Shadow IT May Be the Biggest Cybersecurity Headache You Know Nothing About

If you’re a business executive reading this article and the term “shadow IT” doesn’t send a shudder down your spine, you haven’t been paying attention.

Shadow IT–or stealth IT, client IT, unauthorized IT, or whatever term you care to use–is a big and growing trend. A confluence of factors has created this monster, and its growing impact on cybersecurity vulnerabilities and risk management cannot be overstated.

Let me be as clear as possible about this: Your organization is undoubtedly practicing shadow IT in some form or another, and it is significantly expanding your cybersecurity threat vectors.

Maybe your engineers have an IoT skunkworks project in some off-facility lab. Or your marketing team is launching its own advertising program impact study using open source databases and cloud analytics. Or your factory managers for the European market are sick and tired of delays of badly needed updates to the MRP II system and are building their own workarounds.

Or, maybe it’s your CFO, your board members, or even yourself, using unencrypted personal smartphones and tablets at home to access sensitive customer records.

In these and many other cases, your IT teams probably don’t know about it. Your SecOps teams don’t know these resources exist, so they aren’t protecting against threats coming in through them. And if the techs in your organization don’t know these assets exist–or worse, aren’t doing anything to prevent the sprawl of shadow IT throughout the enterprise–you are in trouble.

What kind of cybersecurity troubles can shadow IT cause? Let’s name a few:

  • Irregular or non-existent security patching of personally owned devices.
  • A lack of visibility into which cloud services are being used, how they are being used, and what enterprise data is being exposed.
  • Poor security hygiene in using open, unsecured Wi-Fi networks in airports, coffee shops, public parks…or even at home.
  • Opening up seemingly benign endpoints–digital cameras, fax machines, network printers, kitchen appliances, and pretty much anything with a chip or a Wi-Fi connection point–to cyber-attacks from any spot on the globe.

Make no mistake about it: Shadow IT is a big deal. Gartner predicted that, by 2020, one-third of successful cybersecurity attacks will be made against shadow IT resources. (That’s right, the stuff you, your CISO and your CIO probably have no idea even exists.) And, it’s fair to assume that one-in-three figure is going to skyrocket in the coming years as shadow IT becomes more pervasive and tech-savvy employees become more innovative.

“Not long ago, the notion of a shadow IT organization was preposterous,” according to Alice Cooper, global head of derivative trade processing IT at BNP Paribas CIB. Writing in Navigating the Digital Age, Second Edition, Cooper points out that IT used complicated technologies and intricate processes only truly understood by technical specialists. “But that’s changed dramatically,” she adds. “Today’s workforce…is far more technologically adept and more comfortable writing applets, setting up wireless networks, deploying virtual machines, and putting in place digital sandboxes for short-term projects.”

The result has been startling: One study revealed that 72% of companies don’t know the scope of shadow IT at their organizations, but want to. But good luck with that: Too many business executives are either uninformed or in denial about how extensive their organizations’ use of things like cloud services, build-your-own virtual machines, or bring-your-own-device policies really is.

This has put enormous pressure on cybersecurity professionals to figure it all out–and they are operating at an extreme disadvantage because of their lack of visibility into the problem. It’s like they’re playing tag not only blindfolded, but with both hands tied behind their backs: They know something is out there, but they can’t get their hands on it.

“Right now, shadow IT may be endangering your intellectual property and sensitive customer or employee data,” according to Mike Thoma, chief underwriting officer for Travelers Insurance global technology. “Before you can take concrete steps to protect your technology business, you must first understand the nature and scope of this risk.”

Now, considering that many business leaders actually encourage this kind of take-charge approach to problem-solving, many organizations find themselves in a quandary: Should we crack down hard on shadow IT with rules, fiats, and mandates about what to do, or continue to stick our heads in the sand and not acknowledge the cyber risk involved?

Of course, there is always a Plan C:

  • Find out the extent of the practice.
  • Determine its potential for cyber risk exposure.
  • Create some best practices that continue to allow agility and IT self-service, but that don’t create cybersecurity blind spots.
  • Use a mix of training, audits, and, potentially, sanctions to ensure a workable balance that doesn’t inhibit innovative problem-solving or open up a Pandora’s box of risk and damages.
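The first Plan C step, finding out the extent of the practice, is in large part a log problem: the proxies and DNS resolvers your users already pass through record which cloud services they reach, whether or not IT sanctioned them. The following Python script is an added example, not code from the article or its author. It walks web-proxy records in a simple constructed format, drops destinations that appear on a sanctioned-service allowlist, and reports the rest with the number of distinct users and the volume of data sent out, ranking widely used services first because adoption by a whole team, not one individual, is what signals a shadow IT resource worth assessing. The log lines, the allowlist, the log format and the category keywords are all constructed for illustration; a real deployment would read its own proxy export and its own allowlist.

```python
"""Added example: a first-pass inventory of unsanctioned cloud services
from web-proxy logs. Log format, sample lines, allowlist and category
keywords are constructed for illustration and are not from the article."""
import re
from collections import defaultdict

# Constructed: destinations the IT organization has actually sanctioned.
SANCTIONED = {
    "mail.example-corp.com",
    "crm.example-corp.com",
    "storage.sanctioned-cloud.example",
}

# Constructed: keyword hints that give an unsanctioned host a rough category,
# so the report can be sorted by the kind of data likely to be exposed.
CATEGORY_HINTS = {
    "drive": "file sharing",
    "box": "file sharing",
    "share": "file sharing",
    "analytics": "analytics",
    "paste": "code/paste",
    "notes": "collaboration",
}

# Constructed proxy export: "<timestamp> <user> <destination_host> <bytes_out>".
# One deliberately malformed line is included to show that it is skipped.
SAMPLE_LOG = """\
2024-05-01T09:12:03Z alice mail.example-corp.com 2048
2024-05-01T09:13:44Z alice personaldrive.example 5242880
2024-05-01T09:15:10Z bob personaldrive.example 1048576
2024-05-01T09:16:52Z carol free-analytics.example 20480
garbage line without fields
2024-05-01T09:18:00Z bob crm.example-corp.com 4096
2024-05-01T09:19:31Z dave personaldrive.example 734003200
2024-05-01T09:20:15Z erin quicknotes.example 1024
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")


def parse_lines(text):
    """Yield (user, host, bytes_out) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        _timestamp, user, host, size = match.groups()
        yield user, host.lower(), int(size)


def categorize(host):
    """Map a host to a rough service category using the keyword hints."""
    for keyword, category in CATEGORY_HINTS.items():
        if keyword in host:
            return category
    return "unknown"


def inventory(text, sanctioned=SANCTIONED):
    """Aggregate unsanctioned destinations: distinct users, bytes sent, category."""
    report = defaultdict(lambda: {"users": set(), "bytes_out": 0})
    for user, host, size in parse_lines(text):
        if host in sanctioned:
            continue  # sanctioned services are IT's problem already, not shadow IT
        report[host]["users"].add(user)
        report[host]["bytes_out"] += size
    for host, entry in report.items():
        entry["category"] = categorize(host)
    return dict(report)


def rank(report, min_users=2):
    """Hosts reached by at least min_users distinct people, most users first,
    ties broken by outbound volume. Team-wide use, not a single visit, is the
    signal that a business unit has adopted a service outside IT's view."""
    return sorted(
        (host for host, entry in report.items() if len(entry["users"]) >= min_users),
        key=lambda h: (-len(report[h]["users"]), -report[h]["bytes_out"]),
    )


def format_report(report, min_users=1):
    """Render the ranked inventory as plain text lines for a review meeting."""
    lines = []
    for host in rank(report, min_users):
        entry = report[host]
        lines.append(
            f"{host:28} {entry['category']:14} users={len(entry['users']):<3} "
            f"bytes_out={entry['bytes_out']}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(inventory(SAMPLE_LOG)))
```

Run against the constructed log, the report lists `personaldrive.example` first (three users, roughly 700 MB sent out), which is exactly the kind of finding that feeds the next Plan C step of judging the risk exposure before deciding on policy. Swap in a real proxy export by adjusting `LINE_RE` and `parse_lines`, and seed `SANCTIONED` from the IT asset register rather than from a hard-coded set.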

“…Business leaders and boards must (a) acknowledge that the problem exists and that it has a potentially devastating impact, and (b) lead the way in encouraging smart answers to the problem,” said Cooper. “Denial is not a solution.”

She also points out, however, that despite the organizational challenges posed by shadow IT, the practice should not be outlawed with sweeping, ill-thought-out policies. “I know most organizations can highlight instances where enterprising employees working outside the sphere of the IT organization have done some things that resulted in a competitive advantage,” she said. “That doesn’t mean you allow or look the other way on reckless behavior. But you don’t know for sure if it’s reckless unless you understand what is happening and what the risk-to-reward ratio looks like.”

At the end of the day, it’s important for organizations to understand that shadow IT isn’t just a problem unto itself: It’s symptomatic of a bigger problem–management’s inability or unwillingness to provide the right kinds and amounts of resources necessary to help business units drive forward in aggressively implementing the organization’s lofty goals for digital transformation. After all, as the saying goes, when you want to make omelets, you may have to break a few eggs.

Just make sure you’re not breaking the company’s back with risky cybersecurity practices simply because employees don’t understand the consequences of shadow IT.

Mike Perkowski, co-founder of New Reality Media, is an award-winning journalist who founded, led, or helped develop some of the most successful and influential high-tech media properties over the past several decades.