Shadow IT – Get Out of the Dark
Posted by: Carla Brinker
Shadow IT (the stuff that goes on without IT's involvement) brings many risks to an organization. If users have excessive privileges, they will download unauthorized software. That software goes unpatched by IT; it might be misconfigured, have its security features turned off, and so on. It could be something like a messaging app. It seems innocent to the end user (I just want to talk to my buddies about the playoffs), but in reality, this simple messaging app allows data to leave the corporate network without detection. "I just want to talk to my buddies about the playoffs" just turned into a data leak. Or the app they downloaded stores company data in a cloud, but the company doesn't have a confidentiality agreement with that cloud provider. Do you see a pattern here? Excessive privileges allow unauthorized software, and that is just the beginning of the problem.
Or how about the dedicated worker who wanted to work at home tonight, started an email, attached a database to the email, and saved it as a draft email? They log in to their web-based corporate email from home, download the database, get their work done, re-upload the database to the draft email, and replace it at work the following day. No harm no foul. Right? All of this was within corporate policy because the user was able to do it. Right? Wrong. The employee, although well-meaning, has just loaded the database onto their personal computer, via their personal network, and allowed that data to leave the security of the corporate network. This is a policy violation.
Why do people go around IT? Sometimes, they don’t even know they’re doing it. Other times, IT is just too inconvenient. They take too long. They have too many rules. Why go through the process when I can spin up a cloud instance, pay the monthly fee and expense it? It’s just faster. Other times, users have issues with what IT implements and they go looking for other, better alternatives that fit their work use. No matter the reason, activities like this are considered shadow IT.
How do you prevent shadow IT and the negative experience of cleaning it up?
1) Talk to your users. Ask them how the tools they use are working for them. Listen to their feedback and respond accordingly.
2) Educate your users on why IT is there and why they want to work WITH the users, not AGAINST the users.
3) If your users prefer a certain type of endpoint, give it to them. And secure it. This will decrease their desire to use their personal machine and find ways to circumvent corporate IT.
4) Watch the network for anomalous activity. I realize that's a given. Hopefully, your monitoring includes a baseline so you can detect downloads that are unusually large for a given user, large file transfers, excessive session times, a new softphone, a new wireless access point, etc.
5) Remove local admin rights from the users so they cannot install software packages, change configuration settings, or disable security controls. This doesn’t help you with browser extensions or cloud-based apps, but it’s a start.
6) Block USB ports to ensure removable media is not used to install software.
7) Provide equipment that can be monitored remotely. Scan for all apps installed. Talk to the user when an unauthorized app is found. Don’t just remove it (unless it’s a high risk); instead, talk with the user first, find a secure alternative, and then remove it.
8) Re-image the endpoint every day when the user logs in. Any software installed the previous day is automatically removed.
9) Implement data leakage protection and attempt to block data going into unauthorized cloud instances.
10) Prevent web-based personal email accounts on the corporate network. This is a bit more challenging if your organization is already using cloud-based email: a corporate email account is difficult to distinguish from a personal email account if you don't have a proper naming convention.
11) Ensure accounting has a method for approving payments. All vendors must be risk-rated by your third-party oversight team before any payment can be made.
12) Ensure all monthly recurring payments are flagged by accounting. Things like cell phones, internet charges, toll charges, etc. are obviously OK, but what about a monthly charge to a cloud provider? Accounting should be following up on this type of charge before reimbursing.
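To make item 4 concrete, here is an added example (not code from the post or from GuidePoint Security) of baseline-driven detection over proxy-style logs. It assumes a simplified log format with a date, user, destination host, bytes moved and session length, a small allowlist of approved destinations, and constructed sample lines; the thresholds are illustrative. It flags three of the indicators the item names: a user's daily volume far outside that user's own history, traffic to a destination outside the approved set (a sign of an unsanctioned cloud app), and an unusually long session.

```python
"""Baseline-based shadow-IT indicators over constructed proxy log lines."""
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log (made up for this example, not real traffic).
# Fields: date, user, destination host, bytes moved, session length in seconds.
SAMPLE_LOG = """\
2024-03-01 user=alice dest=mail.corp.example bytes=200000 session=1800
2024-03-01 user=alice dest=wiki.corp.example bytes=150000 session=900
2024-03-02 user=alice dest=mail.corp.example bytes=220000 session=1700
2024-03-03 user=alice dest=mail.corp.example bytes=210000 session=1900
2024-03-04 user=alice dest=mail.corp.example bytes=190000 session=1600
2024-03-05 user=alice dest=files.unknown-cloud.example bytes=4800000000 session=36000
2024-03-01 user=bob dest=mail.corp.example bytes=500000 session=2000
2024-03-02 user=bob dest=mail.corp.example bytes=520000 session=2100
2024-03-03 user=bob dest=mail.corp.example bytes=480000 session=1900
2024-03-04 user=bob dest=mail.corp.example bytes=510000 session=2200
2024-03-05 user=bob dest=mail.corp.example bytes=495000 session=2000
"""

# Assumed allowlist of sanctioned destinations (hypothetical hostnames).
APPROVED_DESTS = {"mail.corp.example", "wiki.corp.example"}
MAX_SESSION_SECONDS = 8 * 3600   # illustrative "excessive session" threshold
MIN_BASELINE_DAYS = 3            # need this much history before judging a day

LINE_RE = re.compile(
    r"^(\S+) user=(\S+) dest=(\S+) bytes=(\d+) session=(\d+)$"
)


def parse_log(text):
    """Turn the log text into a list of event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        date, user, dest, nbytes, session = m.groups()
        events.append({"date": date, "user": user, "dest": dest,
                       "bytes": int(nbytes), "session": int(session)})
    return events


def daily_totals(events):
    """Sum bytes per user per day: {user: {date: bytes}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for e in events:
        totals[e["user"]][e["date"]] += e["bytes"]
    return totals


def detect(events, day):
    """Return (user, kind, detail) findings for one day, judged against
    each user's own earlier days rather than a single global threshold."""
    findings = []
    totals = daily_totals(events)
    for user, per_day in totals.items():
        # ISO dates compare correctly as strings
        history = [b for d, b in per_day.items() if d < day]
        if day not in per_day or len(history) < MIN_BASELINE_DAYS:
            continue  # not enough of a baseline to call anything unusual
        mu, sigma = mean(history), pstdev(history)
        today = per_day[day]
        # Far outside the user's own spread AND well above their mean,
        # so a tight, low-variance baseline alone cannot trigger it.
        if today > mu + 3 * sigma and today > 2 * mu:
            findings.append((user, "volume",
                             f"{today} bytes vs baseline {mu:.0f}"))
    for e in events:
        if e["date"] != day:
            continue
        if e["dest"] not in APPROVED_DESTS:
            findings.append((e["user"], "unapproved_dest", e["dest"]))
        if e["session"] > MAX_SESSION_SECONDS:
            findings.append((e["user"], "long_session", str(e["session"])))
    return findings


if __name__ == "__main__":
    for finding in detect(parse_log(SAMPLE_LOG), "2024-03-05"):
        print(finding)
```

The per-user baseline is the point: bob moves more data than alice every day, so a single global byte threshold would either page on bob constantly or miss alice's one-off 4.8 GB push to an unsanctioned host. The "unapproved destination" check is the cheapest early warning that a new cloud app has appeared; the conversation with the user (item 7) starts from that finding.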
“If it’s easy, it’s not secure.” I have said that for over 25 years and I have yet to prove it wrong. Security takes time. Users don’t want to wait. Ensure your communication is open and frequent with your users to help prevent shadow IT. And have controls in place if the communication breaks down.
Carla Brinker
Principal Cybersecurity Consultant,
GuidePoint Security
Carla Brinker, Principal Cybersecurity Consultant at GuidePoint Security, began her career in the security industry in 2000. Her professional experience includes PCI assessments ranging from Fortune 25 companies to small companies, risk assessments, IT governance, oversight of new controls implementation, technical writing, and security education. She has both led and participated in assessments for industries such as banking, retail, ecommerce, and hospitality and has managed teams of consultants delivering information security services. Carla holds several industry certifications, including Certified Information Security Assessor (CISA), Certified Information Security Manager (CISM), and PCI Qualified Security Assessor (PCI QSA).