What lurks behind Shadow IT?

Adiel Lizama
August 16, 2022
Image: Top 5 types of shadow IT in your organization and how to overcome them (2020, November 10). NetMotion Software. https://www.netmotionsoftware.com/blog/products-solutions/top-5-types-of-shadow-it-in-your-organization-and-how-to-overcome-them


In a work environment, Shadow IT can be defined as the use of applications or devices without the approval of the IT department. It is driven by the wish to get our daily tasks done in a more convenient or faster way: when looking for a tool, many of us feel more comfortable using the applications we already know from personal use, which seem simpler and more efficient, and we set aside the procedures and approved applications recommended by the Security or IT team. For the departments responsible for monitoring and preserving network security, Shadow IT is a risk vector; for the rest of the employees it is an alternative that lets them work faster and with less friction, so they focus on the benefits without looking at the problems it may cause.

Source: https://www.cloudflare.com/learning/access-management/what-is-shadow-it/

Some Examples

Cloud storage:

One of the most common Shadow IT incidents occurs when we have to send very large files by email. When we exceed the size limit of the mail service, we turn to a cloud storage service, often with a personal account. This creates a risk of information leakage or unauthorized access to the data, because the company has no control over who the file is shared with, where it is stored or when it is deleted.

Instant messaging:

Another common bad practice is using instant messaging applications such as WhatsApp or the chat feature of our social network of choice. Because these are personal services they can certainly be faster when we need a prompt answer from a customer or another department. However, an instant messaging app that has not been approved by the IT team is not monitored, so the user is exposed to threats (for example, malicious links or files that no corporate filter has inspected) that can compromise the integrity of their computer and/or their information.

Hardware:

A point that is less common than the previous ones but raises the same concerns. It covers modifications to work equipment, unauthorized external storage devices, and the use of our personal devices to do our work, the last being the most common. BYOD (Bring Your Own Device) means using personal devices, usually mobile phones, for work. BYOD can benefit the company, since it saves money and in many cases improves user productivity, but without adequate security controls (such as device enrollment, encryption and the ability to wipe company data from a lost device) it can be risky for both the user and the company.

Risks

The risk lies in the fact that many personal-use applications are not regulated or monitored by the responsible department. Even if they are not risky in themselves, they can expose user or customer information, which is a major problem, especially when that information is regulated, for example in the financial or health sectors. An RSA study shows that 63% of employees use personal accounts to send documents to each other in order to keep working from home.

Another risk is loss of information, which can occur when an employee leaves the company: it will be difficult to recover the work they were doing if they were in the habit of using unauthorized applications to communicate and/or store information, since that data lives in accounts the company cannot access.

Conclusion

Shadow IT occurs when applications are used without prior authorization. The point I want to stress is that the problem is not the applications or devices themselves; it lies in using them without the explicit consent of the department responsible for safeguarding the security of users, infrastructure and information, all of which can easily be compromised if this bad practice is allowed to continue. Limiting users' permission to install applications on their own is one of the measures commonly taken, but it is not enough by itself, because most of the cloud applications we have access to today run in the browser and need no installation at all. It has to be complemented with training based on risk awareness: users must understand the procedure laid down for the safe use of applications, and why it exists.
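Because install restrictions do not reach browser-based cloud services, the usual complement is to discover them from the egress traffic the company already logs (proxy or DNS). The following script is an added example, not code from the original post: it scans a constructed, hypothetical proxy log format (timestamp, user, source IP, method, host, bytes), ignores hosts on a hypothetical allowlist of sanctioned services, and flags connections to unsanctioned cloud storage and instant messaging domains, the two categories discussed above, together with per-user byte totals so that a large transfer to a personal storage account stands out. The allowlist and the category suffix lists are illustrative and would come from the organization's own approved-app register and a URL-category feed in practice.

```python
"""Shadow IT discovery from egress proxy logs.

Added example: this is not code from the original post. The log format,
the allowlist and the category suffix lists are constructed for the
demonstration and would be replaced by a real proxy/DNS export and the
organization's own list of sanctioned services.
"""
import re
from collections import defaultdict

# Constructed sample log. Hypothetical format, one line per CONNECT:
#   <timestamp> <user> <source-ip> <method> <host>[:port] <bytes>
# The last line is deliberately malformed to show it is skipped, not fatal.
SAMPLE_LOG = """\
2022-08-16T09:01:12Z alice 10.0.1.15 CONNECT sharepoint.example.com:443 20411
2022-08-16T09:02:40Z alice 10.0.1.15 CONNECT drive.google.com:443 7340032
2022-08-16T09:03:05Z bob 10.0.1.22 CONNECT web.whatsapp.com:443 5120
2022-08-16T09:04:50Z bob 10.0.1.22 CONNECT teams.microsoft.com:443 128000
2022-08-16T09:06:18Z carol 10.0.1.31 CONNECT www.dropbox.com:443 52428800
2022-08-16T09:07:02Z carol 10.0.1.31 CONNECT api.github.com:443 2048
2022-08-16T09:08:44Z alice 10.0.1.15 CONNECT content.dropboxapi.com:443 4194304
2022-08-16T09:09:00Z dave 10.0.1.40 CONNECT
"""

# Hypothetical allowlist of services the IT/security team has approved.
SANCTIONED = {"sharepoint.example.com", "teams.microsoft.com", "api.github.com"}

# Hypothetical category lists, matched as domain suffixes. A real deployment
# would pull these from a CASB or URL-category feed rather than hard-code them.
CATEGORIES = {
    "cloud storage": ("drive.google.com", "dropbox.com", "dropboxapi.com",
                      "wetransfer.com", "mega.nz"),
    "instant messaging": ("whatsapp.com", "web.telegram.org", "discord.com"),
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<src>\S+) (?P<method>\S+) "
    r"(?P<host>[^:\s]+)(?::(?P<port>\d+))? (?P<bytes>\d+)$"
)


def parse_line(line):
    """Return a dict of fields, or None for a malformed line (skipped, not crashed on)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["host"] = rec["host"].lower()
    rec["bytes"] = int(rec["bytes"])
    return rec


def host_matches(host, suffix):
    """Exact or subdomain match, so 'evil-dropbox.com' does not match 'dropbox.com'."""
    return host == suffix or host.endswith("." + suffix)


def classify(host):
    """Category name for an unsanctioned known service, else None."""
    if host in SANCTIONED:
        return None
    for category, suffixes in CATEGORIES.items():
        if any(host_matches(host, s) for s in suffixes):
            return category
    return None


def find_shadow_it(log_text, large_bytes=1_000_000):
    """Scan log text; return flagged connections and per-user/category byte totals.

    large_bytes marks tunnels that moved enough data to look like a file
    transfer rather than a page load. It is a heuristic: a CONNECT byte
    count does not say which direction the data went.
    """
    findings = []
    totals = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        category = classify(rec["host"])
        if category is None:
            continue
        findings.append({
            "user": rec["user"],
            "host": rec["host"],
            "category": category,
            "bytes": rec["bytes"],
            "large_transfer": rec["bytes"] >= large_bytes,
        })
        totals[(rec["user"], category)] += rec["bytes"]
    return {"findings": findings, "totals": dict(totals)}


if __name__ == "__main__":
    report = find_shadow_it(SAMPLE_LOG)
    for f in report["findings"]:
        flag = " (large transfer)" if f["large_transfer"] else ""
        print(f"{f['user']:6} {f['category']:18} {f['host']:28} {f['bytes']:>10}{flag}")
    for (user, category), total in sorted(report["totals"].items()):
        print(f"total {user} {category}: {total} bytes")
```

Two caveats when reading the output. The scan only sees traffic that actually passes through the logged proxy, so a personal phone on mobile data (the BYOD case above) or a client that tunnels around the proxy is invisible to it, which is why the inventory it produces should feed the awareness training rather than replace it. And a hit is a conversation starter, not proof of wrongdoing: the useful follow-up is to find out which task pushed the user to the unsanctioned tool and whether the sanctioned alternative actually covers it.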

Adiel Lizama

Junior Security Engineer

References

Alvarenga, G. (2022, April 22). What is Shadow IT? CrowdStrike. https://www.crowdstrike.com/cybersecurity-101/cloud-security/shadow-it/#:~:text=Shadow%20IT%20is%20the%20unauthorized,supported%20by%20the%20IT%20department.

Barbosa, D. C. (2020, August 20). Shadow IT: qué es y cuáles son los riesgos que puede causar a una empresa [Shadow IT: what it is and what risks it can pose to a company]. WeLiveSecurity. https://www.welivesecurity.com/la-es/2020/08/20/shadow-it-que-es-riesgos-puede-causar-empresa/

Forcepoint. (n.d.). What is Shadow IT? Forcepoint Cyber Edu. https://www.forcepoint.com/cyber-edu/shadow-it#:~:text=Shadow%20IT%20is%20the%20use,cloud%2Dbased%20applications%20and%20services.

Perrin-Monlouis, P. (2021, October 20). The Untold Insider Threat: Office Workers Confess to Everyday Behavior that Places Sensitive Information at Risk. Edubourse. https://edubourse.com/finance-actualites-actu-34403/

What is Shadow IT and can it be a problem within your organization? (2021, July 22). Systems Engineering. https://blog.systemsengineering.com/blog/what-is-shadow-it-and-can-it-be-a-problem-within-your-organization
