Have you ever wondered what might be hiding in the shadows of your network? Do you really know what your employees are doing, or whether they’re jeopardizing your institution’s security? You’re not the only one asking these questions. Shadow IT, or the use of unauthorized software, apps and services by employees, is a constant worry for organizations and with good reason. One recent report found that over 80% of apps used in the enterprise aren’t cleared by IT admins. Another, an analysis of government cloud use, suggested the true number of apps in use is ten to twenty times higher than what was reported by IT departments, proving the existence of the shadow IT risk.
These fears are easy to understand, as all kinds of shadow IT activity create attack surfaces that lie in IT administrators' blind spots. Widely used messaging apps like Slack and Skype can leave sensitive communications fully visible and unprotected, and popular productivity services like Box, Dropbox and Google Drive cause endless security headaches when used surreptitiously. Furthermore, this may always be an uphill battle for the organization, as employees prove time and again that they won't be dissuaded from using the platforms they want to, regardless of what IT tells them.
So what’s to be done? The knee-jerk reaction may be to further restrict employee activity and create more stringent policies to prevent unauthorized app use by force. However, we’ve seen firsthand how this usually works out. In 96% of assessments we carry out, employees actively bypass security policies, which means that further locking down the organization will probably have little impact. Plus, excessive restriction can stifle employee productivity by keeping them from the tools that help them do their jobs most efficiently.
While it may seem counterintuitive at first, the mantra of "trust, but verify" applies here. Simply using an unauthorized app isn't a red flag in itself; what matters is having the proper context on what it is being used for. At the same time, adopting a more liberal policy without making fundamental changes to organizational security does nothing to address the inherent risks of Shadow IT.
These considerations can be distilled into two easy steps for reassessing your approach to Shadow IT. First, embrace the inevitable: employee software usage will never be fully contained to your list of approved apps, so you might as well lift restrictions and let employees do their jobs in the most efficient ways. Second, make sure this is followed by increasing awareness of unusual or risky patterns in user activity by deploying a way to track insider threats, something we maintain is best done through an endpoint agent that fully respects employee privacy while ensuring organizational security. This will make it readily apparent which instances of Shadow IT are being used safely and productively, and which are risky — or even potentially malicious.
Continuing to audit and restrict user access is a futile and damaging approach to containing the ever-present Shadow IT risk. But this doesn't have to be a black-and-white situation. Through the use of sophisticated endpoint analytics, security teams can win the war: users keep the access they need to be productive, while the security team retains the ability to define, detect and address the threats that these open policies will inevitably introduce. Accept that shadow IT will never be fully eliminated, stop wasting time trying to enforce unenforceable policies, and shift your focus to pinpointing which risks pose a legitimate threat.
Need a partner in the battle? Identifying threats is what makes us tick. We can help.