Is shadow IT an unseen threat in your organisation?

By Professor Danny Myburgh

You’ve no doubt heard the terms dark web, black hat hacking and the ever-present threat of malicious software. What many business leaders are not as familiar with is shadow IT, and yet this is quickly becoming a large—but unnoticed—threat within organisations.

Shadow IT is not at first glance as dangerous as it sounds. It does not refer to anything associated with the dark web, for example. Instead, most employees using shadow IT are doing so without any malevolent intent. But as we know, it’s not deliberate harm that causes most cyber breaches (at least, not on the part of employees). It’s human error. According to IBM’s Cost of a Data Breach Report 2023, 95% of cyber breaches are the result of human error, and shadow IT is just one more way hackers can exploit vulnerabilities within your organisation.


What is shadow IT?


First, let’s begin with the obvious question. Shadow IT refers to information technology (IT) systems and solutions built and used inside organisations without explicit organisational approval. It encompasses a range of IT devices, software, applications, services, and infrastructure that are managed outside the purview of the official IT department. Businesses first realised this was happening when employees started choosing to use their own smartphones or MacBooks instead of company devices. The response was Bring Your Own Device (BYOD) policies and multi-factor authentication protocols to access networks, protecting them from unauthorised devices. Since the pandemic, this has largely stopped being a problem because IT infrastructure today is geared towards the idea that people are connecting from outside the perimeter from any number of devices.

However, the rest of shadow IT is on the rise. Employees often turn to shadow IT for a variety of reasons, primarily because they find that the officially sanctioned tools do not meet their needs or because they are looking for greater efficiency and flexibility than what is provided by their organisation’s IT department.

The benefits and dangers of shadow IT

Let’s consider how we all operate on a day-to-day basis. Technology is at the heart of everything we do. We use it to consume content, track our fitness levels, bank on the go and everything in between. Whatever you need to do, there’s an app for that, and ChatGPT has elevated this to a whole new level in the workplace. Not only are employees finding ways to use ChatGPT in their everyday work, but the idea that there is probably already an AI solution for almost every task or problem is settling firmly into the collective employee psyche.

On the one hand, this is positive. When employees use modern technology to free themselves from repetitive or simple tasks so that they can focus on more high-value work or face-to-face client time, the business benefits. But it also comes with significant risks for a number of reasons.

When employees use unsanctioned applications and services, they create vulnerabilities in the organisation’s security posture. These risks include:

Data loss and leakage: Unauthorised applications are not usually subject to the same security measures as approved IT solutions. Sensitive data may not be encrypted or may be stored in locations that do not comply with the organisation’s security policies or regulatory requirements.

Compliance violations: With the Protection of Personal Information Act (POPIA) in full effect, as well as a range of international regulations protecting private personal information (PPI), how data is handled and stored is paramount. IT departments know what is happening in their own organisations, but if they are unaware of what data is being processed or stored by unsanctioned solutions, it could potentially lead to hefty fines and legal issues. This is not as simple as saying that data is being stored in insecure locations. Employees could be using extremely well-known cloud solutions. However, if they are beyond IT’s knowledge or mandate, there is a large compliance risk.

There’s an additional threat as well. If each employee is careful about the information they run through a generative AI program, but multiple employees are doing the same thing, the identity and personal information of individuals could inadvertently be pulled together by AI and available for others to access.

Security breaches: Unsanctioned applications may not receive regular updates and patches, making them susceptible to malware, exploits, and other security threats. These breaches can go undetected longer because they occur outside the monitored IT environment. However, even cloud-based applications with high levels of security that regularly update may give hackers a great phishing opportunity. Emails from ‘well known’ technology companies received in personal inboxes won’t be second-guessed if employees use their private email accounts to set up shadow IT profiles. We believe hackers will be increasingly using these applications for social engineering purposes.

Redundancy and inefficiency: Without visibility into all the tools used across the organisation, it’s challenging to ensure that resources are allocated efficiently. This can lead to duplicate spending and inefficiencies, particularly if the sanctioned tools are not being used and organisations are paying for licences per user.

Closing the vulnerability gaps

To protect against the threats posed by shadow IT, businesses can take a number of measures, starting with two key steps: a forensic audit of how employees behave online and the flow of data through an organisation; and a comprehensive education program.

As we mentioned at the beginning of this blog, most employees are not trying to do anything wrong. They simply want to use tools that help them work better and faster. There is an additional element here that suggests business and IT leaders should work together to find the best solutions for their employees. Outdated technology, systems and processes aren’t going to get the job done anymore. With everything available on the cloud, employees will find their own way.

That’s why education and training are so important. Employees should understand the risks they are placing on the business (and customer details) and themselves.

Here are a few additional ways to protect your business against the unsanctioned use of shadow IT:

  • Ensure that the organisation’s official IT solutions are meeting employee needs. Solicit feedback and be willing to adopt new tools that can be securely integrated into the IT infrastructure.
  • Employ tools to monitor network traffic and detect unauthorised applications and devices. Greater visibility helps in early detection of shadow IT practices.
  • Develop a data governance framework that outlines how data should be handled, processed, and stored, including the use of approved applications and services.
  • Create and enforce IT policies that clearly delineate acceptable use of technology. Utilise technical controls to prevent unauthorised access to corporate networks and data.
  • Foster a company culture that prioritises security, where every employee understands their role in maintaining the organisation’s cybersecurity posture.
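
The network-monitoring measure in the list above, as an added example that is not part of the original article: a short Python sketch that reads web-proxy log lines, treats any destination outside an approved-domain list as potential shadow IT, and summarises who is using each unsanctioned service and how much data they are sending to it. The log format, the user names, the domains and the `SANCTIONED` list are all constructed assumptions.

```python
from collections import defaultdict

# Assumption: domains the IT department has approved (constructed list).
SANCTIONED = {"corp-mail.example", "approved-storage.example"}

# Constructed sample proxy log: timestamp user method host bytes_out
SAMPLE_LOG = """\
2024-03-01T09:00:01Z alice POST files.approved-storage.example 52000
2024-03-01T09:02:10Z bob POST upload.quickshare.example 4800000
2024-03-01T09:05:44Z carol POST api.chat-assistant.example 12000
2024-03-01T09:06:02Z bob POST api.chat-assistant.example 9000
2024-03-01T09:07:30Z alice GET corp-mail.example 300
this line is malformed
2024-03-01T09:09:12Z dave POST UPLOAD.QuickShare.example. 1200000
"""

def is_sanctioned(host, allowed=SANCTIONED):
    """True if host is an approved domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    # Require a dot boundary so 'notapproved-storage.example' does not match.
    return any(host == d or host.endswith("." + d) for d in allowed)

def service_of(host):
    """Group hosts by their last two labels (a simplification; a
    production tool would use the Public Suffix List)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def find_shadow_it(log_text, allowed=SANCTIONED):
    """Return unsanctioned services ranked by bytes uploaded."""
    stats = defaultdict(lambda: {"users": set(), "bytes_out": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue  # skip malformed lines instead of failing the run
        _, user, _, host, bytes_out = parts
        if is_sanctioned(host, allowed):
            continue
        entry = stats[service_of(host)]
        entry["users"].add(user)
        entry["bytes_out"] += int(bytes_out)
    ranked = sorted(stats.items(), key=lambda kv: kv[1]["bytes_out"],
                    reverse=True)
    return [(svc, sorted(s["users"]), s["bytes_out"]) for svc, s in ranked]

if __name__ == "__main__":
    for svc, users, sent in find_shadow_it(SAMPLE_LOG):
        print(f"{svc}: users={users} bytes_out={sent}")
```

The ranked output doubles as input for the first measure in the list: services with many users point to a need the sanctioned tools are not meeting.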

Work with cybersecurity professionals

By partnering with digital forensic and cybersecurity experts who conduct regular assessments and monitor the network for vulnerabilities, you will be able to identify the use of unauthorised solutions and secure the network against the threats they pose.

The Cyanre family of companies offers a wide range of experts and cybersecurity specialisations and is able to offer end-to-end solutions for traditional and new and upcoming threats.