An old-time radio show used to start with the promise “The Shadow knows!” Yet when it comes to shadow IT, the problem is the exact opposite. Shadow IT is the stuff employees download onto a business system that IT doesn’t know about, and it can be a big problem.

You may have an IT policy telling employees not to download unsanctioned applications, but they want to boost their productivity, or perhaps they prefer to work with an app they already know and love. So, they get a tool or service that meets their needs without telling IT.

The employee may have the best of intentions. They want to work better for your business. They don’t see the harm in adding that convenient app to their computer. Or they don’t think it’s a big deal to use their own device to complete their work (even if unsanctioned). Maybe they want to be efficient, so they use a personal email account to conduct your business.

Any of these examples are part of Shadow IT, and it’s running rampant. In Frost & Sullivan research, 80% of employees admitted they had used non-approved software. Even 83% of IT workers were using non-vetted Software as a Service (SaaS) applications. So, what’s the big deal? We’ll cover that next.

The Potential Pitfalls with Shadow IT

First, if your business is in a regulated industry, Shadow IT could put you at risk of noncompliance. That unsanctioned device may not be encrypted. Sharing business data over a personal email would be a big no-no in a healthcare or banking space. Shadow IT certainly undermines audit accountability.

It can also drive up IT costs. Say accounting doesn’t know that the business has already paid to use certain software. So, they pay for it again out of their own budget.

If IT is unaware of the Shadow applications or devices, they can’t manage the vulnerabilities. The business doesn’t know customer data or personal identification information about employees is at risk.

And there is greater threat of a data breach or ransomware attack. Employees downloading a third-party app could inadvertently give a hacker access to your network.

Additionally, the business risks losing productivity. The work someone does on a shadow app, for example, could be lost to the company if that employee moves on. IT wouldn’t have access to that account to retrieve the information or files. They don’t even know it is out there on that unknown app or device.

Shine a Light on Shadow IT

Because this IT lingers in the shadows, it can be challenging to coral. Still, there are several steps you can take.

Educate employees about cyber policies.

Create and communicate acceptable use guidelines, and make sure your workers know what your policies are regarding:

• SaaS downloads;
• use of personal devices (e.g. mobile phones, laptops, USB flash drives, portable data storage devices);
• emailing from personal accounts or using messaging apps;
• online document sharing;
• online voice or meeting technology.

Establish clear information classifications distinguishing between public, private, and confidential data. This can help employees recognize they are putting important data at risk when they disregard use policies.

Do a dive to discover Shadow IT.

IT needs to get to know what technology is in use at the business (both on- and off-site). This is more challenging now with people working from home due to COVID-19. Still, a survey of employees and their devices can help gather information about unknowns.

Determine the value of IT discovered.

Don’t overreact. You don’t want to necessarily ban all Shadow IT that you discover. Some of the services could have value. Vet the applications or devices found or reported. Review their connection to private or confidential data or essential network systems. If several employees use an unsanctioned app, you may want to invest in it. With a professional version, your IT team can safely manage the app.

Deliver the IT your people need.

Why are people circumventing your IT policies? Are they are under pressure? Are they are looking to meet an unmet need? Are they are more comfortable with a familiar app or device? It’s important to understand what the employee is aiming to accomplish or why they’ve turned to shadow IT. This can help you identify IT needs and areas where you need to improve.

Shadow IT is data or applications that are outside your business protection. IT can only watch what it knows about. Shadow IT is unsafe and unpredictable.

There’s an app for that! Even for business purposes, you can bet this is the case. Yet a small business may be using online applications without understanding the risks. Here’s help.

Most businesses no longer have all their technology and software solutions on-site. The old cybersecurity perimeter around the IT premises is no longer going to be enough, not with so many applications available to you online and in the cloud.

Think of it this way: a firewall perimeter is like a moat around your business castle. No one could get in without crossing the drawbridge. That worked well before to secure your locally hosted server and desktop computers. Now, though, companies are relying more on cloud vendors and Software as a Service (SaaS), which means hackers could get in without using the drawbridge or crossing the moat. It’s like an alien invasion: cybercriminals teleport in without you even knowing it.

This is a big challenge for cybersecurity. Web apps are different from what you host in your secure company environment. Information is transmitted online. The solution itself is often hosted in the public cloud.

The big breaches so far of 2021 are examples of this threat:

In Ubiquiti’s cloud service for networking equipment and IoT device vendors, a data breach risked untold numbers of usernames, emails, phone numbers, and passwords.

A Microsoft Exchange server breach left more than 30,000 American companies scrambling. The computer giant had to hurry to patch an exploit believed to have originated in China.

An exploit of SolarWinds’s network management platform, Orion, is attributed to Russia. The breach targeted the U.S. Secretary of State and the government departments of Homeland Security and Commerce, plus the Treasury. Microsoft, Intel, Cisco, and Deloitte were also affected.

How to Amp Up Your Web App Security

Step 1: Inventory Your Web Apps

You need to know what you are using to fortify your defenses. This can also mean surveying employees about their use of unauthorized apps (known as Shadow IT). They likely mean no harm, but by downloading third-party apps IT doesn’t know about, they put your protection at risk.

The size or type of Web app doesn’t matter. IT needs to know every application the company and its employees are using.

Step 2: Enhance Security Measures

Turn on multi-factor authentication (MFA). Two-factor authentication (2FA) or similar provides an added barrier for the bad actor. Done right, you can cut the user experience friction and stymy the cybercriminal.

Step 3: Backup Your Data

If the worst does happen, you want immediate access to a backup of your important systems, as it can reduce your downtime. A current backup can also reduce the risk of your having to give in to a ransomware demand.

With cloud-based apps, business owners forget to backup data that was generated in the cloud. You will either want a third-party service to back up the data on your cloud services or to download a copy to a local computer.

Step 4: Track Third-Party Vendor and Cybersecurity News

With the inventory you completed in step 1, you’ll know what apps to follow. You might set an alert for announcements about those brands and “breach.” Also, make sure that your contact information with the third-party vendor is current. That way, you are sure to get any notifications they might make. Plus, immediately install any patches and security updates they provide.

Working with an IT company can help you beef up your security measures. Consider us the brave knights on the barricades helping to keep an eye out for attackers. A managed service provider can inventory your apps and make sure you are working safely. Contact us today at (515)422-1995.