In the pandemic era, many organizations prioritize business continuity at the expense of cybersecurity. Especially in the early days of the pandemic, the focus was on just getting things done – supporting a rapid shift to remote working and new ways of reaching customers. This meant loosening certain policies to support staff as they made major adjustments. It was certainly justifiable before. But as we enter a new phase characterized by the post-pandemic hybrid workplace, it’s also created a whole new layer of opacity for IT teams to deal with. The challenge is that cyber-related risk thrives in the shadows.

Cybersecurity for the hybrid workplace mini-series:
The hybrid workplace: What does it mean for cybersecurity?
Protecting the hybrid workplace through Zero Trust security
Tackling the insider threat to the new hybrid workplace
Why cloud security is the key to unlocking value from hybrid working
Examining threats to device security in the hybrid workplace

The bottom line is that employee use of software and devices outside of the purview of IT could, if left unchecked, become a major threat to your organization. The question is what to do about it, when even the scale of the problem can be difficult to discern.

What is shadow IT?

Shadow IT has been around for years. The umbrella term could refer to any application, solution or hardware used by employees without the consent and control of the IT department. Sometimes these are enterprise-grade technologies, just bought and used without IT’s knowledge. But more often than not they’re consumer tech, which may expose the organization to additional risk.

There are various aspects to shadow IT. It could include:

  • Consumer-grade file storage designed to help workers collaborate more efficiently with each other.
  • Productivity and project management tools that can also boost collaboration and the ability of staff to get through day-to-day tasks.
  • Messaging and email to drive more seamless communication with both work and non-work contacts.
  • Cloud Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) systems, which could be used to host unsanctioned resources.

Why is it happening?

Shadow IT usually comes about because employees are fed up with inefficient corporate IT tools that they feel puts a block on productivity. With the advent of the pandemic, many organizations were forced to allow staff to use their personal devices to work from home. This opened the door to downloads of unsanctioned apps.

It’s compounded by the fact that many staff are ignorant of corporate security policy, or that IT leaders themselves have been forced to suspend such policies to “get things done.” In one recent study, 76 percent of IT teams admit that security was de-prioritized in favor of business continuity during the pandemic, while 91 percent say they felt pressure to compromise security.

The pandemic may also have encouraged greater use of shadow IT because IT teams themselves were less visible to workers. This made it harder for users to check before using new tools and may have psychologically made them more pre-disposed to disobey official policy. A 2020 study claims that over half (56 percent) of global remote workers used a non-work app on a corporate device, and 66 percent uploaded corporate data to it. Nearly a third (29 percent) said they feel they can get away with using a non-work app, as IT-backed solutions are “nonsense.”

The scale of the problem

While pandemic-related BYOD use can partly explain shadow IT risk, it’s not the full story. There’s also a threat from specific business units hosting resources in the corporate IaaS or PaaS cloud that therefore go unaccounted for. The problem here is that many misunderstand the nature of the shared responsibility model in the cloud and assume the service provider (CSP) will take care of security. In fact, securing apps and data is down to the customer organization. And it can’t protect what it can’t see.

Unfortunately, the very nature of shadow IT makes it difficult to understand the true scale of the problem. A 2019 study reveals that 64 percent of US workers had created at least one account without involving IT. Separate research claims that 65 percent of staff working remotely before the pandemic use tools that aren’t sanctioned by IT, while 40 percent of current employees use shadow communication and collaboration solutions. Interestingly, that same study notes that propensity for shadow IT varies with age: only 15 percent of baby boomers say they engage in it, as opposed to 54 percent of millennials.

Why is shadow IT a threat?

What is beyond question is the potential risk that shadow IT can introduce to the organization. In one case from earlier this year, a US contact-tracing company may have exposed the details of 70,000 individuals after employees used Google accounts for sharing info as part of an "unauthorized collaboration channel."

Here’s a quick roundup of the potential risk of shadow IT to organizations:

  • No IT control means software may remain unpatched or misconfigured (e.g., with weak passwords), exposing users and corporate data to attacks
  • No enterprise-grade antimalware or other security solutions protecting shadow IT assets or corporate networks
  • No ability to control accidental or deliberate data leaks/sharing
  • Compliance and auditing challenges
  • Exposure to data loss, as shadow IT apps and data will not be covered by corporate back-up processes
  • Financial and reputational damage stemming from a serious security breach

How to tackle shadow IT

The first stage is understanding the potential scale of the threat. IT teams must be under no illusions that shadow IT is widespread, and could be a serious risk. But it can be mitigated. Consider the following:

  • Design a comprehensive policy for dealing with shadow IT, including a clearly communicated list of approved and non-approved software and hardware, and a process for seeking approval
  • Encourage transparency among employees by educating them about the potential impact of shadow IT and initiating an honest two-way dialog
  • Listen and adapt policies based on employee feedback about what tools work and which don’t. It may be time to revisit policies for the new hybrid working era to better balance security and convenience
  • Use monitoring tools to track down shadow IT use in the enterprise and any risky activity, and take appropriate action with persistent offenders

Shadow IT expands the corporate attack surface and invites cyber-risk. But it’s grown to the size it has because current tooling and policies are often seen as overly restrictive. Fixing it will require IT to adapt its own culture to engage closer with the general workforce.