Shadow IT: Balancing Efficiency with Security

Shadow IT: Balancing Efficiency with Security

  • By Eric Aarrestad
  • Jun 20, 2016

With great access comes great responsibility, especially with regard to IT security policies. In recent months, discussions around security have evolved to include the growing risks associated with Shadow IT. While the practice of Shadow IT has existed since computing became a staple of the workplace and tech-savvy employees started skirting the rules, the risks of Shadow IT have skyrocketed with the exponential rise of mobile devices and cloud technology.

Shadow IT is greatly propelled by cloud services, where individual employees or work groups within a company deploy these solutions without the approval of their IT department, or without following established security policies.

These apps are easy to install and many employees don’t understand how their behavior can jeopardize the security of the company. This is especially true of millennial employees who, as digital natives, are often perceived as technically proficient despite evidence to the contrary.

Convenience is frequently the motivating factor when an employee decides to bypass IT. If installing a non-approved app will help them get their job done more effectively—and going through sanctioned channels is seen as too complicated or unlikely to result in a positive outcome—then asking for forgiveness becomes easier than asking for permission.

It also doesn’t help that few organizations have a formal policy in place that publicizes white- and black-listed apps internally. With this direction, employees believe they are simply enhancing their productivity without understanding the potential consequences.

Mobile growth has compounded the issue further, as employees seek new ways to bring their work with them out of the office and off the local network. Cloud applications streamline this process, by making data available from any location and device. But what happens when the application has a backdoor that can be used by an attacker to access the corporate network? With network access and data, now accessible through an unauthorized application, and often with IT none the wiser, the risk to the organization is immeasurable.

Considering more than half of employees use two or more work devices, the potential for a data breach increases significantly, as each device becomes a new potential point of entry for attackers.

While CIOs undoubtedly recognize that unauthorized applications are in use in their organization, most CIOs can often underestimate the extent. In a typical enterprise, there are 15 to 20 times more unauthorized cloud applications in use than estimated by their IT department. As company data flows through these applications, tracking that data to ensure that it remains safeguarded becomes impossible. Often this flouting of security can happen just as often within the IT department.

According the results of our recent report, 45% of IT professionals admit to knowingly circumventing security policies at their workplace, while 33% say they have successfully hacked either their own company or that of another organization. Clearly policies related to Shadow IT need to be inclusive of those with privileged access.

All these findings support the idea that a company’s greatest vulnerability is the insider threat.  Bad behavior, human error and social engineering are often at the root of data breaches, and with Shadow IT, these actions can occur either on or off the corporate network, with the same devastating consequences. However, while the threat is rooted in people, so is the solution.

In responding to Shadow IT, companies can start by listening to their employees to learn what they need and provide more corporately-approved options based on that information. With the right tools on offer, a company can curb rogue app installations while increasing productivity.

Educating employees about data security will also help them make informed decisions. Training workshops and security policies can set clear expectations for employees while outlining the real-world consequences of exposing corporate data. Identifying the applications that are supported (or not) is another way to keep the message current and employees informed. Within the IT department, oversight must be maintained over all corporate networks, devices, and data. If a security incident occurs, IT should have a formal response plan in place so that the threat can be swiftly neutralized.  Automated alerts and tools that can be used to remotely freeze or disable compromised endpoints are an essential component of this type of remediation strategy.

Organizations can also contain the risk of Insider Threats by closing gaps in existing vulnerabilities. According to a Forbes Insights report, known vulnerabilities are the leading cause of data breaches, accounting for 44 percent of all incidents. A critical step in remediation is to improve the ability to prioritize and fill these security holes which will ultimately reduce your organization’s overall attack surface.

Regardless of whether companies see Shadow IT as a problem to be eliminated or an opportunity to improve practices within an organization, a response is imperative in order to reduce corporate risk.

Featured

  • It Always Rains in Florida

    Over the years, and many trips to various cities, I have experienced some of the craziest memorable things. One thing I always count on when going to Orlando is a massive rainstorm after the tradeshow has concluded the first day. Count on it, it is going to rain Monday evening. Expect that it will be a gully washer. Read Now

    • Industry Events

  • Live from GSX 2024 Preview

    It’s hard to believe, but GSX 2024 is almost here. This year’s show runs from Monday, September 23 to Wednesday, September 25 at the Orange County Convention Center in Orlando, Fla. The Campus Security Today and Security Today staff will be on hand to provide live updates about the security industry’s latest innovations, trends, and products. Whether you’re attending the show or keeping tabs on it from afar, we’ve got you covered. Make sure to follow the Live from GSX page for photos, videos, interviews, product demonstrations, announcements, commentary, and more from the heart of the show floor! Read Now

    • Industry Events

  • Elevate Your Business

    In today’s dynamic business environment, companies specializing in physical security are constantly evolving to remain competitive. One strategic shift these businesses can make to give them the advantage is a full or partial transition to a recurring revenue model, popularly called a subscription service. This approach will bring numerous benefits that not only enhance business stability but also improve customer relationships and drive innovation. Recurring monthly revenue (RMR) or recurring annual revenue (RAR) are two recurring cadence choices that work simply and effectively. Read Now

  • Playing a Crucial Role

    Physical security technology plays a crucial role in detecting and preventing insider cybersecurity threats. While it might seem like a stretch to connect physical security with cyber threats, the two are closely intertwined. Here’s how physical security technology can be leveraged to address both external and internal threats. Read Now

Most   Popular

Featured Cybersecurity

Webinars

New Products

  • Luma x20

    Luma x20

    Snap One has announced its popular Luma x20 family of surveillance products now offers even greater security and privacy for home and business owners across the globe by giving them full control over integrators’ system access to view live and recorded video. According to Snap One Product Manager Derek Webb, the new “customer handoff” feature provides enhanced user control after initial installation, allowing the owners to have total privacy while also making it easy to reinstate integrator access when maintenance or assistance is required. This new feature is now available to all Luma x20 users globally. “The Luma x20 family of surveillance solutions provides excellent image and audio capture, and with the new customer handoff feature, it now offers absolute privacy for camera feeds and recordings,” Webb said. “With notifications and integrator access controlled through the powerful OvrC remote system management platform, it’s easy for integrators to give their clients full control of their footage and then to get temporary access from the client for any troubleshooting needs.” 3

  • ResponderLink

    ResponderLink

    Shooter Detection Systems (SDS), an Alarm.com company and a global leader in gunshot detection solutions, has introduced ResponderLink, a groundbreaking new 911 notification service for gunshot events. ResponderLink completes the circle from detection to 911 notification to first responder awareness, giving law enforcement enhanced situational intelligence they urgently need to save lives. Integrating SDS’s proven gunshot detection system with Noonlight’s SendPolice platform, ResponderLink is the first solution to automatically deliver real-time gunshot detection data to 911 call centers and first responders. When shots are detected, the 911 dispatching center, also known as the Public Safety Answering Point or PSAP, is contacted based on the gunfire location, enabling faster initiation of life-saving emergency protocols. 3

  • EasyGate SPT and SPD

    EasyGate SPT SPD

    Security solutions do not have to be ordinary, let alone unattractive. Having renewed their best-selling speed gates, Cominfo has once again demonstrated their Art of Security philosophy in practice — and confirmed their position as an industry-leading manufacturers of premium speed gates and turnstiles. 3