Despite years of modernisation initiatives, CISOs are still contending with an old-school problem: shadow IT, technology that operates within an enterprise but is not officially sanctioned — or on the radar of — the IT department.
Unvetted software, services, and equipment can be nightmare fuel for a security team, potentially introducing a lurking host of vulnerabilities, entry points for bad actors, and malware.
In fact, it is as big a problem as ever and may even worsen. Consider the figures from research firm Gartner, which found that 41% of employees acquired, modified, or created technology outside of IT’s visibility in 2022 and expects that number to climb to 75% by 2027.
Meanwhile, the 2023 shadow IT and project management survey from technology review platform Capterra, found that 57% of small and midsize businesses have had high-impact shadow IT efforts occurring outside the purview of their IT departments.
Experts say that a shift in what comprises shadow IT and who is responsible for it is driving such statistics. In the early days, shadow IT might have been an unsanctioned server that a developer set up for skunk works. Later, it was systems implemented by business unit leaders without IT involvement because they favored a particular vendor or application over the one deployed and maintained by IT.
Although those earlier forms of shadow IT created risk, the main worries in such examples were additional work and costs that the extra systems added to the organisation’s technology bill as well as the inevitable absorption of the shadow systems into the official IT department portfolio.
Today, shadow IT is broader and more pervasive, and it’s being brought into the organisation by a growing number of employees who are capable of quickly and easily launching tech products and services for their workplace needs without consulting IT or the security team.
Shadow IT today is like “10,000 flowers blooming”
“Shadow IT is back, and it’s back in a big way. But it’s different today. It’s individual employees creating, acquiring, and adapting technology for work. These people have become technologists,” says Chris Mixter, a research vice president with Gartner. “Now shadow IT is like 10,000 flowers blooming. And you can’t stop it. You can’t say to the employees, ‘Stop doing that,’ because you as security don’t even know what they’re doing.”
A mix of tech products and services constitutes shadow IT today. IT can still be comprised of a few unauthorised servers tucked away somewhere, but the ease of operation of modern software means it’s more likely to be made up of more substantial and pervasive technology deployments. Cloud-based and software-as-a-service applications set up by a business unit or even a single employee are common culprits.
“Cloud has made shadow IT easier to exist because in the past when you used to have to procure hardware and know how to get a network connection, there was a barrier to entry. Cloud has lowered that barrier,” says Joe Nocera, leader of the Cyber Privacy Innovation Institute at professional services firm PwC.
IoT interfaces and undocumented APIs add to the shadow IT danger
Of course, the cloud isn’t the only factor in today’s shadow IT. The ease of deploying internet of things (IoT) components and other endpoint devices also contributes to the problem.
Undocumented, non-tracked third-party application programming interfaces (APIs) are another type of shadow IT that has become common within many organisations. A May 2023 report from tech company Cequence Security found that 68% of the organisations analysed had exposed shadow APIs.
The ease of accessing cloud resources is certainly a contributing factor to the proliferation of shadow IT today. “You have all these things where all you need [to deploy them] is a credit card — or not, sometimes they’re just free,” says Raffi Jamgotchian, CEO of Triada Networks, an IT and cybersecurity services firm. That ease of access, however, belies the serious risks that shadow IT now presents.
Jamgotchian says workers typically don’t know whether or what security layers the applications they’re buying have or whether anything needs to be added to them to make them secure. Then, to make things worse, they’re often putting sensitive data into these applications to get their work done.
As a result, these workers are creating entry points that hackers can use to access the enterprise IT environment to launch all sorts of attacks. They’re also exposing proprietary data to leaks and possible theft. And they’re possibly violating data security and privacy regulatory requirements in the process.
Shadow IT can increase compliance and regulatory issues
Jamgotchian worked with one company fined by a regulatory agency because the apps being used by workers did not adequately secure and archive data as required by law; in that case, the company’s manager had given workers tacit approval to download and work with apps outside IT’s (and, thus, the security department’s) view, which resulted in the compliance violation.
Furthermore, experts say shadow IT greatly increases the chances that products and services as well as the vendors selling them are excluded from any due diligence review, as IT and security are excluded from the selection process. “This is part of the challenge when people are using these applications without asking if they’re from a trusted vendor,” says Joseph Nwankpa, an associate professor of information systems and analytics at Miami University’s Farmer School of Business.
The resulting cybersecurity risks are significant. Take the findings from a 2022 report by Cequence Security that noted 5 billion of the 16.7 billion malicious requests observed, or 31%, targeted unknown, unmanaged, and unprotected APIs. Capterra’s 2023 study found that 76% of the responding small and medium-sized businesses reported that shadow IT efforts posed moderate to severe cybersecurity threats to the business.
Lack of security review is shadow IT’s biggest problem
And Gartner found that business technologists, those business unit employees who create and bring in new technologies, are 1.8 times more likely than other employees to behave insecurely across all behaviors.
“Cloud has made it very easy for everyone to get the tools they want but the really bad thing is there is no security review, so it’s creating an extraordinary risk to most businesses, and many don’t even know it’s happening,” says Candy Alexander, CISO at NeuEon and president of Information Systems Security Association (ISSA) International.
To minimise the risks of shadow IT, CISOs need to first understand the scope of the situation within their enterprise. “You have to be aware of how much it has spread in your company,” says Pierre-Martin Tardif, a cybersecurity professor at Université de Sherbrooke and a member of the Emerging Trends Working Group with the professional IT governance association ISACA. Technologies such as SaaS management tools, data loss prevention solutions, and scanning capabilities all help identify unsanctioned applications and devices within the enterprise.
Look for spending that points to unauthorised technology use
Jon France, CISO at (ISC)², a nonprofit training and certification organisation, says he advises CISOs to also work with their organisation’s procurement team and finance department to spot spending that could point to shadow IT. He says scanning worker expense reports is particularly useful in uncovering shadow IT because it helps find reimbursement requests for tech spending that is too small to go through the procurement process.
France and others say CISOs also need to educate workers on security risks posed by shadow IT, but temper expectations on how well that awareness training will help prevent it, Mixter says. He says most workers know the security risks they’re creating but move forward with their plans anyway: Gartner research shows that 69% of employees intentionally bypassed cybersecurity guidance in the last 12 months.
Educate employees about how to onboard new tech
Mixter says workers who deploy shadow IT aren’t malicious in their activities. Rather, they are trying to get their job done more efficiently and looking for tools to help them accomplish that goal. This is why, in addition to awareness training, CISOs should work to empower them by building up their security competence.
“CISOs need to shift to competence building, to ‘Let me help you figure out how to do that safely,’” Mixter says. According to Mixter, that means:
- Developing guidance targeted at business technologists.
- Offering options for business technologists to secure their work.
- Helping business technologists gain relevant security certifications.
- Integrating cybersecurity solutions into business technologist workflows.
- Building policies that explicitly cover business technologist activities.
“CISOs have to figure out how much security skill they need, understanding that they can’t make everyone into a security specialist so they must determine what is the minimum competency they need,” Mixter says.
That work pays off, he adds. Gartner has found that those with training targeted to their technology-related activities are more are 2.5 times more likely to avoid introducing additional cyber risk and more than twice as likely to move faster than those business technologists without such training.