‘Shadow IT’, usually described as “information-technology systems and solutions built and used inside organizations without explicit organizational approval”, offers cyber-criminals an easy entry point into corporate systems and is now an urgent priority for most UK firms.
In 2016, Gartner predicted that by 2020, a third of attacks experienced by enterprises will have begun on poorly defended Shadow IT networks. Systems using advanced Artificial Intelligence (AI) software, which replicates human behavior to learn about how the people in an organization use data, can now understand and map network changes made on the fly.
Any new network elements that are randomly created outside of an established change control can now be properly managed and secured.
A major part of the problem is that for some years, consumer IT has been leading the IT industry, with innovation in business uses lagging significantly behind those in the consumer sector. Gaming, augmented and virtual reality, and a desire for truly mobile communications constantly drives the IT industry to produce greater efficiencies and conveniences based on technology.
This means that many staff, particularly those younger than 35 who were children of the digital age, are used to being their own IT managers. This makes them far more likely to download applications and software that have not been reviewed by the IT department, and they are also more likely to confuse professional IT functions with personal data usage.
The corporate world has added to the problem considerably by eagerly embracing social media in order to reach out to customers and colleagues, muddying the waters even further.
The final coup de grâce to corporate security was the introduction of truly mobile computing with the appearance of affordable smartphones and tablets almost a decade ago. Companies in developed economies have also exacerbated the problem with the widespread adoption of bring-your-own-device (BYOD) policies, which were primarily aimed at saving money.
The resulting blurring between personal and workplace IT functions has opened a Pandora’s Box of cybersecurity woes. Staff routinely download untested applications and open links from unverified sources.
Many also make extensive use of social media to communicate with both friends and work colleagues. Online professional networking can, of course, be hugely beneficial; but it must always be secured and monitored.
Europe’s General Data Protection Regulation (GDPR) has made tackling cybersecurity weaknesses resulting from Shadow IT and BYOD an urgent priority. For example, staff who have not received adequate security and/or privacy training might be tempted to use private Google Drive or Dropbox accounts or Microsoft Word Online to write or back up work documents.
All it takes for an organization to be in breach of GDPR is for a single member of staff to decide to back up a spreadsheet containing personal customer data on Dropbox.
The first step in dealing with this mushrooming problem is to identify exactly where and how staff are using unapproved IT and therefore putting the organization’s security and data assets at risk. This should not be carried out in the spirit of an inquisition: staff should not be blamed for reaching out to colleagues or for striving for new efficiencies and shortcuts in their daily labors.
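One concrete way to carry out that first step is to triage web-proxy logs for traffic to cloud-storage services that IT has not approved, and to single out uploads of spreadsheet or CSV content, since those are the files most likely to carry personal customer data. The script below is an added illustration, not part of the original article; the log lines, the domain-to-service map and the list of sanctioned services are constructed assumptions, and in practice the map would come from the proxy or CASB vendor's application catalogue.

```python
from collections import defaultdict

# Constructed sample proxy log (not real traffic): timestamp user method host bytes content-type
PROXY_LOG = """\
2024-03-04T09:12:01Z jsmith GET www.dropbox.com 1200 text/html
2024-03-04T09:12:45Z jsmith POST content.dropboxapi.com 4831233 application/vnd.ms-excel
2024-03-04T09:15:02Z akhan GET drive.google.com 2240 text/html
2024-03-04T09:16:40Z akhan PUT docs.google.com 912000 text/csv
2024-03-04T10:01:12Z mlee GET sharepoint.example-corp.com 5100 text/html
2024-03-04T10:02:30Z mlee PUT sharepoint.example-corp.com 2200000 application/pdf
2024-03-04T10:20:00Z jsmith GET www.bbc.co.uk 43000 text/html
"""

# Hypothetical domain-suffix -> service map (assumption for this example).
SERVICES = {
    "dropbox.com": "Dropbox", "dropboxapi.com": "Dropbox",
    "drive.google.com": "Google Drive", "docs.google.com": "Google Drive",
    "sharepoint.example-corp.com": "Corporate SharePoint",
}
SANCTIONED = {"Corporate SharePoint"}        # services IT has approved
UPLOAD_METHODS = {"POST", "PUT"}
# Content types that typically carry tabular personal data (spreadsheets, CSV exports).
TABULAR_TYPES = {"text/csv", "application/vnd.ms-excel",
                 "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet"}

def classify_host(host):
    """Map a hostname to a known service by longest matching domain suffix, or None."""
    parts = host.split(".")
    for i in range(len(parts)):
        service = SERVICES.get(".".join(parts[i:]))
        if service:
            return service
    return None

def discover_shadow_it(log_text):
    """Per (user, service): request count, bytes uploaded, and tabular uploads to unsanctioned services."""
    usage = defaultdict(lambda: {"requests": 0, "upload_bytes": 0, "tabular_uploads": 0})
    for line in log_text.splitlines():
        _ts, user, method, host, size, ctype = line.split()
        service = classify_host(host)
        if service is None or service in SANCTIONED:
            continue                         # unknown site or approved service: not Shadow IT
        stats = usage[(user, service)]
        stats["requests"] += 1
        if method in UPLOAD_METHODS:
            stats["upload_bytes"] += int(size)
            if ctype in TABULAR_TYPES:
                stats["tabular_uploads"] += 1  # spreadsheet/CSV leaving via a personal account
    return dict(usage)

if __name__ == "__main__":
    for (user, service), s in sorted(discover_shadow_it(PROXY_LOG).items()):
        print(f"{user:8} {service:13} requests={s['requests']} "
              f"upload_bytes={s['upload_bytes']} tabular_uploads={s['tabular_uploads']}")
```

The output is a per-user, per-service inventory to start a conversation with staff about what they needed and why, in keeping with the non-inquisitorial approach above, rather than a list of culprits.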
In any case, any attempt to prevent staff from deploying Shadow IT will only result in individual employees trying to cover their tracks. The potentially disastrous consequence is that unprotected caches of sensitive data end up hidden from the company’s eyes, yet easily accessible to threat actors trawling the web for saleable data.
Nevertheless, an extensive and exhaustive investigation needs to be carried out at almost all UK organizations if they are not to run the risk of the potentially huge damage a successful data breach can cause, not only in terms of loss of customer and investor confidence and escalating financial costs, but also in the form of the large fines now imposed under the GDPR, of up to four percent of company turnover for the most egregious or negligent offenders.
The main artery running through any company’s Shadow IT is personal data flow. It is essential to make full use of the latest algorithmic software, usually referred to as AI, to track the complex and often unpredictable digital trails left by human staff. For the first time, a new technology enables the automated real-time discovery, mapping and tracking of personal data flow.
This effectively means that companies can deploy AI to discover not only where to plug the holes in their cyber defenses, but also to learn more about their employees’ true IT requirements.
It may be that some Shadow IT is actually necessary to fill the gaps in the organization’s IT infrastructure. When staff have genuinely found a more efficient way of operating or utilizing particularly useful bits of kit, their innovation need not be jettisoned but can be adopted and secured in-house.