How shadow IT puts businesses at risk
4 MINUTE READ
Alongside their official network, virtually all companies now have an ‘invisible network’ which consists of ties to various different cloud services that IT and security departments do not know about.
This invisible network is commonly referred to as shadow IT. It arises on an informal basis when employees access cloud services without prior approval. These services may include things like cloud data storage, online application, social media and other websites of every description.
It is true that many services accessed in this informal way do provide a benefit. According to Infosec Island shadow IT contributes a 20% gain in productivity in companies that migrate their operations to the cloud. However, as we will explore in this post, this parallel network exposes businesses to a whole host of security risks.
An increased number of hazards
Shadow IT makes life more difficult for security teams. Not only does it create more possible attack vectors, it also significantly alters the structure of the connections that security teams must monitor in order to safeguard both operations and data.
Traditionally, security teams focused almost all of their attention on incoming traffic. In many instances, they had to actually physically guard IT infrastructure against trespassers or intruders. However, their primary role was to lookout for malicious traffic trying to slip past a malware detector.
While security teams of the past did have think about malicious or careless employee behaviour, these concerns tended to be fairly limited in their scope. For example taking confidential work home on a USB and losing it somewhere.
Today, the scope of these concerns is considerably broader. The potential hazards of outgoing traffic have increased as more data leaves local networks for external storage. It is now all too easy for teams with little understanding of cloud security to open up accounts with services such as Dropbox to store sensitive information without even thinking to notify IT.
Shadow IT needs governance
Having to monitor outgoing as well as incoming traffic is a real challenge due to the sheer volume of information that must be evaluated. Commonly used security tools such as signature analysis to identify malware analysis to identify malware are not up to job.
There is clearly a need for better, automated tools which can give security teams a more comprehensive view into outgoing traffic. But perhaps even more importantly companies need to develop policies to govern the proliferation of the unsanctioned cloud connections that make up shadow IT. According to a risk report published by cloud security company, Skyhigh Networks, even though around 60% of companies have reported introducing a cloud policy, hardly any had an effective way of enforcing it.
As noted in the Infosec Island article, “Roughly two-thirds of services that employees attempt to access are allowed based on policy settings, but most enterprises are still struggling to enforce blocking policies for the one-third in the remaining category that were deemed inappropriate for corporate use due to their high risk.”
When it comes to tackling the problem of shadow IT the first thing companies must do is take the time to define their acceptable use policies for cloud-based services. With this set of guidelines to hand, employees can then be trained on the details of the policy and how they can achieve compliance within their own department. It should be made clear that seemingly harmless interactions with cloud services can open up the business to serious risks.
Discuss this post in Venturi’s Voice Slack Group
To browse our latest jobs, click here