The Shadow IT threat

Using services and programs that IT doesn’t know about causes problems. We explain how to avoid them.

It is practically impossible to pick software tools that everyone likes. At least one employee always knows of a free service that is ten times better than the company’s choice. If that one person begins to use and actively recommend that other option to coworkers, you have a phenomenon known as Shadow IT. Sometimes, it actually helps the company find a solution that better suits its business needs, but more often than not, it just causes a massive headache.

If people knew any better, they would run their ideas by security first. But we live in an imperfect world, and employees often use file sharing services, Web email applications, social networking clients, or messengers without a second thought and only later, if ever, ponder the consequences.

The problem is not necessarily that the tool might be a new free instant messenger cobbled together on the fly. It might just be a well-established service. The problem is that neither the security specialists, if your company has any, nor IT knows what’s going on. And that means the unsanctioned app is left out of infrastructure threat models, data flow diagrams, and basic planning decisions. And that, in turn, is asking for trouble.

Leak probability

Who knows what pitfalls might lie ahead when using third-party tools? Any application, be it cloud based or locally hosted, can have many subtle settings controlling privacy. And by no means are all employees equally software savvy. Cases abound of an employee leaving tables containing personal data unsecured in Google Documents, for one obvious example.

For another, services can have vulnerabilities through which third parties can gain access to your data. Their authors may close holes promptly, but who will make sure employees install all needed patches for client-side apps? Without IT involvement, you can’t be sure they’ll even get a memo about updating. Also, it is the rare person who takes responsibility for managing access rights in unauthorized applications and services — for example, by revoking privileges after dismissal — if such a feature is even available. In short, no one is responsible for the security of data transmitted or processed using services unapproved by IT or security.

Violation of regulatory requirements

These days, countries around the world have their own laws specifying how businesses should handle personal data. Add to that the many industry standards on that same subject. Companies have to undergo periodic audits to meet the requirements of various regulators. If an audit suddenly discovered that clients’ and employees’ personal data were sent using unreliable services, and IT was oblivious, the company could face a substantial fine. In other words, a company doesn’t need an actual data breach to get in trouble.

Budget down the drain

Using an alternative tool instead of the recommended one may sound like no big deal, but to the company, it represents at best a waste of money. After all, if IT purchases licenses for each approved participant in the workflow, but not everyone actually uses theirs, then it has paid for nothing.

What to do about Shadow IT

Shadow IT needs to be managed, not fought. If you can keep it under control, you can not only improve data security at your company, but you may also find genuinely popular and useful tools that can be deployed company-wide.

Right now, in the midst of the work-from-home pandemic, the risks associated with using unsupported applications and services are increasing. Employees are being forced to adapt to new conditions, and they commonly try to find new tools that they believe are better suited to their telecommuting. Therefore, we added some extra features to the updated version of Kaspersky Endpoint Security Cloud for detecting the use of unapproved cloud services and applications.

What’s more, Kaspersky Endpoint Security Cloud Plus can also block the use of such services and applications. This version of the solution also gives the company access to Kaspersky Security for Microsoft Office 365, which provides an additional layer of protection around Exchange Online, OneDrive, SharePoint Online, and Microsoft Teams.

You can learn more about our solution and purchase it on Kaspersky Endpoint Security Cloud official page.

Tips