More than 40% of file-sharing traffic is now going through unapproved services, Awake reports. Here’s why you need to be aware of shadow IT within your business

For network administrators, 2020 was a rollercoaster year. Back when the first work-from-home (WFH) orders were issued last spring, there was panic that corporate networks were simply not configured to be used by remote workers safely en masse. Then came the summer and fall. There was a period of respite and faint hope; it seemed that many employees understood the principles of network security and had become familiar with how to work safely at home.

Now, as we are immersed in another year of the pandemic — and another year where many employees will work from home — comes a horrible realization. The reason why there were so few help desk calls in the last few months wasn’t because employees have learned how to use remote work systems. Rather, it is because they’ve learned how to get around them using shadow IT.

Awake reports that the use of unauthorized “remote access tools increased by 75% from January to March” in 2020, and that this surge in shadow IT usage can be attributed to COVID-19-related alterations to work routines. This is likely because employees turn to unauthorized third-party software to do their jobs remotely.

In this article, I’ll argue that instead of representing a crisis, this development is an opportunity for businesses. If we use this year correctly, we can rethink how we approach shadow IT and make enterprise networks more secure than they have ever been.

Let’s hash it out.

Why Shadow IT Is a Concern for Businesses

Figure: An example of someone installing unauthorized software (shadow IT) onto their work device.

First, let’s get some definitions out of the way for those readers who may be new to network security and its sometimes obtuse nomenclature. As we explain in our article defining shadow IT:

“When your employees use software or hardware at work that your IT or security team is unaware of – that’s shadow IT. Calling the use of these tools ‘unsanctioned’ might be a bit strong, but either way, employees have neglected to go through the proper channels and notify the right parties.”

Some examples of shadow IT include:

  • Cloud storage services such as Google Drive and Dropbox. Employees commonly use these to store corporate data (knowingly or otherwise).
  • Commonly used workplace productivity apps. Some examples include programs like Trello, Slack, and Asana.
  • Chat and communication apps. This can include apps such as WhatsApp, Zoom, Skype, and any other VoIP software.
  • Employees’ own physical devices. This isn’t limited to just flash drives and external drives; it also includes the hard drives within their personal devices.

Let’s also point out, right from the get-go, that shadow IT has become a huge problem for enterprise cybersecurity. The truth of the matter is that most companies are extremely bad at protecting their infrastructure from access by unauthorized programs. Shadow IT remains one of the most persistent security threats faced by enterprise networks — pandemic or not.

The risks associated with shadow IT are wide-ranging but can be broken into four main areas:

  1. Software asset management (SAM): Ideally, administrators will have oversight and control over all of the software used within their organization. Widespread use of shadow IT makes this all but impossible.
  2. Compliance: Companies can spend many months, and huge amounts of money, reaching compliance with data privacy, security, and management frameworks. A single insecure shadow IT system can undermine this work, and risk fines for non-compliance.
  3. Testing: Shadow IT systems and devices might be incompatible with existing, approved systems, and can even lead to system failures if used alongside them. 
  4. Configuration management: Creating a configuration management database (CMDB) is a large portion of most system administrators’ jobs. Using shadow IT systems can make cross-platform configuration impossible, which can, in turn, lead to security vulnerabilities.
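
How much traffic goes to unapproved services, and which users send it, can be measured from web proxy logs. The sketch below is an added example, not part of the original article: the log format, the domain map, and the sanctioned list are assumptions, and the log lines are constructed.

```python
from collections import defaultdict

# Assumed domain -> (service, category) map for services the article names.
SERVICES = {
    "drive.google.com": ("Google Drive", "file-sharing"),
    "dropbox.com": ("Dropbox", "file-sharing"),
    "trello.com": ("Trello", "productivity"),
    "slack.com": ("Slack", "productivity"),
    "whatsapp.com": ("WhatsApp", "chat"),
    "zoom.us": ("Zoom", "chat"),
}
SANCTIONED = {"Google Drive", "Slack"}  # hypothetical approved list

# Constructed sample proxy log, one request per line: user host bytes_out
SAMPLE_LOG = """\
alice drive.google.com 6000
bob www.dropbox.com 4000
carol app.slack.com 500
dave web.whatsapp.com 250
erin notdropbox.com 9999
truncated-line
"""

def classify(host):
    """Return (service, category), matching only on a DNS label boundary."""
    host = host.lower().rstrip(".")
    for domain, info in SERVICES.items():
        if host == domain or host.endswith("." + domain):
            return info
    return None

def shadow_report(log_text, sanctioned=SANCTIONED):
    """Per-category share of bytes sent to unsanctioned services, plus users."""
    total, shadow, users = defaultdict(int), defaultdict(int), defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue  # skip malformed records instead of failing the run
        user, host, size = parts[0], parts[1], int(parts[2])
        hit = classify(host)
        if hit is None:
            continue  # not a tracked service (including look-alike domains)
        service, category = hit
        total[category] += size
        if service not in sanctioned:
            shadow[category] += size
            users[service].add(user)
    share = {c: shadow[c] / total[c] for c in total}
    return share, dict(users)
```

Calling `shadow_report(SAMPLE_LOG)` returns the unsanctioned byte share per category and the set of users seen on each unsanctioned service, which gives administrators a starting point for a conversation about what the approved tools are missing.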

However, it’s also important to recognize why the use of shadow IT is spiking now and why employees are turning to unauthorized hardware and software. 

The truth is that IT operations staff bear a degree of culpability for the current spike in shadow IT usage. Back at the beginning of the pandemic, managers turned to IT staff to provide communications tools for newly remote employees. IT departments responded in the way they know best — expanding the user base of existing tools and systems, opening them up to external users.

Unfortunately, this didn’t always work. In many cases, systems designed for the occasional conference call between executives simply couldn’t deal with the expansion in network traffic and became too slow to be usable. In other situations, it was simply the lack of training (or the lack of time to deliver training) that meant that employees found these systems too complex or cumbersome for their everyday needs. 

Understandably, this led them to turn to third-party tools to keep in touch with work colleagues and make their jobs easier in other ways. 

But what can businesses do to help mitigate this issue? I’ve outlined a few steps you can take to help decrease reliance on shadow IT tools.

To Avoid Shadow Tools, Emphasize User Experience

Look at the rise in shadow IT this way and it starts to look like a usability problem rather than one that relates strictly to network security. In my view, IT staff have not fully understood why shadow IT has become such a prevalent issue. Staff techs are accustomed to complex systems and tend to think of the users they manage as being willfully mischievous.

Take, for example, staff who use iMessage to set up a corporate meeting rather than your bespoke internal communication tool. They are probably doing so because iMessage is simply easier to use than the secure alternative, or it offers functionalities that your more secure system doesn’t.

With this in mind, enterprise IT admins may need to change their approach. Instead of trying to limit access to insecure systems, we should instead focus on making secure systems more usable.

This is, in fact, an approach that is well developed in the consumer tech market. Many browsers now warn users about insecure login pages, for instance, rather than shutting off access to them entirely. Another approach to the problem can be seen in the conventional “wisdom” that claims that Macs don’t get viruses. Actually, they do, but Apple designers choose not to tell us about every virus they encounter and defeat – just those security risks that require user actions to remedy. The goal is to not badger users to the brink of insanity through repetitious warnings but rather empower them to interact with these systems in a secure way.

In practice, applying this kind of insight means implementing a number of approaches:

  • Focus on usability and function. This should form a principal part of your software acquisition and testing process. Instead of looking to just the technical abilities of a piece of software, end users should be consulted on whether it provides the functionalities they require.
  • Expand functionality through existing tools. Network admins should also seek to provide the widest functionality possible through existing tools while ensuring they’re used in a secure way. One way of doing this is to verify that access controls and privileges are properly assessed and implemented and provide an adequate level of functionality for each staff group.
  • Emphasize certificate management. Applying a more complex set of access and privilege controls might be difficult in large organizations. This is why, when it comes to managing SSL/TLS certificates and digital certificate keys, administrators should consider using a certificate management tool that gives them greater visibility into which certificates they have and where.

Post-Covid WFH Shadow IT: A Concern or Opportunity?