Dealing with software IT hasn’t approved — Shadow IT

Shadow IT has become more common within companies in various industries, mainly through remotely based employees deviating from tools provided by the IT department and looking for more agile alternatives. But while making use of new software and applications may lead to tasks being completed faster, shadow IT does come with the risk of vulnerabilities. In this article, we explore how IT teams can deal with shadow IT, and mitigate security risks while continuing to maintain high performance.

Prioritise collaboration

Cross-department collaboration has become more vital than ever over the past year, and this is no exception when it comes to dealing with shadow IT.

Richard Slater, head of managed services at Amido, explained: “Shadow IT is an interesting problem, it’s certainly of great concern to businesses and the risk of exposure through these practices has risen several notches due to the rise of remote working over the year.

“The trick to countering this issue though is to start saying ‘yes’ rather than defaulting to ‘no’. Making a concerted effort to understand why teams have deployed unapproved tech fosters a more collaborative culture, and once you have this understanding you can help them in the area that they are trying to help themselves.

“By being more open and honest, you’re encouraging teams to come to you with problems for help implementing secure solutions rather than making the initial problem far worse. Much of the problem around shadow IT comes from the perception that IT teams aren’t attuned to the needs of the organisation, but prioritising collaboration helps to combat this perception and lower the risk of shadow IT.”

Implement visibility

It’s important to implement increased visibility in order to keep the organisation secure, and Steve Bradford, senior vice-president EMEA at Sailpoint, recommends using identity security tools to achieve this.

“When you think of Shadow IT, pictures of monsters who go bump in the night come to mind. But in reality, Shadow IT is a genuine threat to organisations, not a spooky bedtime story to scare the children,” said Bradford.

“How does an IT department get visibility into, and control over, the hundreds of unsanctioned apps (aka Shadow IT) that their workforce is now using? Often, this is 3-4 times more than what IT teams are aware of.

“Teams need to put these worries to rest by implementing strong visibility through identity security. This security practice ensures security and compliance – automatically – while also giving users maximum flexibility as SaaS needs to evolve. It provides IT teams with a real understanding of who has access to what in a system, and where the vulnerabilities lie – making them far better equipped to monitor for or respond to a breach.

“Implementing this is the only secure path forward, and the only way to rest easy with a pint in hand at the end of a long workday.”

Julien Escribe, partner at ISG, added: “The only way to address these risks starts by measuring the degree of usage of shadow IT.

“The market is now mature with technical offerings that will enforce this monitoring. Minimising the risks comes from having a greater network visibility and control on Shadow IT through detection and mitigation.”

Security and scalability

When it comes to overseeing networks that serve both remote and office-based staff, as is the case with hybrid workforces, security and scalability need to be high on the IT agenda.

“To remain competitive, every business needs innovative technology to fit into CI/CD timeline and development cycle,” said Prakash Sinha, senior director, application delivery solutions at Radware.

“If developers can’t get the necessary support from IT, they will seek the required resources from third‐party services. This leads to potential security as well as financial and ownership issues.

“For enterprises with Shadow IT, security and scalability must be a part of IT’s self-service, orchestration, and automation systems that do not require additional effort from those driving adoptions of Shadow IT applications and services.”

Reach out to staff

Finally, as well as generally collaborating with employees, it’s a good idea for IT teams to collate and gauge feedback from staff on problems that can be solved internally.

Kevin Reed, CISO at Acronis, said: “Shadow IT appears when employees decide to solve a problem they’re facing – and for some reason, they believe their IT team to be unable to help solve it.

“A good example is Slack – a semi-open platform with all its chats moved to cloud, which appeared over 10 years ago and would never have gotten through any CISO in his/her right mind back then.

“The right course of action is for IT teams to reach out to employees: to identify their burning needs first – and figure out a way to provide for them securely, without involving any unsecure solutions or platforms.

“To be perfectly honest, I know very few companies who follow this proactive approach – when it should have become standard practice in 2020.”

Aaron Hurst

Aaron Hurst is Information Age's senior reporter, providing news and features around the hottest trends across the tech industry.