Find out exactly what shadow IT is, how it creeps into use by remote workers, its risks, as well as how to mitigate the risks. 

Businesses have cause for security concerns over non-compliant IT in use by remote and office-based workers: in other words, employees’ own devices, applications and software that are not aligned with corporate policies, particularly those around security. 

Shadow, or grey, IT 

This is often referred to as ‘shadow’ or ‘grey’ IT, because employees’ own personal technology is ‘unseen’ by the organisation. This unregulated use of unknown hardware and software by employees, and in some cases by whole departments, greatly increases the risks that arise from a lack of cybersecurity controls.  

Employees risk organisational security 

While it’s broadly accepted that there will always be minor elements of shadow IT in play, particularly within large organisations, wherever shadow IT exists the security risks grow exponentially. It is the lack of oversight of apps and personal devices that means employees effectively take their employer’s online security into their own hands – or not, as the case may be.  

‘Going rogue’ 

Employees ‘going rogue’ and using their own software, hardware and personal-use cloud applications is not, generally, the result of any malicious intent. More often it stems from frustration at the organisation’s unwillingness, delay or lack of capability to innovate working practices. 

Here are some of the other common reasons employees might ‘go rogue’: 

  • Frustration at lack of storage space 
  • No other means of sharing data with third parties 
  • Lack of sanctioned tools to do the job 
  • Lack of sanctioned conferencing or messaging tool 
  • Long-winded processes for requesting tools and devices 

Use of own IT is not BYOD (Bring Your Own Device) 

There may also be a complete lack of awareness that using their own applications and devices is against the rules – which is a management, communication and policy issue.  

While bringing your own device (BYOD) might be sanctioned by the organisation, in many cases employees go ahead and do this without the necessary checks and controls being put in place – that is, without adherence to any BYOD policy. 

Common examples of shadow IT 

  • Unapproved, external, third-party storage used to share files 
  • Equipment, servers brought in by employees or contractors, without your organisation’s approval 
  • Any personal device not configured by your organisation 
  • Wi-Fi access points your organisation hasn’t provided 
  • Unapproved messaging / video conferencing applications 
  • Unmanaged cloud platforms used as testing environments by developers 

In summary – the use of ANY unauthorised devices, systems or applications out of alignment with your business policies and procedures is shadow IT, and it puts online safety and security at risk. 

The risks of shadow IT 

A lack of encryption, backups and allow/deny lists all leave your data vulnerable to ransomware and to legal issues around data handling, leading to reputational damage and the costs of recovery. 

When it comes to devices, you can’t assume that your risk-mitigating controls, such as well-configured firewalls, antivirus software and multi-factor authentication (MFA), are in place. As a result, threats to your organisation can come from malware (including ransomware) and from network monitoring. 

Mitigating shadow IT 

Keep in mind that employees are usually just trying to get their job done and generally don’t pose an intentional threat to your organisation.  

The approach to mitigating shadow IT must be multi-pronged and include: 

  • Getting a robust, efficient process in place for users to request tools, services and devices
  • Anticipating users’ needs so they never need to resort to shadow IT 
  • Embedding a good cybersecurity-first culture
  • Embedding a process for staff to bring in unsanctioned IT, if required 

For advice about effective BYOD policies you can see the National Cyber Security Centre’s guidance and speak to us at Cultrix about setup and implementation. 

For advice about the right IT, tools and security to achieve your business goals, get in touch. Our consultants are never happier than when innovating process and technology to improve efficiency and enable more secure, compliant working.  
