What is Shadow IT?
Shadow IT is the use of IT-related hardware or software by a department or individual without the knowledge of the IT or security group within an organization. It can encompass cloud services, software, and hardware. For several reasons, business and IT/security groups are more at odds than ever before over whether Shadow IT should be considered friend or foe. Let’s look at why this is happening and how application discovery and control can serve as the mediating technology to help reconcile these different perspectives.
The business perspective on Shadow IT
Once thought of as a casual friend, Shadow IT has become a best friend forever across many lines of business. Purchasing and adopting SaaS applications is now an easy task for individuals at home or in the office, and with the continued decentralization of technology decisions, many groups are doing their own thing. This is occurring because business leaders are taking a more active role in technology to align projects more closely with their line-of-business objectives and to achieve faster time to value. In fact, according to IDC, more than 50 percent of technology budgets now sit outside of IT.1
Digital transformation stands out as one of the main driving forces behind Shadow IT acceleration. Digital transformation requirements are often driven by speed and agility concerns, with security considerations a minor or even missing part of the process. Only 37 percent of CIOs and 24 percent of CISOs are involved in directing efforts to ensure a secure digital transformation process.2
The IT/Security perspective on Shadow IT
IT and security departments often view Shadow IT as one of their worst enemies. Serious security gaps frequently result because they don’t know what services and applications are being adopted across their organization. Consider that more than one in five organizations have experienced a cyber event due to an unsanctioned IT resource.3 Eighty-two percent of IT security and C-level respondents have experienced at least one data breach specifically due to a digital transformation initiative.4
But here’s the rub. While Shadow IT makes it easier for employees to do their jobs, it also makes it easier for attackers to do theirs. Using unsanctioned applications amplifies exposure to threats. Shadow IT resources such as cloud storage applications increase the potential for malware infections. Without adequate security and compliance with laws and regulations, sensitive data is more vulnerable to leakage and theft.
Striking the right balance
So, how do IT and security leaders keep their business safe when Shadow IT is so widespread and risky? Trying to kill Shadow IT completely isn’t a wise option. Many line-of-business leaders view it as an essential ally for effectively executing mission-critical business strategies such as digital transformation. And remember that when someone attacks a friend (in this case, Shadow IT), the attacker often gets attacked.
Securing Shadow IT is a much better case to put forth than restricting Shadow IT. Implementing these three simple steps with App Discovery and control can help make Shadow IT more secure:
- Gain complete visibility into application use across locations and users
- Assess the extent of shadow IT risk in your organization
- Optimize and reduce risk with a combination of enablement and control
You’ll also need to protect your data, including where it’s stored. Cisco Umbrella data loss prevention (DLP) helps organizations reduce the risk of sensitive data exfiltration and defend against losses of customer data, intellectual property, or other types of sensitive information. With Cisco Umbrella cloud malware detection, organizations can additionally scan cloud file storage repositories, detect cloud malware, and delete or quarantine malicious files.
Interested in learning more about these steps? Download our new eBook called Secure Shadow IT: Protect your digital transformation with Cisco Umbrella.
1 IDC, Why the C-Suite Must Be the Digital Dream Team in the Future Enterprise, March 2021
2 Ponemon Institute, Digital Transformation & Cyber Risk: What You Need to Know to Stay Safe, June 2020
3 Forbes Insights, Perception Gaps in Cyber Resilience: Where Are Your Blind Spots? The hidden risks of shadow IT, cloud and cyber insurance
4 Ponemon Institute, Digital Transformation & Cyber Risk: What You Need to Know to Stay Safe, June 2020
5 TNW, Why Shadow IT is the next looming cybersecurity threat, April 2019