General

The NCSC has published new guidance on how to identify and reduce the levels of shadow IT in your organisation. Shadow IT refers to the unknown assets that are used within an organisation for business purposes. These assets are not accounted for by asset management, nor aligned with corporate IT processes or policy, and they can pose a risk to your organisation.

What is shadow IT?

Shadow IT refers to the use of unknown assets in an organisation without the knowledge or approval of the IT department. Whilst often thought of in terms of devices, shadow IT also applies to cloud technologies. An example of this would be if users are storing sensitive, enterprise data in their personal cloud accounts.

Reasons for Shadow IT are rarely malicious and can include:

• Lack of sufficient storage space
• Inability to share data with a third party
• Not having access to necessary services (e.g development tools)
• The approved tools or SaaS (software as a service) services not providing the required functionality

Types of shadow IT

Unmanaged devices

This can include:

• An employees personal device on the core enterprise network
• Equipment providing a critical service that is configured incorrectly
• IoT or other smart devices employees have connected without security approval (smart doorbells, printers, etc.)
• Wifi access points to provide coverage or types of access that the organisation has not provided

Unmanaged services

Theses tend to be less well understood than the devices and can include:

• Messaging or video conferencing services that have not been approved, therefore have no monitoring in place
• External cloud storage services to share files with third parties (or to allow staff to work from home using an unauthorised device)
• The usage of third-party tools that could be gathering corporate information

Shadow IT risks

Threats that shadow IT can introduce that are not present on corporate IT include:

• Data Theft

Without control of the services processing data (or devices that hold data), you can’t be sure appropriate backups are being made. This can expose an organisation to the threat of ransomware, legal issues around data handling, reputational damage and recovery costs.

• Exploitation of services or devices

Organisations can be exposed to the threats from malware, network monitoring, and lateral movement as a result of controls to prevent exploitation not being applied. With shadow IT you can’t assume that controls are in place, such as antivirus software or well-configured firewalls.

How to identify and reduce shadow IT

If employees are turning to insecure workarounds to ‘get the job done’ then that would suggest that existing policies need refining so staff aren’t compelled to use shadow IT solutions. The NCSC’s guidance provides a number of recommendations for identifying and reducing shadow IT, including:

Organisational Mitigations

• Anticipate user needs. Avoid unnecessary lockdowns of enterprise IT and implement a process for addressing user requests promptly.
• Provide controlled access to unsanctioned services. This will help to bring shadow IT under control.
• Develop a good cyber security culture of open communication. This will encourage employees to report instances of shadow IT.

Technical Mitigations

There are a range of technologies and commercial solutions that can help organisations manage the risk of shadow IT on the enterprise network. This includes X.509 certification, network scanners, cloud access security brokers (CASBs), secure access secured edge (SASE), and unified endpoint management (UEM). Each of these are broken down in the NCSC guidance.

Conclusion

Most organisations will have some level of shadow IT, but if shadow IT is prevalent, risk management becomes more difficult because you won’t have a full understanding of what you need to protect. Organisations tackling shadow IT should understand that technical controls are only part of the solution. By identifying the user needs of your organisation, you can gain insight into why shadow IT happens in the first place, and then respond strategically to help prevent future instances.

By following the NCSC’s guidance the threats posed by shadow IT can be mitigated. In taking steps to identify and reduce shadow IT, an organisation can help to protect their data, comply with regulations, and improve productivity.

CyberScotland also has helpful resources for staff training that can help reduce shadow IT.