Shadow IT and Cyber Security

The Prime Minister’s advisor Dominic Cummings has demonstrated an astute use of IT and social media to help win the government’s political arguments. So, when he speaks on matters of IT security at the heart of the new government, it’s probably wise for us all to take note.

Following the election success, he warned all government ministers and civil servants against the practice of using private email accounts to discuss official government business.

The motive behind this warning was his fear that less secure private accounts are more likely to be hacked by foreign powers, with many observers opining that the pre-election leak of papers covering trade talks between the UK and the US had triggered this caution.

Danger in the shadows

While the hacking of government accounts and the clandestine publishing of previously secret discussions may appear a particularly specialised area of cyber-crime, the basic principle highlighted by Cummings was one which is increasingly impacting on organisations of every size – shadow IT.

The phenomenon of shadow IT is the growing tendency of employees within an organisation to use their own devices, apps and platforms when dealing with work-related matters, whether it’s trade talks or details of a house sale.

The key point is not that employees are using their own IT resources, as many organisations embrace the flexibility of a Bring Your Own Device (BYOD) approach, but that in most cases it is all being done without the knowledge of their IT department or executive leadership.

Given that the key to any effective cyber security policy is the integration of all parts of an organisation within a cohesive and unified approach, this clearly throws up the genuine risk of security blind spots, loopholes and open back doors.

Numbers reveal the scale of the problem

A wealth of statistics underline the pervasive nature of shadow IT, with research by the Everest Group, a global management consulting and research firm, showing more than 50% of the technology spend in the average organisation goes on shadow IT.

A study of Fortune 1000 companies carried out by IBM found that one in three employees regularly made use of cloud-based software-as-a-service (SaaS) apps which hadn’t been approved by their own IT departments.

According to a report compiled by Infoblox, a company specialising in IT security, more than a third of US, UK, and German companies experience 1,000 shadow IoT devices connecting to enterprise networks every single day. For 12% of UK companies, this figure rises to a fairly astonishing 10,000 devices.

The potential impact of this could be huge. It’s vital to understand that the issue with shadow IT is not so much the use of devices itself since this is clearly a genie that isn’t going back into the bottle, but the understanding of the risks which the average IT department is bringing to the table.

Perhaps the most shocking statistic in the Infoblox report is that while 82% of organisations have introduced security policies designed to police the use of shadow IT, only 24% of employees are aware of these measures, whilst 88% of senior IT managers believe their policies are effective.

This is clearly a fairly toxic mix. A network made up of multiple separate components with varying levels of security protection, IT policies that aren’t being disseminated effectively across a workforce and IT leadership struggling to grasp the real-life reality, make for a serious problem waiting to happen.

Out of sight out of mind

To paraphrase Hanlon’s razor, we should not attribute to malice that which is adequately explained by ignorance. Employees are rarely willfully negligent or setting out to damage the integrity of the wider organisation, they just don’t recognise the dangers.

Rather it’s that working practices that aim to increase efficiency, promote independent thinking and instill an atmosphere of innovation, also depend upon tools which are, by their very nature, more difficult to police in terms of cybersecurity.

The ‘Cyber Attack Trends: 2019 Mid-Year Report’ published by Check Point found that cyber-attacks targeting smartphones and similar mobile devices had risen by 50% during the first half of 2019 when compared with 2018.

KnowBe4’s ‘2019 Security Threats and Trends’ global survey, which consulted with 600 organisations, found the biggest threat to security arose from the negligent behaviour of their own employees, engaging with threats like ransomware, malware and phishing emails.

It seems no matter how advanced security measures become, cybercriminals are agile and able to find new weak spots to exploit. This is particularly true if a culture of security has not been embedded in every level of an organisation or across all its employees.

Working to update protections such as firewalls, encryption, and vulnerability scanning tools can only ever be partially effective unless the people utilising shadow IT have been taught to recognise and avoid likely risks.

In short, when it comes to the effective and safe use of shadow IT, the people using the tools are every bit as important, as the nature of those tools themselves.

Like what you read?