Tom Doyle


Anticipation, Identification, and Managing Shadow IT

Introduction

Shadow IT is not new. Organisations have been battling it since IT entered the workplace: from users bringing in their own terminals to departments buying rogue software, the practice is as old as business computing itself. The organisations that struggle most today are often those transitioning from the startup phase into a growth phase, but the phenomenon can be seen in any organisation, large or small. As more emphasis is put on securing the business, a large cultural shift needs to happen alongside the technological one. Anticipating this with user education from the start is therefore vital.

Anticipating Shadow IT

In any modern environment, where individuals crave productivity to stand out from their peers, anticipating shadow IT is a must. Its extent is often ten times greater than CIOs expect.[1] With more of generation Z entering the workforce, the use of shadow IT will only increase: social media such as TikTok is full of short videos sharing productivity hacks and the latest SaaS tools or apps, promoting hustle culture and driving many top performers to eliminate, on their own initiative, what they perceive to be waste, something security teams have long viewed as a risk.[2] This article takes a nuanced view and differentiates the risks of different categories of shadow IT, highlighting how the business might strike a balance between risk and productivity.

Research shows that shadow IT is often introduced by the high performers in a business.[3] These are the individuals who customise their workflows to suit their personal ways of working and find tools to automate how they work. Stifling that drive causes friction with the employees who have the highest output, so strategies are needed that keep our best people working their hardest in a way that suits them while still managing risk.[4]

Shadow IT has long been a distributed problem in need of a distributed solution, the most obvious of which is education. These top performers are not breaking rules to rebel like an angsty teenager; they are there to work. It is up to security teams to teach them how to work safely and to identify which shadows are the darkest.

The move to SaaS means the cost to acquire is lower, and these tools are often provided free up front. SaaS tools do not need to be installed on the endpoint, which lowers the burden of software management[3] but also circumvents any restriction on installing software. The user can, however, be lured into uploading sensitive data to these tools for processing: for example, uploading sensitive documents to an online editor in order to redact them.[5] Or a user can be baited with the promise of a service and unknowingly install malware such as an infostealer.

As individuals look for ways to automate their work they turn to SaaS apps, which are much harder to control and audit than traditional applications that must be installed. Just as MDM made it easy to monitor the applications on endpoints, next-generation IAM, through tools like Google Workspace, Okta or Entra ID, should add reporting on the SaaS applications in use inside an organisation.

Tight budgets send users looking for free tools, which are themselves often propped up by running ads (malicious or not)[source for ads] or by selling user data.

When trialling these SaaS apps, many users hand over a great deal of information and access through their identity provider and rarely revoke it. Few pay attention to what the application is requesting access to, eager as they are to try it out.

Many IAM solutions can block access to unapproved third-party apps, but what is to stop a user registering directly with an email address and password rather than signing in with their work IAM credentials?

The inverse is possibly more favourable. If you allow users to sign up through your IAM provider, the third party never stores the user's password, which prevents password reuse and the leak of that password, and you gain auditing and reporting of which apps are in use in the organisation. The user keeps two-step authentication, and you have a way of monitoring which SaaS apps your colleagues are using. Many GRC automation tools ingest these audit reports and classify the apps as vendors for you when creating due diligence reports or monitoring access to such tools.

Over the past few years the focus of shadow IT has shifted dramatically. The main concern used to be users installing apps, which endpoint protection and strong permissions have existed for years to combat; now the model has shifted to users, often unknowingly, exfiltrating data themselves to third-party SaaS systems.

AI in the Workforce

With the advent of AI in the workplace, many feel that if they are not looking for and trying new AI tools they are falling behind. The rise in marketing around AI and its capabilities has created a lot of fear, uncertainty and doubt (FUD) about jobs, driving many employees who may never have used AI to use it out of fear for their employment. A survey conducted by The Conference Board in September 2023 showed that 56% of workers in the US were using generative AI at work, while ISACA's survey indicates that only 10% of organisations have a generative AI policy in place.[6]

Due to the rapid adoption of AI systems, education around these tools has lagged behind. We have seen developers upload source code or API documentation to such systems, and HR teams upload internal policies to create handy user guides.[7] This leaves businesses open to leaks of intellectual property or data breaches through a lack of user awareness. Among high performers AI is often viewed as a productivity multiplier.[8]

As a cyber security or GRC practitioner, this risk is very difficult to convey to a business or department when those responsible are also the top performers. Teams often operate in an agile fashion, organising themselves with IT that suits their needs without considering the risk it poses to the business. The business can see security's involvement as micromanagement and a hindrance to their workflows. At best they are annoyed at the department slowing their progress; at worst they hide their activity, making identifying and reducing shadow IT more difficult.

Strategies to Manage

Discover and Classify

The first step in any audit is to discover what you have. Seek reporting from your IAM tooling: which applications users are logging into and how many users are accessing the same tools. Once you know which tools are in use, look at what data they handle. Are they calendar management apps, or are they handling PII?

Risk Assess and Comply

Once you know where your data is going and what it contains, you can map it to your company's risk appetite. This will largely depend on what business you are in, which regulations apply to you and what data you have found to be leaving your organisation.
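As an added illustration of the discover, classify and risk-assess steps above, and of the consent-grant reporting an identity provider gives you when users sign up via SSO, the following Python is example code written for this article rather than code from the original page or from any IAM vendor. It assumes the IdP's OAuth consent events have already been exported as records of user, app and granted scopes; the event shape, the scope names, the data classes and the risk-appetite rule are all constructed assumptions to be replaced with your own tenant's values.

```python
"""Turn IdP OAuth consent events into a SaaS inventory, classify each app by
the most sensitive data its granted scopes reach, and triage it against a
simple risk appetite. Example code; event shape and scope names are assumed."""

from dataclasses import dataclass, field

# Constructed sample export: one record per consent grant (user, app, scopes).
# The shape is generic, not any particular identity provider's audit format.
SAMPLE_CONSENT_EVENTS = [
    {"user": "alice@example.com", "app": "scheduler-saas",
     "scopes": ["openid", "email", "calendar.readonly"]},
    {"user": "bob@example.com", "app": "scheduler-saas",
     "scopes": ["openid", "email", "calendar.readonly"]},
    {"user": "carol@example.com", "app": "pdf-redactor-online",
     "scopes": ["openid", "email", "drive.file"]},
    {"user": "dave@example.com", "app": "ai-meeting-notes",
     "scopes": ["openid", "email", "mail.read", "calendar.readonly"]},
    {"user": "erin@example.com", "app": "ai-meeting-notes",
     "scopes": ["openid", "email", "mail.read"]},
    {"user": "frank@example.com", "app": "ai-meeting-notes",
     "scopes": ["openid", "email", "mail.read", "directory.read"]},
    {"user": "alice@example.com", "app": "team-whiteboard",
     "scopes": ["openid", "email"]},
]

# Scope family (text before the first '.') -> data class. Assumed families;
# map the scope strings your own IdP emits here. Matching is on the whole
# family, not a substring, so "email" is not mistaken for "mail".
SCOPE_FAMILY_DATA_CLASS = {
    "mail": "pii",
    "contacts": "pii",
    "directory": "pii",
    "drive": "documents",
    "files": "documents",
    "calendar": "scheduling",
}
# Data classes ordered from least to most sensitive.
SENSITIVITY_ORDER = ["identity", "scheduling", "documents", "pii"]


@dataclass
class AppRecord:
    name: str
    users: set = field(default_factory=set)
    scopes: set = field(default_factory=set)

    def data_class(self) -> str:
        """Most sensitive data class reachable through the union of scopes
        granted to this app across all users."""
        classes = {"identity"}  # openid/email alone still expose identity
        for scope in self.scopes:
            family = scope.split(".", 1)[0]
            if family in SCOPE_FAMILY_DATA_CLASS:
                classes.add(SCOPE_FAMILY_DATA_CLASS[family])
        return max(classes, key=SENSITIVITY_ORDER.index)


def discover(events) -> dict:
    """Step 1: collapse consent events into one record per app, tracking who
    uses it and every scope it has ever been granted."""
    apps = {}
    for event in events:
        record = apps.setdefault(event["app"], AppRecord(event["app"]))
        record.users.add(event["user"])
        record.scopes.update(event["scopes"])
    return apps


def triage(apps: dict, adoption_threshold: int = 3) -> dict:
    """Step 2: apply a toy risk appetite (assumed; tune to your own).
    Apps reaching documents or PII need vendor due diligence once adoption is
    broad; with only a few users it is cheaper to revoke the grants and steer
    them to an approved tool. Identity-only or scheduling apps are allowed
    but kept on the monitoring list."""
    decisions = {}
    for name, record in apps.items():
        cls = record.data_class()
        if cls in ("documents", "pii"):
            action = ("vendor-due-diligence"
                      if len(record.users) >= adoption_threshold
                      else "revoke-and-redirect")
        else:
            action = "allow-and-monitor"
        decisions[name] = {"data_class": cls, "users": len(record.users),
                           "scopes": sorted(record.scopes), "action": action}
    return decisions


if __name__ == "__main__":
    results = triage(discover(SAMPLE_CONSENT_EVENTS))
    for app, d in sorted(results.items(), reverse=True,
                         key=lambda kv: SENSITIVITY_ORDER.index(kv[1]["data_class"])):
        print(f"{app:22} {d['data_class']:10} users={d['users']:<3} -> {d['action']}")
```

The point of keying the decision on the union of scopes rather than on the app's marketing category is that a "meeting notes" app that has been granted mail and directory read across three users is, from a data-handling point of view, a PII processor and belongs in the vendor due diligence queue, while the single user who connected an online PDF editor to their drive is better handled by revoking the grant and pointing them at an approved redaction tool. The same output feeds the education step: it tells you which teams to talk to and about which tools.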

Educate

Security and audit teams should never act in a silo. This exercise has produced information; find a way to relay it back to your organisation through education and training programmes about what tools

Conclusion

The best way to ensure the security of the business is to anticipate that shadow IT will rear its head in every organisation, and audit teams should have strategies in place to detect and manage it when it does. The main remediation is education of users: what data is personally identifiable information that must be protected, and what level of risk is acceptable to the business.

References

  1. ‘CIOs vastly underestimate extent of shadow IT’, CIO. Accessed: May 25, 2024. [Online]. Available: https://www.cio.com/article/244776/cios-vastly-underestimate-extent-of-shadow-it.html
  2. B. Lashbrooke, ‘Why Are These TikTok Productivity Hacks So Popular? They Actually Work’, Forbes. Accessed: Jun. 17, 2024. [Online]. Available: https://www.forbes.com/sites/barnabylashbrooke/2022/06/14/why-are-these-tiktok-productivity-hacks-so-popular-they-actually-work/
  3. S. Haag, A. Eckhardt, and C. Bozoyan, ‘Are Shadow System Users the Better IS Users? – Insights of a Lab Experiment’.
  4. ‘Your Employees Will Leave, And It’s a Missed Opportunity’, Gartner. Accessed: Jun. 18, 2024. [Online]. Available: https://www.gartner.com/en/supply-chain/insights/beyond-supply-chain-blog/your-employees-will-leave-and-its-a-missed-opportunity
  5. M. Juen, ‘The Hidden Risks of Online PDF Editors — And the Solution You’ve Been Waiting For’, Medium. Accessed: Jun. 18, 2024. [Online]. Available: https://medium.com/@mjuen/the-hidden-risks-of-online-pdf-editors-and-the-solution-youve-been-waiting-for-1b6a93bd36d5
  6. A. Malaj and E. Muka, ‘AI Lights and Shadows: Revolutionizing the World’, FORUM AP Interdiscip. J. Archit. Built Environ., no. 27, pp. 84–91, Oct. 2023, doi: 10.37199/f40002712.
  7. S. Ray, ‘Samsung Bans ChatGPT Among Employees After Sensitive Code Leak’, Forbes. Accessed: Jun. 18, 2024. [Online]. Available: https://www.forbes.com/sites/siladityaray/2023/05/02/samsung-bans-chatgpt-and-other-chatbots-for-employees-after-sensitive-code-leak/
  8. ‘Generative AI is empowering the digital workforce’, MIT Technology Review. Accessed: May 25, 2024. [Online]. Available: https://www.technologyreview.com/2023/07/25/1076532/generative-ai-is-empowering-the-digital-workforce/