Shadow IT is a broad term that can refer to any software, hardware or other assets that are procured and utilized without the go-ahead of the IT department. This isn’t a new phenomenon. Workers have always sought ways to get what they want, whether it be consumer applications that are easier to use (but less secure) than enterprise-grade alternatives, or devices that aren’t supported by the company.
Recently, shadow IT has come into its own as a cybersecurity matter. The consumerization of IT along with bring-your-own-device policies, as well as software-as-a-service offerings that are closing the gap with on-premises solutions in terms of functionality and cost, have jeopardized the centralized control of tech departments and created many new vulnerabilities.
Getting a sense of shadow IT’s scope and specific cybersecurity challenges
In a 2013 report from Trend Micro, “Empowering the Business while Efficiently Mitigating Risks,” Trend Micro CEO and cofounder Eva Chen pointed out that one-fifth of enterprise customers use Dropbox – a popular cloud storage and synchronization service for consumers and businesses – and that the overall application landscape has shifted dramatically in just the past decade. For instance, whereas a shop may have once relied exclusively on a suite of Microsoft services for everything from Web browsing to email, now there is widespread fragmentation.
The rise of fully featured mobile operating systems such as Android has only accelerated the rise of shadow IT, by making it possible to use a wide range of services (calendar, email, productivity software) on many different devices. Overall, the scope of shadow IT is impressive, creating fundamental challenges for IT executives and security teams:
- A 2014 Netskope report found that enterprise cloud apps were dominated by storage and social media, with Twitter being the most popular of all. The average enterprise runs 461 of these apps, roughly ten times its IT department’s internal estimates.
- Eight-five percent of cloud apps in the enterprise scored only a “Medium” or below on the Netskope Cloud Confidence Index, a set of metrics for security and business continuity influenced by Cloud Security Alliance guidelines.
- Organizations have firewalls that should be blocking many of these applications. However, more than 90 percent of cloud app activity is in apps that technically should raise exceptions whenever they are used. Employees are successfully skirting in-place security mechanisms.
- A Frost & Sullivan report discovered that more than 80 percent of IT and line-of-business workers used unapproved SaaS apps, while 26 percent of IT departments use at least six of them.
- Stepping back, one could look at shadow IT’s size in this way: It may be tenfold that of known business cloud usage. There’s a huge gap between what organizations think they are using and what conditions are like in reality.
What is so dangerous about shadow IT in the enterprise?
At first glance, shadow IT may seem like a strictly financial or bureaucratic matter. Certainly, it can run up the tab for finance departments that struggle to account for SaaS spending and utilization. However, losing control over IT also weakens security posture, at a time when cyberattacks are ramping up and targeting a broad range of assets beyond just PCs and servers, including mobile devices, embedded sensors and cloud services.
Consider the growing reliance of organizations on cloud computing. The public cloud – the general category encompassing infrastructure, development platforms and software that is managed and delivered by a third-party service provider – has a well earned reputation for porous security. The growth of shadow IT, particularly as it relates to public cloud services for collaboration, storage and social media, is exposing many companies to the sorts of risks that are essentially hidden from everyday view.
Look out for part two of this series to learn more about what kinds of problems shadow IT causes for enterprises.