In our last article, we examined what Shadow IT is. In this article, we examine examples of it, and the specific risks that are posed to a business.
Types of Shadow IT
The following are the areas where Shadow IT is used most widely:
This is probably the most prevalent form. In this scenario, the employee completely disregards the software application(s) that they are mandated to use and instead uses the ones that they are most familiar with.
This occurs when an employee disregards the internal controls of the organisation that they work for and takes unauthorised actions in order to make quick decisions and get a job task done. An example of this is in the financial brokerage industry. A trader may completely bypass the steps that are required to digitally document and execute the trade, in order to make a quick but substantial profit.
Information Technology (IT) controls
This happens when an employee disregards or even disables the existing IT controls that are in place to protect the respective infrastructure. A typical example of this is when the employee completely removes the antimalware or antispyware software package that is installed on their workstation or company-issued wireless device.
It could be part of the security policy of the business or corporation that any new data coming in must first be uploaded, and from there analysed by creating custom queries. If an employee is in a huge time crunch, he or she may completely bypass this step and download and use some other Cloud-based tool in order to conduct this type of analysis in a much shorter period of time.
Application Programming Interfaces (APIs)
Many software application development projects are expected to be delivered on time, and even under budget. As a result, software developers are under enormous pressure. Instead of making use of the pre-established protocols for the development of the project, the developers could very well be tempted to use untested and insecure APIs from a third-party source in order to get the application delivered on time.
Networks and devices
This category is probably the second most prone to Shadow IT after the use of non-approved software applications. In this case, rather than logging in through the pre-established means detailed in the security policy of an organisation, the employee may just use a public Wi-Fi network (such as those found in Starbucks or Panera Bread) in order to launch the remote session from their computer to the corporate servers. Also, rather than using company-issued smartphones (which have the latest software patches and upgrades installed on them), the employee may just use their own personal smartphone in order to complete and execute daily job tasks. This is known as “Bring Your Own Device”, or “BYOD” for short, and will be examined in more detail in a future whitepaper.
Risks of Shadow IT
Although employees may think that it is advantageous to use the software applications that they are already accustomed to, there are several serious cybersecurity risks associated with this. They are as follows:
There is an increased risk of data loss
Because these software applications are being used without the knowledge of the IT staff, any information or data that the employee stores in them will not be backed up on a regular basis, if at all. If a cyberattack were to impact the business or corporation, this information/data will not be restored, and in the long run this could raise serious questions and even impact the bottom line. This phenomenon is also referred to as a “data silo.” For example, while the employee may not have malicious intent, keeping information and data to themselves can also lead to a huge disconnect between what they have and what other employees have legitimate access to. It is also important to keep in mind that businesses can spend quite a bit on rolling out new software applications, and because of that, they want to see a quick return on investment (ROI). This is best measured by how quickly employees adopt and start using them. But if one (or more) employees insist on using non-authorised software, this can greatly reduce the speed of realising a positive ROI.
Increased risk of backdoors being left open
When an IT department approves and deploys software applications, they very often go to great lengths to ensure that they are made as secure as possible. This process, in technical terms, is known as “hardening.” A lot of effort is taken so that there are no backdoors left behind through which a cyber attacker can easily and covertly penetrate. But when an employee uses a non-authorised software application package, there is no hardening that goes with it. Although he or she may feel confident that the application in question is safe, more than likely it is not. The probability is high that some backdoor is left open, and thus the organisation is exposed to the potential of a large-scale cyberattack.
Inefficiencies in the current business processes are introduced
When a new software application is deployed, the IT security team first tests it in what is known as a “sandbox environment.” This can be defined as follows:
“Sandboxing solutions provide companies with virtual environments that they can use to build, test, and deploy software. They have grown in popularity due to how accessible they are, the flexibility they provide, and the significant cost savings a company can realise by using them.” (SOURCE: 1).
In other words, it is a sterile testing environment that is completely isolated from the production environment of the rest of the company. The software application is first tested here to make sure that it is safe to use from a cybersecurity perspective, as well as to make sure it will work well alongside the other business and technical processes of the organisation. Once both of these have been deemed satisfactory, the new software application is then rolled out into the production environment of the business so that it can be used by all employees. But by using a non-approved software application, the employee puts the organisation at a huge risk that new inefficiencies and bottlenecks could be introduced into the existing processes, because it has not been tested.
New types of cybersecurity threats could be brought in
It is important to keep in mind that all the software applications that have been approved and deployed by the IT department will, at least in theory, be exposed to a regular software patch and firmware upgrade schedule. So at least from this perspective, this should decrease the probability of a cyber attacker penetrating one of these software packages. But unapproved software is not exposed to this regimen of receiving updates and patches. As a result, if a cyber attacker were ever to penetrate an employee’s workstation or wireless device and encounter any of these exposed software packages that are not “hardened” (as described previously), they could deploy all sorts of threat vectors, ranging from Malware to Trojan Horses to Spyware and even Ransomware. Worse yet, these could spread to the entire IT and network infrastructure of the business or organisation, just from this one infected workstation or wireless device.
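The types of Shadow IT listed above (non-approved applications, disabled IT controls, unapproved Cloud tools) and the unpatched-software risk described in this section are all things an IT department can look for in its own endpoint inventory. The following script is an added example and is not part of the original article or any product it mentions: it reconciles a constructed inventory snapshot against an approved-software catalogue, flags software outside the catalogue, flags workstations where the mandated antimalware agent is missing or disabled, and flags approved software that has fallen outside its patch window. Hostnames, application names, versions, dates and patch windows are all invented for illustration.

```python
"""Reconcile an endpoint software inventory against an approved-software list.

Constructed example data: hostnames, applications, dates and patch windows
below are invented for illustration and do not describe any real environment.
"""
from dataclasses import dataclass
from datetime import date

# Approved catalogue: application name -> maximum tolerated days since its
# last patch before it is considered outside the patch regimen (assumed values).
APPROVED_SOFTWARE = {
    "corp-trade-desk": 30,
    "corp-analytics": 30,
    "endpoint-protection": 7,
    "office-suite": 45,
}

# Date the report is run against (constructed).
REPORT_DATE = date(2024, 6, 1)


@dataclass
class InstalledApp:
    name: str
    version: str
    last_patched: date


@dataclass
class Endpoint:
    hostname: str
    apps: list
    protection_enabled: bool  # running state of the mandated antimalware agent


# Constructed inventory snapshot, as an asset-management agent might report it.
INVENTORY = [
    Endpoint("ws-fin-01", [
        InstalledApp("corp-trade-desk", "4.2", date(2024, 5, 20)),
        InstalledApp("endpoint-protection", "9.1", date(2024, 5, 28)),
        InstalledApp("quicknotes-free", "1.0", date(2023, 11, 2)),   # not in catalogue
    ], protection_enabled=True),
    Endpoint("ws-fin-02", [
        InstalledApp("corp-trade-desk", "4.2", date(2024, 2, 1)),    # patch window missed
        InstalledApp("office-suite", "16.3", date(2024, 5, 15)),
    ], protection_enabled=False),                                     # agent removed
    Endpoint("ws-dev-07", [
        InstalledApp("corp-analytics", "2.0", date(2024, 5, 25)),
        InstalledApp("cloud-sheet-sync", "3.4", date(2024, 5, 1)),   # unapproved Cloud tool
        InstalledApp("endpoint-protection", "9.1", date(2024, 5, 28)),
    ], protection_enabled=True),
]


def find_unapproved(inventory, approved=APPROVED_SOFTWARE):
    """Return (hostname, app name) pairs for software outside the approved list."""
    return [(ep.hostname, app.name) for ep in inventory for app in ep.apps
            if app.name not in approved]


def find_disabled_protection(inventory):
    """Return hostnames where the mandated antimalware agent is absent or disabled."""
    return [ep.hostname for ep in inventory
            if not ep.protection_enabled
            or not any(app.name == "endpoint-protection" for app in ep.apps)]


def find_stale_patches(inventory, as_of, approved=APPROVED_SOFTWARE):
    """Return (hostname, app name, days overdue) for approved apps past their window."""
    stale = []
    for ep in inventory:
        for app in ep.apps:
            if app.name in approved:
                age = (as_of - app.last_patched).days
                if age > approved[app.name]:
                    stale.append((ep.hostname, app.name, age - approved[app.name]))
    return stale


def shadow_it_report(inventory, as_of):
    """Combine the three checks into one report keyed by finding type."""
    return {
        "unapproved": find_unapproved(inventory),
        "protection_disabled": find_disabled_protection(inventory),
        "stale_patches": find_stale_patches(inventory, as_of),
    }


if __name__ == "__main__":
    for key, findings in shadow_it_report(INVENTORY, REPORT_DATE).items():
        print(f"{key}: {findings}")
```

Unapproved software is reported only by presence; its patch state is deliberately not evaluated, because it has no approved window to measure against, which is exactly the point the section makes. Disabling the agent and uninstalling it are treated as the same finding, since either leaves the workstation without the mandated control.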
Serious compliance issues
With the ever-changing cybersecurity threat landscape of today, many new laws and regulations have been introduced in order to hold businesses and corporations much more accountable than they ever used to be. This is reflected in the controls and safeguards they must implement and maintain on a constant basis, especially when it comes to the Personally Identifiable Information (also known as “PII”) of their customer base. It should be noted that some industries are much more heavily regulated in this respect, such as healthcare, which is subject to HIPAA. But despite this, all organisations can now be the target of an audit by the regulatory agencies. Of course, all the software applications that are being used will receive heavy scrutiny, especially as to whether they have been tested and are kept up to date with software patches and other relevant upgrades. If there are any violations in this regard, the organisation can be hit with serious fines and penalties. Because of this, when an employee uses non-approved software applications, they put the company at a far greater risk of being heavily penalised.
An increase in the level of third-party risks
If an employee downloads and uses a non-approved software application, this also heightens the chances of an unknown third party entering your IT and network infrastructure. For example, if an employee downloads a non-approved mobile application onto their work-related smartphone, this increases the probability that the company who developed this particular app can gain unauthorised access to your IT assets through a backdoor.
Our next article will examine a checklist that your business can use to see if you have been impacted by Shadow IT.
Ravi Das is a Cybersecurity Consultant and Business Development Specialist. He also does Cybersecurity Consulting through his private practice, RaviDas Tech, Inc. He also possesses the Certified in Cybersecurity (CC) cert from the ISC2.