Shadow IT: Balancing Efficiency with Security

Shadow IT: Balancing Efficiency with Security

With great access comes great responsibility, especially with regard to IT security policies. In recent months, discussions around security have evolved to include the growing risks associated with Shadow IT. While the practice of Shadow IT has existed since computing became a staple of the workplace and tech-savvy employees started skirting the rules, the risks of Shadow IT have skyrocketed with the exponential rise of mobile devices and cloud technology.

Shadow IT is greatly propelled by cloud services, where individual employees or work groups within a company deploy these solutions without the approval of their IT department, or without following established security policies.

These apps are easy to install and many employees don’t understand how their behavior can jeopardize the security of the company. This is especially true of millennial employees who, as digital natives, are often perceived as technically proficient despite evidence to the contrary.

Convenience is frequently the motivating factor when an employee decides to bypass IT. If installing a non-approved app will help them get their job done more effectively—and going through sanctioned channels is seen as too complicated or unlikely to result in a positive outcome—then asking for forgiveness becomes easier than asking for permission.

It also doesn’t help that few organizations have a formal policy in place that publicizes white- and black-listed apps internally. With this direction, employees believe they are simply enhancing their productivity without understanding the potential consequences.

Mobile growth has compounded the issue further, as employees seek new ways to bring their work with them out of the office and off the local network. Cloud applications streamline this process, by making data available from any location and device. But what happens when the application has a backdoor that can be used by an attacker to access the corporate network? With network access and data, now accessible through an unauthorized application, and often with IT none the wiser, the risk to the organization is immeasurable.

Considering more than half of employees use two or more work devices, the potential for a data breach increases significantly, as each device becomes a new potential point of entry for attackers.

While CIOs undoubtedly recognize that unauthorized applications are in use in their organization, most CIOs can often underestimate the extent. In a typical enterprise, there are 15 to 20 times more unauthorized cloud applications in use than estimated by their IT department. As company data flows through these applications, tracking that data to ensure that it remains safeguarded becomes impossible. Often this flouting of security can happen just as often within the IT department.

According the results of our recent report, 45% of IT professionals admit to knowingly circumventing security policies at their workplace, while 33% say they have successfully hacked either their own company or that of another organization. Clearly policies related to Shadow IT need to be inclusive of those with privileged access.

All these findings support the idea that a company’s greatest vulnerability is the insider threat.  Bad behavior, human error and social engineering are often at the root of data breaches, and with Shadow IT, these actions can occur either on or off the corporate network, with the same devastating consequences. However, while the threat is rooted in people, so is the solution.

In responding to Shadow IT, companies can start by listening to their employees to learn what they need and provide more corporately-approved options based on that information. With the right tools on offer, a company can curb rogue app installations while increasing productivity.

Educating employees about data security will also help them make informed decisions. Training workshops and security policies can set clear expectations for employees while outlining the real-world consequences of exposing corporate data. Identifying the applications that are supported (or not) is another way to keep the message current and employees informed. Within the IT department, oversight must be maintained over all corporate networks, devices, and data. If a security incident occurs, IT should have a formal response plan in place so that the threat can be swiftly neutralized.  Automated alerts and tools that can be used to remotely freeze or disable compromised endpoints are an essential component of this type of remediation strategy.

Organizations can also contain the risk of Insider Threats by closing gaps in existing vulnerabilities. According to a Forbes Insights report, known vulnerabilities are the leading cause of data breaches, accounting for 44 percent of all incidents. A critical step in remediation is to improve the ability to prioritize and fill these security holes which will ultimately reduce your organization’s overall attack surface.

Regardless of whether companies see Shadow IT as a problem to be eliminated or an opportunity to improve practices within an organization, a response is imperative in order to reduce corporate risk.

Featured

  • Survey: 60 Percent of Organizations Using AI in IT Infrastructure

    Netwrix, a cybersecurity provider focused on data and identity threats, today announced the release of its annual global 2025 Cybersecurity Trends Report based on a global survey of 2,150 IT and security professionals from 121 countries. It reveals that 60% of organizations are already using artificial intelligence (AI) in their IT infrastructure and 30% are considering implementing AI. Read Now

  • New Research Reveals Global Video Surveillance Industry Perspectives on AI

    Axis Communications, the global industry leader in video surveillance, has released its latest research report, ‘The State of AI in Video Surveillance,’ which explores global industry perspectives on the use of AI in the security industry and beyond. The report reveals current attitudes on AI technologies thanks to in-depth interviews with AI experts from Axis’ global network and a comprehensive survey of more than 5,800 respondents, including distributors, channel partners, and end customers across 68 countries. The resulting insights cover AI integration and the opportunities and challenges that exist with regard to security, safety, business intelligence, and operational efficiency. Read Now

  • SIA Urges Tariff Relief for Security Industry Products

    Today, the Security Industry Association has sent a letter to U.S. Trade Representative Jamieson Greer and U.S. Secretary of Commerce Howard Lutnick requesting relief from tariffs for security industry products and asking that the Trump administration formulate a process that allows companies to apply for product-specific exemptions. The security industry is an important segment of the U.S. economy, contributing over $430 billion in total economic impact and supporting over 2.1 million jobs. Read Now

  • Report Shows Cybercriminals Continue Pivot to Stealthier Tactics

    IBM recently released the 2025 X-Force Threat Intelligence Index highlighting that cybercriminals continued to pivot to stealthier tactics, with lower-profile credential theft spiking, while ransomware attacks on enterprises declined. IBM X-Force observed an 84% increase in emails delivering infostealers in 2024 compared to the prior year, a method threat actors relied heavily on to scale identity attacks. Read Now

  • 2025 Security LeadHER Conference Program Announced

    ASIS International and the Security Industry Association (SIA) – the leading membership associations for the security industry – have announced details for the 2025 Security LeadHER conference, a special event dedicated to advancing, connecting and empowering women in the security profession. The third annual Security LeadHER conference will be held Monday, June 9 – Tuesday, June 10, 2025, at the Detroit Marriott Renaissance Center in Detroit, Michigan. This carefully crafted program represents a comprehensive professional development opportunity for women in security this year. To view the full lineup at this year’s event, please visit securityleadher.org. Read Now

    • Industry Events

New Products

  • A8V MIND

    A8V MIND

    Hexagon’s Geosystems presents a portable version of its Accur8vision detection system. A rugged all-in-one solution, the A8V MIND (Mobile Intrusion Detection) is designed to provide flexible protection of critical outdoor infrastructure and objects. Hexagon’s Accur8vision is a volumetric detection system that employs LiDAR technology to safeguard entire areas. Whenever it detects movement in a specified zone, it automatically differentiates a threat from a nonthreat, and immediately notifies security staff if necessary. Person detection is carried out within a radius of 80 meters from this device. Connected remotely via a portable computer device, it enables remote surveillance and does not depend on security staff patrolling the area.

  • ComNet CNGE6FX2TX4PoE

    The ComNet cost-efficient CNGE6FX2TX4PoE is a six-port switch that offers four Gbps TX ports that support the IEEE802.3at standard and provide up to 30 watts of PoE to PDs. It also has a dedicated FX/TX combination port as well as a single FX SFP to act as an additional port or an uplink port, giving the user additional options in managing network traffic. The CNGE6FX2TX4PoE is designed for use in unconditioned environments and typically used in perimeter surveillance.

  • AC Nio

    AC Nio

    Aiphone, a leading international manufacturer of intercom, access control, and emergency communication products, has introduced the AC Nio, its access control management software, an important addition to its new line of access control solutions.