Shadow IT: You Can’t Protect What You Can’t See

The democratization of IT means most users no longer have to beg, borrow or steal to get the technology they want. Anyone with a credit card and an internet connection can line up a cloud-based solution designed specifically for their team or their line of business—and many are doing so with no regard for security. Who should be responsible if something goes wrong?

“Many IT decisions are now distributed throughout the organization at the line-of-business level. From a security point of view, it’s a nightmare scenario,” says Larry Ponemon, founder of the Ponemon Institute, a technology research firm. “People at the business level may not have any knowledge at all about security, and they may be using these tools in ways that put the organization at great risk.” In fact, a recent Forbes Insights survey titled “Perception Gaps in Cyber Resilience: Where Are Your Blind Spots? finds that more than 1 in 5 organizations have experienced a cyber event due to an unsanctioned IT resource.

Executives say they are having a hard time keeping up with the explosion of unsanctioned devices, applications and software. Most organizations run more than 100 different applications, some as many as 1,000. But that number may be only a guess. The direct purchasing of software-as-a-service, personal and business applications and other unsanctioned software by individuals and business units makes it difficult for IT professionals to even know of all the technology or applications used in their organization. It therefore becomes extremely challenging to protect the entire universe of an organization’s data, systems and applications.

When business units can get whatever they need without the knowledge or approval of the IT team, it’s hard to maintain an effective cybersecurity program across the organization. This has played out first with the bring-your-own-device (BYOD) challenge in the smartphone era, then with the Internet of Things (IoT) and cloud services.

“There is always a tension between enterprise control and business unit flexibility,” says James Kaplan, partner and co-leader of IT infrastructure and cybersecurity at McKinsey. Many organizations have figured out either how to create effective enterprise utilities or how to create a high degree of scale and professionalism in each business unit.” This tension is particularly prevalent in companies with a lot of operational technology, such as a hospital, a rail line or a manufacturer, where “for very good reasons, you have all sorts of devices controlled by operational groups and not by IT,” says Kaplan. “But they’re very much a part of the organization’s network.”

The rollout of 5G will connect even more devices and endpoints to the enterprise network. By 2023, Gartner predicts that the number of endpoints managed by the average CIO will triple. Cybersecurity teams will need to prepare for the onslaught of IoT applications that will occur when 5G is widely available, says Steve Hunter, director for Asia Pacific and Japan at ForeScout, a device control platform. “The only way to secure the network is to know exactly what’s connected and how it’s being used. When business units can do this without IT assistance, gaining full visibility becomes complex,” he says. “It’s essential to shine a light into every dark corner of the network now to prevent visibility gaps in the future.”

Network monitoring is one way to see which applications are running and who is running them. Earl Perkins, Gartner research vice president, recommends rolling out an asset discovery, tracking and management program—especially at the start of any IoT project. Organizations can also develop guidelines for devices, cloud services and third-party applications as well as restricted access to some insecure third-party applications—a black list of insecure devices, applications and cloud services.

A zero-trust policy for anyone attempting to log in is another option, especially for sensitive parts of the network. As more devices connect to multiple users, Merritt Maxim, vice president and research director at Forrester Research, suggests shifting the security focus to identity-level control rather than device-level control. By making each user authenticate, rather than setting a standard password for each device, organizations can understand usage patterns and better protect against vulnerabilities and improper use. In the future, more organizations may turn to machine learning to flag unusual log-in attempts.

The Forbes Insights survey finds divided opinions on who should be responsible for shadow IT: the users themselves, the IT department, or the vendors and developers of each application. The problem is when no one takes responsibility.

Ultimately, the only way to improve security for shadow IT is a combination of helping users become more aware and responsive to the potential risks and vulnerabilities of all the technology they use to interact with enterprise systems, as well as deploying more failsafe measures, such as those described above. Organizations should also understand the security protocols for application vendors and developers. Security and disaster recovery teams should include known critical shadow IT in their threat assessments.

“There are a lot of turf issues when it comes to shadow IT,” explains Ponemon. “There are decisions made that can really influence other business units, and there’s not a lot of information sharing that goes on.”

“To conquer resilience issues in the world of shadow IT requires more collaboration internally, not making the line of business the bad guy,” he explains. Users and line-of-business managers need to be part of an overall resilience plan.

To learn more, read “Perception Gaps in Cyber Resilience: Where Are Your Blind Spots?

Forbes Insights is the strategic research and thought leadership practice of Forbes Media. By leveraging proprietary databases of senior-level executives in the Forbes c...