Hybrid or flexible working seems to benefit some companies and employees. A study from the Pew Charitable Trust shows that working from home is continuing even after most COVID restrictions have been lifted. Many workers found that this suited their lifestyle: the classic example being a lone parent having the flexibility to look after their kids. It seems unlikely that the USA or Europe will return to the previous centralized workplace, which had dominated since the 19th century.
However, most companies are not fully cognizant of the perils of the new era. Energy Central has extensively covered the risks of malicious cyber actors and other hazards. One area which should cause concern is “Shadow IT”. This is simply defined as users in your network utilizing unauthorized software in pursuit of their authorized tasks.
Generally, where centralized IT departments supervised work computers, usually desktops, it wasn't possible to download and install unauthorized software, because only someone with admin-level privileges could do that. That isn't the case with mobile and cloud-related platforms, particularly if the user has supplied their own device rather than using a company one.
A new publication from the U.K.’s National Cyber Security Centre (NCSC) provides guidance to organizations finding issues with shadow IT, which tends to arise where employees install apps to do their job better, without realizing this may open up entry points for hackers.
What is Shadow IT, and Why is it a Danger?
Shadow IT is the use of technology systems, software, applications and services within an organization without the explicit approval, knowledge or oversight of the IT department or compliance with the organization’s official IT policies.
The use of Shadow IT has increased over the past few years. During the COVID lockdown in the UK, Shadow IT use increased dramatically, by 59%, according to managed services company Core. Cisco reports that burgeoning cloud usage has meant that personnel feel comfortable using various cloud applications without bothering to report it to their ICT department. This means that the security – or not – of these applications functions “below the radar” of the company's IT and cybersecurity operations.
There are very real risks to companies, particularly those which comprise critical infrastructure like utilities. Shadow IT could be the vector for theft of sensitive corporate data, or insertion of malware that could lead to severe losses to systems or reputational damage.
Some of the applications that are commonly used are:
- Video conferencing services
- Planning or project management services utilized as alternatives to company-approved tools
- External cloud facilities used to store and share files with third parties
- Apps which facilitate working from home using an unauthorized device
- Source code stored in third-party repositories
NCSC writes that, “At all times, you should be actively trying to limit the likelihood that shadow IT can or will be created in the future, not just addressing existing instances.” The driver behind the growth of Shadow IT is non-malicious: employees are usually trying to do their job more efficiently, by using software that seems to them superior to authorized apps.
It may be that the company has failed to anticipate a need, so there is no approved application; it is then hardly the employee's fault if they find they have to use something else.
Companies should set up a policy and process for requests regarding the devices, tools and services the workforce need, so they will not be encouraged to implement their own solutions. Instead, employees should look first to their own IT department for apps that address their professional requirements. All these services should be supervised and monitored.
There is an old IT security saying: “You can't protect what you can't see.” Shadow IT is a vulnerability which must be addressed, even if it is inconvenient for management or workforce.
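Seeing what you cannot otherwise protect starts with the telemetry an organization already has. The following is an added example, not part of the original article or the NCSC guidance: it scans constructed web-proxy log lines, drops destinations on a hypothetical sanctioned-services list, and groups the rest into the categories listed above so that an IT department can review who is using what. The log format, hostnames, allowlist and category keywords are all assumptions for illustration.

```python
"""Flag unsanctioned SaaS destinations seen in web-proxy logs (illustrative)."""
import re

# Hypothetical approved-tools inventory; a real one comes from the IT department.
SANCTIONED = {"meet.corp.example", "git.corp.example", "files.corp.example"}

# Category keywords mirroring the kinds of shadow IT the NCSC lists (assumed).
CATEGORIES = [
    ("video conferencing", re.compile(r"meet|conf|video|call", re.I)),
    ("project management", re.compile(r"task|board|plan|project", re.I)),
    ("external file sharing", re.compile(r"drive|share|files|transfer", re.I)),
    ("third-party code repository", re.compile(r"git|repo|code", re.I)),
]

# Assumed log layout: "<timestamp> <user> <destination-host> <bytes>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<host>\S+) (?P<bytes>\d+)$")

# Constructed sample lines, including one malformed entry real logs often contain.
SAMPLE_LOG = """\
2024-05-01T09:01:12Z alice meet.corp.example 4820
2024-05-01T09:02:40Z bob quickmeet.example.net 918300
2024-05-01T09:05:03Z carol taskboard.example.org 20410
2024-05-01T09:07:55Z alice sharedrive.example.com 5242880
2024-05-01T09:08:10Z bob sharedrive.example.com 104857
2024-05-01T09:11:02Z dave git.corp.example 33120
2024-05-01T09:12:44Z dave coderepo.example.io 771200
malformed entry that should be skipped
""".splitlines()


def parse_line(line):
    """Return a dict for a well-formed line, or None so bad lines never abort a scan."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    return rec


def categorize(host):
    """Map a destination host to the first matching shadow-IT category."""
    return next((name for name, rx in CATEGORIES if rx.search(host)), "uncategorized")


def find_shadow_it(lines):
    """Aggregate unsanctioned destinations: {host: {category, users, bytes}}."""
    report = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["host"] in SANCTIONED:
            continue  # skip junk lines and approved services
        entry = report.setdefault(
            rec["host"], {"category": categorize(rec["host"]), "users": set(), "bytes": 0})
        entry["users"].add(rec["user"])
        entry["bytes"] += rec["bytes"]
    return report
```

Running `find_shadow_it(SAMPLE_LOG)` yields four unsanctioned hosts, with the file-sharing host used by two people and carrying the most data; that is the starting point for a conversation with those users and for deciding whether an approved alternative is needed.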