Shadow IT: The Hidden Insider Threat
- Stephen M. Dye
- Aug 29, 2024
- 4 min read
Stephen Dye August 19, 2024
When I first ventured into the world of cybersecurity, I was taught that the greatest threat to an organization’s security often comes from within. This “insider threat” typically refers to someone who, with access to sensitive information, deliberately causes harm. However, through experience, I quickly learned that not all insider threats are driven by malice. There is another type that is often overlooked but can be just as dangerous: the well-meaning employee who unknowingly compromises security through the use of shadow IT.
What is Shadow IT?
Shadow IT happens when employees use devices, software, or services without the green light from the IT department. This can range from accessing work email on a personal device to installing unauthorized software to get a job done faster. While these actions might seem harmless, or even helpful, they can open the door to significant security risks. Cloud-based services and mobile apps have made shadow IT more common and easier to adopt. Employees often turn to these tools to be more productive, bypassing the sometimes slow and cumbersome process of getting IT approval. Why wait weeks for the IT department to roll out a new tool when you can download an app in seconds that does exactly what you need?
The Well-Meaning Insider
We often focus on malicious insiders, but the well-meaning ones can be just as risky. These are the folks who, thinking they are helping the company, unintentionally create vulnerabilities. They might not grasp the full impact of their actions or understand the risks of sidestepping IT protocols. Imagine this: an employee finds the company’s file-sharing system too slow, so they start using a third-party cloud storage service like Dropbox or Google Drive. Their goal? To work faster and collaborate better. But in doing so, they may inadvertently expose sensitive company data to unauthorized access or breaches.
Similarly, a marketing team might adopt a new analytics tool to track customer engagement. Without proper IT vetting, this tool could introduce vulnerabilities or fail to comply with data protection laws, leading to serious legal and financial issues.
The Risks of Shadow IT
Shadow IT poses numerous risks. It creates blind spots for the IT department, making it hard to see how data is accessed, shared, and stored. This lack of visibility makes it much harder to detect and respond to security incidents quickly: you cannot monitor a service you do not know is in use. Shadow IT can also lead to data being scattered across multiple platforms, many of which may not meet the organization’s security standards. This not only increases the risk of data breaches but also complicates compliance with regulations such as GDPR and HIPAA, and with frameworks such as SOC 2 and ISO 27001, all of which require strict control over data access and storage.
Another risk is that these unauthorized tools might introduce malware or other malicious software into the network. Many shadow IT applications lack the robust security features of enterprise-grade software, making them easy targets for cybercriminals. Once inside, malware can spread quickly, causing widespread damage. Even something as simple as using Windows 11 Home instead of the more secure Enterprise edition can pose risks: the Home edition cannot join a domain or be managed through Group Policy, so the security baseline applied to managed machines never reaches it.
The Role of IT and Leadership
Dealing with shadow IT requires a thoughtful approach. IT departments need to balance enforcing security policies with enabling employees to be productive. This can be done through education, clear communication, and providing approved tools that meet employees' needs.
Education is key. Employees need to understand the risks of shadow IT and the potential consequences of their actions. Regular training can help build a culture of security awareness, where following IT protocols is seen not as a pain, but as a way to protect the organization’s assets. Clear communication is also crucial. IT teams should collaborate with other departments to understand their needs and challenges. By doing so, they can offer approved solutions that meet business requirements without compromising security. When employees feel their needs are met, they are less likely to seek out unauthorized tools.
But this is not enough. Having held multiple cyber leadership roles, I know that policies, training, and communication only go so far. Monitoring is essential, and it is no surprise that NIST includes Monitor as a step in its Risk Management Framework (RMF). So how do you monitor for shadow IT? Tools and spot checks are a good start: proxy, DNS, and firewall logs will show which services your users actually reach, and comparing that list against what IT has approved is the simplest possible shadow IT discovery. With the right measures in place, shadow IT can be effectively managed. Here are a few steps that will go a long way:
Software and Hardware Allow Lists: Default-deny, with exceptions only for approved software and hardware, so anything not on the list is blocked rather than merely flagged.
Data Loss Prevention (DLP): Blocks or alerts on data being transferred to resources outside the organization, such as uploads to unsanctioned cloud storage or personal email.
Zero Trust Architecture (ZTA): Brings strict access control, micro-segmentation, device posture assessment, anomaly detection, behavioral analysis, and automated policy enforcement, so an unmanaged device or unapproved service does not get access simply because it is on the corporate network.
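As an added example (not code from the post or from Uplift Cyber), the following script shows the discovery step that the monitoring paragraph and the allow-list and DLP items above describe: it reads web-proxy records, checks each destination against an allow list of sanctioned services, and reports every unsanctioned destination together with who used it and how much data was uploaded to it. The log format (CSV with timestamp, user, method, host, bytes out), the allow-list entries, the log lines, and the one-megabyte upload threshold are all constructed for this example; a real deployment would feed it exported proxy or CASB logs and the organization’s own sanctioned-app list.

```python
"""Shadow-IT discovery from web-proxy logs.

Compares observed SaaS destinations against a sanctioned-application allow list
and flags unsanctioned services that receive uploads (a crude DLP signal).
Constructed example; the log lines and allow list are not real data.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed allow list of sanctioned services (hypothetical names).
# Matching is by DNS label suffix, so "files.corp-drive.example" matches
# "corp-drive.example" but "corp-drive.example.evil" does not.
SANCTIONED = {"corp-drive.example", "mail.example.com", "crm.example.net"}

# Constructed proxy export, loosely modelled on a CSV proxy log:
# timestamp,user,method,host,bytes_out
SAMPLE_LOG = """\
2024-08-19T09:01:12Z,alice,GET,files.corp-drive.example,512
2024-08-19T09:03:40Z,bob,POST,www.dropbox.com,52428800
2024-08-19T09:05:02Z,carol,GET,drive.google.com,2048
2024-08-19T09:06:15Z,carol,PUT,drive.google.com,8388608
2024-08-19T09:07:55Z,dave,GET,analytics-vendor.example,1024
2024-08-19T09:10:30Z,alice,POST,mail.example.com,4096
2024-08-19T09:11:01Z,eve,POST,www.dropbox.com,1048576
"""


@dataclass
class Record:
    ts: str
    user: str
    method: str
    host: str
    bytes_out: int


def parse_log(text: str) -> list[Record]:
    """Parse the constructed CSV format into Record objects, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, method, host, bytes_out = line.split(",")
        records.append(Record(ts, user, method.upper(), host.lower(), int(bytes_out)))
    return records


def is_sanctioned(host: str, allow: set[str] = SANCTIONED) -> bool:
    """True if host equals, or is a subdomain of, an allow-listed domain."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in allow for i in range(len(labels)))


def discover_shadow_it(records, allow=SANCTIONED, upload_threshold=1_000_000):
    """Aggregate unsanctioned destinations: who uses them and how much they upload.

    Only POST/PUT bytes count as uploads. Returns a dict ordered by bytes uploaded:
    {host: {"users": [...], "bytes_uploaded": int, "flag": bool}}.
    """
    agg = defaultdict(lambda: {"users": set(), "bytes_uploaded": 0})
    for r in records:
        if is_sanctioned(r.host, allow):
            continue  # approved service; nothing to report
        entry = agg[r.host]
        entry["users"].add(r.user)
        if r.method in ("POST", "PUT"):
            entry["bytes_uploaded"] += r.bytes_out
    report = {}
    for host, entry in agg.items():
        report[host] = {
            "users": sorted(entry["users"]),
            "bytes_uploaded": entry["bytes_uploaded"],
            "flag": entry["bytes_uploaded"] >= upload_threshold,
        }
    return dict(sorted(report.items(), key=lambda kv: -kv[1]["bytes_uploaded"]))


if __name__ == "__main__":
    for host, info in discover_shadow_it(parse_log(SAMPLE_LOG)).items():
        marker = "UPLOAD >= THRESHOLD" if info["flag"] else ""
        users = ",".join(info["users"])
        print(f"{host:26} users={users:10} uploaded={info['bytes_uploaded']:>10} {marker}")
```

On the constructed data, the two consumer storage services surface with uploads above the threshold while the analytics vendor shows only downloads; the first two are candidates for a DLP block or a sanctioned replacement, the third for a vendor review. Suffix matching by whole DNS label, rather than substring matching, is deliberate: a substring check would let an attacker-registered look-alike such as a sanctioned name with extra labels appended pass as approved.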
Conclusion
While the malicious insider will always be a significant threat, we must not overlook the danger posed by well-meaning employees using shadow IT. These individuals, trying to do the right thing, can unknowingly create vulnerabilities that put the entire organization at risk. By understanding the risks, educating employees, and fostering collaboration between IT and other departments, organizations can mitigate the threat of shadow IT and strengthen their security posture.
In a world where the insider threat is often viewed as malicious, it is important to remember that sometimes the most dangerous threats come from those who simply do not know any better. If you are the CIO, the privacy chief, the risk chief, or the general counsel, you will not want shadow IT in your organization. And as a CISO, I urge you to start hunting for shadow IT and to ensure that you have a solid policy in place to prevent it.
Stephen Dye is the Principal at Uplift Cyber, a cyber security consulting practice, dedicated to ransomware protection advisory, uplifting the cyber security of businesses, and software assurance. He just published the book: Managed Detection and Response Services: A Cyber Stakeholders Guide available on Amazon.
#Cybersecurity, #ShadowIT, #InsiderThreats, #DataSecurity, #ITSecurity, #ZeroTrust, #CyberAwareness, #SecurityRisks, #Infosec, #CISO, #DataProtection, #RiskManagement, #CloudSecurity, #CyberThreats