When Fujitsu’s accidental data breach came to light earlier this year it should have been a warning to all organisations about the dangers of shadow IT. It wasn’t even a case of it being just a momentary lapse, either – AWS keys, customer information, and passwords had all been exposed for over a year.
Shadow IT is often characterised by employees using unauthorised IT tools, software, applications or services, and when you consider the wide range of options available today, enterprises can find it extremely difficult to prevent such incidents happening. Despite having seemingly robust cyber defences, the incident demonstrated just how much of a growing menace shadow IT really is, especially for dispersed organisations.
Keeping track of data and where information is stored gets harder when it becomes more fragmented, with users scattered across different locations, made worse by large numbers of remote contractors and third parties who let’s not forget need monitoring too.
Spills such as this can be a goldmine for cybercriminals if they get there first, but it can also lead to regulatory investigation along with substantial fines, reputational damage, loss of business, and even lawsuits. However, minimising, if not eliminating, shadow IT takes a concerted and ongoing effort. For those instances that fall through the cracks there are tools and services to help with detection. But what really helps more than anything is ensuring there are clear usage policies and processes in place which employees are aware of, buy into, and follow to the letter; while you won’t be able to support everyone’s suggestions and preferences, having broad consensus among those doing the work is never a bad thing – having that buy in often makes the difference in stopping people reaching out to unapproved sources.
Enhance Collaboration with Developers and Contractors
Developers often have preferred tools and vendors that they are accustomed to using. What’s more, they may have even become accustomed to using them in a particular (sometimes insecure) way that doesn’t align with your own current security procedures. It’s rare someone purposefully goes out of their way to go against company policy without reason, and that reason might well be frustration with workflow, delays caused by inefficient tooling, or a perceived lack of support from IT or management that leads to their use of alternatives.
As a result one must firstly ensure policies are communicated effectively with all employees (temporary or permanent) and any gripes about restrictions are properly, and respectfully, addressed; there may be a better way to do something after all! If you are the one implementing the policy, speak to the ones doing the work first – including them in the decision will wipe out half the battle. Don’t get me wrong – I speak to my team all the time when defining new services, and let’s not dress it up, some ideas are truly terrible. Every now and then though you strike gold.
The aim is not to inhibit productivity. Code repositories for development and collaboration are valuable tools, if sanctioned and deployed properly. GitHub, for example, has its own robust security features, including two-factor authentication, granular access management, and encryption, as well as scanning capabilities to detect vulnerabilities within coding projects. It just needs to be set up and used correctly.
Nevertheless, confidentiality should always be the default position. Sharing and making code accessible must be controlled and follow strict procedures. It should never be made available in the public domain unless all due diligence checks have been carried out – there are also point blank too many projects floating about in public space that simply do not need to be. Keep them private!
Shadow IT in all departments
Look, I’ll level with you. Developers often get so much stick for this, but the reality is the issue of shadow IT is far more widespread. Other business users across departments also find workarounds to improve efficiency or solve problems without involving IT. This can range from using personal cloud storage for work files to creating financial reports or marketing spreadsheets with unsanctioned applications and with 101 AI helpers out there, the reality of one’s corporate data spattering around cyberspace is all too real.
Additionally, senior managers may authorise purchases of software or cloud services without IT’s knowledge to handle specific business needs quickly. Then there are third parties, consultants and suppliers who might introduce unauthorised tools and systems for one-off project requirements. All of these pose risks if they go unchecked.
Addressing governance around development projects and providing comprehensive training to all departments about the dangers of shadow IT is a must. But organisations will still need to adopt other security measures to deal with those instances that will inevitably slip through the net.
Tracking down spills
Network tools (firewalls/proxies) can in part be useful to highlight large or unusual patterns of data transfers and exfiltration attempts to outside of the organisation at the border, although the age-old question of who exactly is monitoring usage has to be considered. Using threat intelligence and scanning services to monitor public locations commonly used by an organisation can also help ensure appropriate security protocols are being maintained when new repositories are initiated.
However, don’t forget that external security researchers and ethical hackers can also be on your side and can help to discover hidden issues. Simple solutions like setting up a monitored inbox or a web form can enable both internal staff and third parties to report any instance they find directly to the security team. Better still, a bug bounty program, providing financial rewards, will incentivise the ethical hacking community to find and report vulnerabilities and data spills proactively. If it’s not easy to report, and there is no incentive, then simply put it’s not going to happen.
Through a mix of employee awareness and monitoring, both internal and externally, organisations can take steps to reduce the impact of shadow IT. But it does require ongoing vigilance and recognition that it is a widespread issue. Otherwise, the consequence of using an unapproved tool today could easily rear its head sometime in the future. And without a multipronged approach to curb the shadow habit, the possibility of sensitive data, code, or customer information accidentally ending up in the wrong hands is increasingly likely.
