Shadow IT
(OBJ 2.1)
What is Shadow IT?
-
Use of information technology systems, devices, software, applications, and services without explicit organizational approval.
-
IT-related projects that are managed outside of, and without the knowledge of, the IT department.
-
Includes anything from:
- Use of Personal Devices for Work Purposes
- Installation of Unapproved Software
- Use of Cloud Services That Have Not Been Approved by the Organization
Why does Shadow IT exist?
-
An organization's security posture is set too high or is too complex for business operations to occur without being negatively affected.
-
Example:
- The process to request a second monitor takes about 45 days, which is too long to bother with.
- I can just bring in a monitor of my own without the organization knowing; this is a Shadow IT device.
- This could introduce a whole range of vulnerabilities into the network without the user even realizing it.
-
Other Shadow IT device examples:
- USB Drive
- External Hard Drive
- Keyboard
- Wired Mouse
- Network Adapter
-
Shadow IT can lead to a lack of standardization across the network, which makes the management and strategic planning of your network much more complicated.
-
Problems can be harder to resolve due to the IT department's lack of awareness or understanding of the specific technology deployed by the user.
-
Example:
- A specific user downloads a piece of software to perform some kind of task
- The software includes some kind of malware
- It will be a challenge for the IT department to identify the root of the malware's spread
- Installation of web browser plugins and extensions can also represent a risk
-
Example:
- Using an external cloud storage service to store sensitive or company-related data
Bring Your Own Devices (BYOD)
-
Involves the use of personal devices for work purposes
-
Facilitates the rise of Shadow IT in many enterprise networks
-
Employees may use their personal laptops, smartphones or tablets on the network
-
Personal devices might not have the required protections that the department enforces on IT-owned devices
-
While Shadow IT can drive innovation and efficiency, it also poses substantial security risks, so organizations must try to strike a healthy balance by developing policies that allow for flexibility and innovation while also ensuring data security and compliance.