Shadow IT and the extra risk it presents
What is 'shadow' IT and should I be scared of it?
Shadow IT is a common problem across all varieties of Enterprise today and can be a serious security risk. In many big organizations 'shadow' IT evolves to work around shortcomings, either perceived or real, in company IT systems and typically happens when solutions or systems get deployed by departments other than the central IT team. And yes, you should be scared - it's one of the biggest insider threats that there is when it comes to system vulnerabilities.
It's not unusual for companies to have IT skills in many functions, not just within the actual IT function - and while it can be helpful to have super-users, it can also be a massive risk when some of these often well-intentioned employees end up customizing existing solutions or even worse, deploying new ones you didn't even know about, resulting in a fragmented application landscape without any consistency with IT policy or adherence to the security model. Governance? What governance?
It's true that IT departments can often be a source of frustration to their user base who simply wants a more agile approach to doing their knowledge-worker job. While IT may be constrained by both budget and resource centrally, effectively unable to deliver in many cases, departmental resources can spring up and 'build it themselves' - Access databases, anyone? Can't get a timely response from your internal IT team? If your company 'has a guy' who can help with that, you might have a shadow IT problem.
While Shadow IT can sometimes be a source of innovation when it comes to prototyping and user acceptance testing, the overall increase in security risks are where things can easily get out of hand. Some of the more damaging recent public data breaches have been linked to shadow IT within an organization not following the appropriate security protocols and publishing application extensions internally that resulted in an eventual exploit. And then there's the cost problem - it's interesting to note that shadow IT is also one of the biggest cost risks to an enterprise, frequently representing 30% - 40% of all total IT spend within an organization.
When unsanctioned apps are used in an organization, or worse, developed outside the control of IT, the results can be disastrous, with tools in play on a network that are undocumented, unmonitored and uncontrolled, creating serious security blind spots that will never be remediated. Infected systems, data loss, industrial espionage - all possible outcomes when shadow IT is a problem.
Fortunately, like with many Information Security challenges, there are ways to mitigate the risk associated with Shadow IT. We can help.