves,” says Alexander. “It’s really out of control.”
[Read also: What is risk management? A simplified overview]
Shadow IT just got stronger – meet ‘shadow AI’
One of the newest concerns about the unsanctioned use of technology in organizations today is shadow AI, or the use of generative AI for creating documents, code, images, and audio. Shadow AI poses the same–or potentially more–risks to organizations as shadow IT.
There’s more happening outside of central IT and divisional IT functions than inside. Shadow IT is now business as usual.
“With the rapid pace of generative AI’s adoption, many organizations have not had the chance to develop guidelines around the use of AI,” says Alexander. The top risks of shadow AI involve the data pool from which the organization is sourcing content. If it’s inaccurate or biased, the results will be, too, potentially causing harm to the organization’s reputation or product reliability.
Take, for example, a scenario where marketing staffers begin using AI-powered social media analytics tools to analyze customer behavior, optimize advertising campaigns, or predict trends. These employees did not obtain approval from the organization to use the AI-powered tools, so they aren’t properly governed and do not have the appropriate security measures in place. Threats from this might include the tool accessing sensitive customer data or proprietary information, which could lead to data breaches, or failing to comply with regulatory requirements such as HIPAA or the EU’s GDPR rules.
Procuring and using these systems, software, services, and devices without approval from IT creates significant challenges for organizations, Alexander says. It places the organization’s data at risk since it’s not known what applications and tools have access to it; it can lead to compliance issues, potentially resulting in legal consequences and financial penalties if specific measures are not met; and it can fuel a fragmented IT environment with disparate systems that don’t integrate seamlessly.
[Read also: 6 reasons why people at your organization are using shadow IT]
“Security in data protection is all about identifying, controlling, and monitoring,” she says. “And there’s no way you can do that when you have employees going out and putting everything everywhere and anywhere. You’ve lost all control over that when you’re not in front of it.”
Hunting for shadow IT
Without the proper tools and procedures, it’s difficult to gauge the extent to which your organization is impacted by shadow IT. However, says Chris Cruz, public sector CIO at Tanium, there are some signs to look for. Shadow IT is common in organizations where resources don’t report to centralized IT, which creates a lack of governance structure and centralized procurement. As a result, these groups tend to make their own decisions, buy their own products, and follow their own protocols, he says.
It’s so easy for employees to go and get solutions themselves.
Other signs of shadow IT include unexplained increases in IT spend, indicating purchases of unauthorized tools or software that aren’t aligned with approved IT projects; federated networks off the central network, which don’t require individuals to be transparent about the decisions they’re making; and, ultimately, security incidents or data breaches that can be linked to unapproved IT solutions.
Keeping shadow IT in check
With the stakes so high, organizations should be taking specific steps to reduce and manage shadow IT, from adopting tools to detect software and applications to involving users in conversations around the technology they use:
1. Invest in asset management and discovery technologies
Asset management tools, which are used to record and track assets in organizations, and asset discovery tools, which scan networks to detect the hardware and software that’s connected to an organization’s network, are two technologies key to cracking down on shadow IT.
[Read also: What is IT asset discovery and inventory?
“Most organizations today don’t know what assets are plugged into the network,” Cruz says. “They don’t know how many endpoints they have or what assets are contained within the network. Without proper asset management and discovery of what’s going on at the endpoint, you can’t manage what you can’t measure.”
At one company of about 120 employees, for example, discovery technologies identified 148 applications that the organization never knew existed in their network, Alexander says. “That’s really just crazy given the size of the organization, but these tools help to bring into focus exactly what’s going on.”
These tools not only help organizations identify unknown endpoints, software, and subscriptions but also save money by decommissioning legacy software, Cruz adds. “Companies might still be paying for software they don’t even use. These tools also help ensure that they’re licensed appropriately for the software they have so no issues pop up when audits happen,” he says.
2. Develop an inventory
After performing a discovery of the tools, hardware, and software, organizations should develop an inventory to determine what’s still being used, whether it’s needed, what redundancies exist, what legacy software can be decommissioned, and what software could be renegotiated, Cruz says.
You can’t manage what you can’t measure.
“Another thing this inventory helps you determine is what software is out there for which people’s credentials still haven’t been decommissioned and may still be able to access critical data,” Cruz says. “This helps you not only with your operational capabilities and addresses ROI, it’s also helping you get your security profile in place and reduce software where you have potential security vulnerabilities that you otherwise couldn’t measure.”
3. Involve the user community
Because employees are at the root of shadow IT, it’s critical that organizations involve them in conversations about the software and tools they’re using, Alexander says. She advises narrowing down the various similar tools or applications into categories with a few choices, then seeking to understand why the community is using them and what they like about them.
“Your first words shouldn’t be ‘No, you can’t do that.’ You need to build the relationship with the business and the user community and really understand why they’re using these tools. Is it because they’ve always used them? Is it because they were told by someone to try them? Is it because the tools the organization has aren’t meeting their needs?” she says. “By getting their input, they feel valued because of the role they’re playing in technology selection.”
4. Prioritize education and training
It’s important for employees to understand that there are protocols they need to follow when they seek to adopt new tools and applications, Cruz says. To reduce shadow IT in organizations, education around those standard operating procedures is paramount, he says.
Our top priority should be to make the secure thing to do the easiest thing to do.
“Users need to be part of the solution, but they also have to understand that everyone has to follow the same policies and procedures for procuring new technology,” he says. “The more we can do that and have that level of communication, partnership, and trust within our organization, we’ll be better off in addressing shadow IT moving forward and ensuring that there are proper policies for everybody to follow.”
In fact, according to Gartner, designing security controls together with the user increases the likelihood of secure behavior by 23%. “We need to become obsessed with the employee experience of cybersecurity,” Gartner’s McMullen advised. “Our top priority should be to make the secure thing to do the easiest thing to do.”
These policies should include stipulations that employees can only use pre-approved applications, however organizations should also provide processes for users to follow to request new applications and tools for evaluation–whether it’s through a dedicated portal or helpdesk ticket, Alexander says. “This is important because you want people to feel they can collaborate in determining what the technology needs are,” she says.
As organizations aim to manage shadow IT, it’s necessary to understand this is an ongoing process, Cruz says. “It’s important to measure, manage, follow up, and make sure that everyone is following common processes and standards, and that they understand the importance of not having unlocked doors within your respective environments,” he says. “I always say that an ounce of prevention is worth a pound of cure, and this is the right way to do that.”