Shadow IT, what it is and how to fight it

It is difficult to detect. It is difficult to measure. But it is there, hidden in the shadows of the IT systems used in the company.

‍

Shadow IT is defined as the phenomenon whereby an individual, work groups, business units or entire departments use IT systems and solutions without the sharing, supervision and approval of IT service managers.

This phenomenon can lead to the loss of information or the opening of security holes resulting from the use of unauthorised IT solutions, which are not tested and controlled because they are unknown to IT management.

It goes without saying that it is not possible for the IT department, which is in charge of controlling the corporate infrastructure, to secure something it does not know about.

‍

Why and how does Shadow IT happen?

An amplification of the phenomenon has been seen since companies have had to adapt to the pandemic emergency and the use of massive remote working. To cope with the sudden and enormous demand for remotely usable work tools, companies have had to resort to allowing the use of BYOD (Bring Your Own Device), allowing the use of personal hardware and software devices for work purposes.  

Here are some examples of Shadow IT.

‍

1. Sharing and synchronising personal and corporate data between different types of corporate and personal devices

Sharing can take place through the use of personal storage devices, such as smartphones, USB sticks, external hard disks, or through the use of cloud services for exchanging and storing data outside the company's control. The use of storage systems that are not explicitly approved and without the control of the corporate IT department may lead to a dispersion of corporate know-how and introduce confusion in data management and retrieval, especially after a period of time.

‍

2. Use of private and/or heterogeneous messaging services for the exchange of company information and files between colleagues and co-workers

This habit introduces confusion and poor information management, especially when sharing between teams using inconsistent communication and sharing systems.

‍

3. Use of personal resources by an employee to store corporate information

This practice causes this information to be irretrievably lost to the company, especially in the case of termination of employment. Moreover, the use of personal data storage tools does not allow for centralised data storage and coordinated, unified backup management.

Corporate data stored exclusively on a personal device or service is permanently lost if the device fails or is lost. The theft or loss of a personal device containing a copy of personal company data, in addition to the definitive loss, could bring the event into the category of a data breach.

For the EU Regulation 679/2016 (GDPR), a Data Breach occurs when a 'security breach results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed' (ex Art. 4, pt. 12 EU Reg. 679/2016).

Although the possible incident stems from careless, and possibly unauthorised, behaviour on the part of the employee, the company's personal data subject to the breach is nevertheless, in the first instance, the direct responsibility of the company. It will then be the latter that will be answerable to the Garante or to those directly concerned for the breach.

Further behaviour that falls under the heading of Shadow IT occurs not only when a personal device such as a smartphone, tablet or notebook is connected to the company network, but also when service devices such as switches, access points and wi-fi repeaters are added.

All of these devices, not passing through the IT department's scrutiny, may be misconfigured and, given their connection directly to the company's innermost network, open loopholes in the company's perimeter protection system, potentially allowing unsupervised access to work data.  

Employees and collaborators, in order to complete their work tasks, often use software available directly on the web (SaaS or PaaS) or downloaded and installed directly on their work PCs. These actions, carried out independently and usually not agreed with IT managers, do not allow the necessary checks to be carried out to ensure the minimum security and data protection requirements of the company. In the worst case scenario, the employee could download and use software that has not been properly licensed or modified by third parties in order to bypass copy protection. There is no guarantee that such 'pirated' software, modified and not distributed directly by the manufacturer, does not directly carry viruses or malware.

4. Using the OAuth protocol for authentication to services or applications

The OAuth protocol allows the authentication credentials of a third-party service (e.g. Google G Suite, Microsoft 365, Apple, Facebook, etc.) to be used to access external services or platforms that are not directly connected to the authentication service.

When using this authentication protocol, there is an exchange of data between the person managing the account and the service. If a corporate account (e.g. Google G Suite or Microsoft 365) is used to access an application outside the corporate perimeter, information could potentially be exchanged that introduces unmapped risks.

In most cases, those who use these 'do-it-yourself' solutions act in good faith and out of a lack of information: the user looks for shortcuts to solve problems that prevent them from getting the job done quickly, without considering the security and efficient information management implications.

‍

How to mitigate Shadow IT

IT managers, in addition to implementing all technical and best-practice countermeasures to minimise shadow IT, should, in agreement with the company management, provide company employees and collaborators with an IT regulation that clearly states which policies the user must comply with.  

The regulation must clearly state which company software is authorised to perform the work and what minimum security policies must be adopted to ensure an acceptable level of security and resilience of company data.

Corporate tools must be chosen in a manner that

1. facilitate the performance of work,  
2. do not restrict operations  
3. do not induce the user to seek alternative solutions.  
4. a key factor in the choice of individual productivity software is its use on heterogeneous and mobile devices.

‍

But the crucial point in combating the Shadow IT phenomenon is to increase the culture of security and good data management in users with cyclically repeated training courses.

Users must be encouraged to submit their own problems or shortcomings of the software used in the company to the IT department, instead of seeking solutions on their own.

At the same time, IT department managers must be inclined to listen to users' requests to provide solutions through better use of the software already in the company or, in the case of deficiencies in the solutions already adopted, to evaluate alternative proposals suggested by users. An effective collaboration between users and the IT department, with the screening of new solutions can also be a stimulus to adopt more efficient alternative solutions. The attitude of the IT department must be one of active and receptive listening to user requests. A closed attitude towards suggestions only risks being labelled as the 'Department of NO', and feeding Shadow IT, with the practice of 'do-it-yourself'.

‍