Cloud Hosting

Despite years of modernization initiatives, CISOs are still contending with an old-school problem: shadow IT, technology that operates within an enterprise but is not officially sanctioned or on the radar of the IT department. Unvetted software, services, and equipment can be nightmare fuel for a security team, potentially introducing a lurking host of vulnerabilities, entry points for bad actors, and malware.

In fact, it is as big a problem as ever and may even worsen. Consider the figures from research firm Gartner, which found that 41% of employees acquired, modified, or created technology outside of ITs visibility in 2022 and expects that number to climb to 75% by 2027. Meanwhile, the 2023 shadow IT and project management survey from technology review platform Capterra, found that 57% of small and midsize businesses have had high-impact shadow IT efforts occurring outside the purview of their IT departments.

Experts say that a shift in what comprises shadow IT and who is responsible for it is driving such statistics. In the early days, shadow IT might have been an unsanctioned server that a developer set up for skunk works. Later, it was systems implemented by business unit leaders without IT involvement because they favored a particular vendor or application over the one deployed and maintained by IT.

Although those earlier forms of shadow IT created risk, the main worries in such examples were additional work and costs that the extra systems added to the organizations technology bill as well as the inevitable absorption of the shadow systems into the official IT department portfolio.

Today, shadow IT is broader and more pervasive, and its being brought into the organization by a growing number of employees who are capable of quickly and easily launching tech products and services for their workplace needs without consulting IT or the security team.

Shadow IT is back, and its back in a big way. But its different today. Its individual employees creating, acquiring, and adapting technology for work. These people have become technologists, says Chris Mixter, a research vice president with Gartner. Now shadow IT is like 10,000 flowers blooming. And you cant stop it. You cant say to the employees, Stop doing that, because you as security dont even know what theyre doing.

A mix of tech products and services constitutes shadow IT today. IT can still be comprised of a few unauthorized servers tucked away somewhere, but the ease of operation of modern software means its more likely to be made up of more substantial and pervasive technology deployments. Cloud-based and software-as-a-service applications set up by a business unit or even a single employee are common culprits.

Cloud has made shadow IT easier to exist because in the past when you used to have to procure hardware and know how to get a network connection, there was a barrier to entry. Cloud has lowered that barrier, says Joe Nocera, leader of the Cyber & Privacy Innovation Institute at professional services firm PwC.

Of course, the cloud isnt the only factor in todays shadow IT. The ease of deploying internet of things (IoT) components and other endpoint devices also contributes to the problem.

Undocumented, non-tracked third-party application programming interfaces (APIs) are another type of shadow IT that has become common within many organizations. A May 2023 report from tech company Cequence Security found that 68% of the organizations analyzed had exposed shadow APIs.

The ease of accessing cloud resources is certainly a contributing factor to the proliferation of shadow IT today. You have all these things where all you need [to deploy them] is a credit card or not, sometimes theyre just free, says Raffi Jamgotchian, CEO of Triada Networks, an IT and cybersecurity services firm. That ease of access, however, belies the serious risks that shadow IT now presents.

Jamgotchian says workers typically dont know whether or what security layers the applications theyre buying have or whether anything needs to be added to them to make them secure. Then, to make things worse, theyre often putting sensitive data into these applications to get their work done.

As a result, these workers are creating entry points that hackers can use to access the enterprise IT environment to launch all sorts of attacks. Theyre also exposing proprietary data to leaks and possible theft. And theyre possibly violating data security and privacy regulatory requirements in the process.

Jamgotchian worked with one company fined by a regulatory agency because the apps being used by workers did not adequately secure and archive data as required by law; in that case, the companys manager had given workers tacit approval to download and work with apps outside ITs (and, thus, the security departments) view, which resulted in the compliance violation.

Furthermore, experts say shadow IT greatly increases the chances that products and services as well as the vendors selling them are excluded from any due diligence review, as IT and security are excluded from the selection process. This is part of the challenge when people are using these applications without asking if theyre from a trusted vendor, says Joseph Nwankpa, an associate professor of information systems and analytics at Miami Universitys Farmer School of Business.

The resulting cybersecurity risks are significant. Take the findings from a 2022 report by Cequence Security that noted 5 billion of the 16.7 billion malicious requests observed, or 31%, targeted unknown, unmanaged, and unprotected APIs. Capterras 2023 study found that 76% of the responding small and medium-sized businesses reported that shadow IT efforts posed moderate to severe cybersecurity threats to the business.

And Gartner found that business technologists, those business unit employees who create and bring in new technologies, are 1.8 times more likely than other employees to behave insecurely across all behaviors.

Cloud has made it very easy for everyone to get the tools they want but the really bad thing is there is no security review, so its creating an extraordinary risk to most businesses, and many dont even know its happening, says Candy Alexander, CISO at NeuEon and president of Information Systems Security Association (ISSA) International.

To minimize the risks of shadow IT, CISOs need to first understand the scope of the situation within their enterprise. You have to be aware of how much it has spread in your company, says Pierre-Martin Tardif, a cybersecurity professor at Universit de Sherbrooke and a member of the Emerging Trends Working Group with the professional IT governance association ISACA. Technologies such as SaaS management tools, data loss prevention solutions, and scanning capabilities all help identify unsanctioned applications and devices within the enterprise.

Jon France, CISO at (ISC), a nonprofit training and certification organization, says he advises CISOs to also work with their organizations procurement team and finance department to spot spending that could point to shadow IT. He says scanning worker expense reports is particularly useful in uncovering shadow IT because it helps find reimbursement requests for tech spending that is too small to go through the procurement process.

France and others say CISOs also need to educate workers on security risks posed by shadow IT, but temper expectations on how well that awareness training will help prevent it, Mixter says. He says most workers know the security risks theyre creating but move forward with their plans anyway: Gartner research shows that 69% of employees intentionally bypassed cybersecurity guidance in the last 12 months.

Mixter says workers who deploy shadow IT arent malicious in their activities. Rather, they are trying to get their job done more efficiently and looking for tools to help them accomplish that goal. This is why, in addition to awareness training, CISOs should work to empower them by building up their security competence.

CISOs need to shift to competence building, to Let me help you figure out how to do that safely, Mixter says. According to Mixter, that means:

CISOs have to figure out how much security skill they need, understanding that they cant make everyone into a security specialist so they must determine what is the minimum competency they need, Mixter says.

That work pays off, he adds. Gartner has found that those with training targeted to their technology-related activities are more are 2.5 times more likely to avoid introducing additional cyber risk and more than twice as likely to move faster than those business technologists without such training.

View original post here:
Shadow IT is increasing and so are the associated security risks - CSO Online