The UK’s National Cyber Security Centre (NCSC) has released new guidance for system owners and technical staff on how to manage shadow IT in their organization.
Shadow IT refers to the devices and services that employees use for work without the IT department knowing. They could include smart devices, servers, virtual machines, cloud storage and unapproved messaging or collaboration tools.
“Since these are not accounted for by asset management, nor aligned with corporate IT processes or policy, they’re a risk to your organization,” the document warns. “This could result in the exfiltration of sensitive data, or spread malware throughout the organization.”
Given the potentially serious repercussions of shadow IT, technical teams should focus on finding where it exists in the organization and addressing the underlying causes of it, the NCSC argued.
“It’s important to acknowledge that shadow IT is rarely the result of malicious intent. It’s normally due to staff struggling to use sanctioned tools or processes to complete a specific task,” explained NCSC security researcher Simon B.
“If they’re resorting to insecure workarounds in order to ‘get the job done’, then this suggests that existing policies need refining so that staff aren’t compelled to make use of shadow IT solutions.”
In fact, reprimanding staff for using unsanctioned devices or services can seriously backfire, the NCSC warned.
“If you blame or punish staff, their peers will be reluctant to tell you about their own unsanctioned practices, and you’ll have even less visibility of the potential risks,” Simon B added.
“For this reason, the guidance also points out the importance of developing a good cybersecurity culture, so that staff will be able to communicate openly about issues (including where current policy or processes are preventing them from working effectively).”
The document shares both organizational mitigations and technical solutions to the shadow IT challenge. The latter includes network access controls, asset management, network scanners, unified endpoint management and Cloud Access Security Broker (CASB) tools.
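The discovery side of that list, network scanning reconciled against asset management, comes down to one question: which hosts are on the network that the register does not know about? The following is an added example, not code from the NCSC guidance. It reads a constructed discovery export (one "ip mac hostname" line per host, as a DHCP lease or ARP sweep might give), compares each MAC against a constructed asset register, and tags the leftovers with an illustrative OUI hint so a reviewer can tell a likely virtual machine from a likely personal phone. The OUI table and all hostnames are assumptions for the example.

```python
import re

# Constructed sample discovery output (not real data): one host per line in the
# shape "ip mac hostname". Comment and blank lines are tolerated.
DISCOVERED_HOSTS = """\
10.0.1.10 00:1A:2B:3C:4D:5E LAPTOP-ALICE
10.0.1.11 00:1a:2b:3c:4d:5f LAPTOP-BOB
10.0.1.42 b8:27:eb:12:34:56 raspberrypi
10.0.1.57 3c:22:fb:aa:bb:cc Alices-iPhone
10.0.1.80 00:0c:29:11:22:33 ubuntu-vm
# lines like this one are skipped

"""

# Constructed asset register keyed by MAC: what the CMDB / endpoint manager knows.
ASSET_REGISTER = {
    "00:1a:2b:3c:4d:5e": {"owner": "alice", "type": "corporate laptop"},
    "00:1A:2B:3C:4D:5F": {"owner": "bob", "type": "corporate laptop"},
}

# Illustrative OUI (first three octets) hints, an assumption for this example;
# resolve against the IEEE registry in real use.
OUI_HINTS = {
    "b8:27:eb": "Raspberry Pi (single-board computer)",
    "00:0c:29": "VMware (virtual machine)",
    "3c:22:fb": "Apple (phone/tablet)",
}

# IPv4, then a MAC with ':' or '-' separators, then a hostname token.
LINE_RE = re.compile(
    r"^(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})\s+(\S+)"
)


def norm_mac(mac: str) -> str:
    """Lower-case, colon-separated form so register and scan entries compare equal."""
    return mac.strip().lower().replace("-", ":")


def parse_discovered(text: str) -> list:
    """Turn the discovery export into host dicts; malformed lines are skipped, not fatal."""
    hosts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, mac, hostname = m.groups()
        hosts.append({"ip": ip, "mac": norm_mac(mac), "hostname": hostname})
    return hosts


def find_unregistered(hosts: list, register: dict) -> list:
    """Hosts seen on the network whose MAC is absent from the asset register."""
    known = {norm_mac(k) for k in register}
    findings = []
    for h in hosts:
        if h["mac"] in known:
            continue
        oui = h["mac"][:8]
        findings.append({**h, "vendor_hint": OUI_HINTS.get(oui, "unknown OUI")})
    return findings


def report(text: str = DISCOVERED_HOSTS, register: dict = ASSET_REGISTER) -> list:
    """Convenience wrapper: parse, reconcile, and return shadow IT candidates."""
    return find_unregistered(parse_discovered(text), register)


if __name__ == "__main__":
    for f in report():
        print(f"{f['ip']:<12} {f['mac']}  {f['hostname']:<16} {f['vendor_hint']}")
```

MAC addresses are normalised on both sides because registers exported from different tools disagree on case and separator, and a silent mismatch would hide exactly the device you are looking for. The output is a list of candidates for a conversation, not a list of offenders: in keeping with the guidance, the next step is to ask the owner what sanctioned tool failed them.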