office computer in shadows for dangers of shadow i.t.

What are the Dangers of Shadow I.T.?

Cassidy,
RMM Administrator

Cassidy of Infinity, Inc.

We all find ourselves bottlenecked by the way we do things at work from time to time, don’t we? Sometimes it’s caused by a process, or sometimes an application or the equipment we use.  Many times we think there is a better solution, ‘if only I could use that application or web service that I use at home.’ Because how we tend to do things in our personal lives is entirely up to us. We can choose fast and easy without having to consider other factors. So when we feel pressured to get something done at work, we can easily shift into finding our own solution to a problem and ignoring the way things are supposed to be done. While this doesn’t always cause issues, and can even increase productivity at times, it does lead to an underlying issue known as Shadow I.T. And that can result in situations that the I.T. team hasn’t prepared for or mitigated, which then leads to unexpected outcomes or even major security holes.

Risks of Shadow I.T.

Altering a process without reviewing it with management and/or I.T. staff can easily expose information to loss or create an unknown vulnerability. It can cause data to be moved into a location that isn’t properly monitored or backed up. You can experience a minor integration problem that you make a workaround for that ends up breaking things in other parts of the business and now impacts more people and time (and money) to be corrected.

Let’s look at how using an off-the-shelf but unvetted software can cause data to be leaked or stolen through security holes in that product that you don’t even know about.

For example, using your personal Dropbox account to transfer files when your business uses something else might seem like a simple, quick fix to the problem you have of needing to move or share files. Or what about using a flash card app if you need to learn important information to do your job? Say you have certification or mastery tests you need to complete to stay employed or get promoted, wouldn’t it make sense to save work files or information to a flash card app on your phone so you can study?

Unfortunately, both of those unapproved options could potentially expose your company’s information to unapproved people or devices.

In fact, there was a recent issue where some Department of Defense (DoD) staff used an online application to study for their work test, thinking there wasn’t an issue. However, the default configuration in this application made all material public. And it exposed sensitive National Security Information to anyone who was looking. This is a 10-minute video about the investigation.

Even installing an unapproved piece of hardware can lead to unexpected outcomes. An obvious example of this is using a personal Wi-Fi router to help you with your work. What’s wrong with a router? Nothing. The problem is not the router but the fact that it is your personal hardware, not managed by the company with standards and protections, which could expose the network through unmanaged flaws or misconfigurations.

There is another risk that’s less apparent. You now have to consider every other piece of non-managed equipment joined to the network through your personal router. For instance, a connected refrigerator or toaster (or other IoT appliance). These devices may have security holes that aren’t mitigated, allowing access to the network. Sound crazy? There have been documented cases of a Wi-Fi toaster exposing access to the network through outdated software that can’t be updated. Read about one example here.

Sidebar: Ask yourself whether you really need these kinds of devices on your network, just for convenience or cool effects like setting temperatures from your phone. Is it worth the risk to have this item added to the environment?

And if installing your personal router sounds too far-fetched, what about plugging in a personal USB flash drive or hard drive for additional storage? Or connecting Bluetooth speakers or headphones that haven’t been approved? Have you run the necessary scans and checked the configurations to make sure you are not introducing any risk to your network?

 

How to Manage Shadow I.T.

Hopefully, you can see now how deviating from standard practices and processes in your business can easily result in some unexpected, and sometimes dire, consequences. So what can you do to manage or mitigate the risks of Shadow I.T.?

  • Make sure you are periodically reviewing how staff use their technology and whether they are following the guidelines or processes you have in place.
    • Send surveys, ask questions, maybe make it part of regularly scheduled reviews to find out what’s working and what’s causing headaches.
  • Encourage employees to speak up when they see unauthorized or suspicious activity.
    • Let your staff know the risks so they can help protect your business.
  • In all cases, there should be a discussion with management and I.T. prior to making changes to processes and equipment so you can reduce the likelihood of these types of events occurring.
    • Communicate openly and regularly so the right hand knows what the left hand is doing, and vice versa. You’ll be stronger together.

 

Shadow I.T. can creep into a process or environment quickly and without warning and can lead to serious impacts to operation. But you don’t have to let it. Reach out to the Infinity team with your questions; we’re happy to help.