Naked Security

How much of the IT your workers use is hiding in the shadows?

Is your IT infrastructure so restrictive it's forcing your staff to use unauthorised 'shadow' infrastructure? If so, it's time to have another look at your policies

Organisations can have all the security they want in place – but employees have a knack of circumventing it, sometimes without knowing they’re doing anything wrong. It’s a process called “shadow IT”, in which someone uses their own preferred technology rather than the technology chosen and sanctioned by the IT department.

This is the result of a number of things. The current generation of workers has unprecedented knowledge and resources when it comes to technology, so if your file transfer system feels slow then “I’ll just DropBox this to you when I get home” or “let’s share this through Google Drive” is easy to do.

Nobody is saying there is anything wrong with either of the services named above. The issue is that if your corporate governance says you use your preferred, tested technologies and your colleagues instead do something else entirely, you’re losing control and you can’t be sure they’re not using something insecure.

The issue is explored in a recent blog post by IT Security Guru. It warns of security breaches, unauthorised access and organisations whose employees do what they feel like with technology. It advocates informing employees of their employer’s policies and the consequences of flouting them. Our contacts, however, offered a more nuanced picture of what’s going on.

In the US, Seth Robinson, senior director, technology analysis, CompTIA, says that most businesses are shifting to operational models that at least keep the IT team in the loop, and adds that there can often be autonomy within different parts of the business.

There is certainly a greater degree of independence to be found among business units. In our study, 37% of companies with increased tech budget for business units said that the funds are used to procure technology directly, and 9% said that the funds are used to contract with a third party.

However, these are not the primary activities. Fifty-four percent of such companies say that the budget is used to initiate projects with internal IT. Shifting funds to the lines of business makes them more aware of technology tradeoffs rather than simply handing off requirements.

Meanwhile in the UK, Frank Stajano of the Cambridge Academic Centre of Excellence in Cyber Security Research suggests there is a managerial issue.

Shadow IT can be a significant problem, insofar as it may cause inefficiencies, inconsistency and non-compliance for the parent organisation, but to me it is a symptom of a more serious problem, namely that the parent organisation’s IT department is imposing top-down policies and infrastructure that get in the way and are not adequately serving the needs of the staff.

My research focuses on making security usable: I have repeatedly witnessed situations where staff undermine the security of the organisation (for example with unencrypted USB sticks, shared passwords or document sharing via gmail or DropBox) because the solutions imposed by the IT department are too cumbersome.

Security measures that are not usable don’t get used: employees will use all their ingenuity to bypass them in order to get their job done. I must admit that, while I do not advocate the practice, I feel some sympathy for them. The poor usability of the officially provided systems is often the actual root of the problem. It would be fruitless to attempt to ban shadow IT without addressing this underlying cause.

This chimes with a report from the Economist a few years ago, which referred not to “shadow IT” but to technological “autonomy”. This sounds positive rather than damaging. Robinson adds that a lot of companies Stateside are acknowledging this and are in effect bringing the shadowy stuff in-house and authorising it.

Rarely is the IT team left in the dark [about what the staff are using]. As with the decision process, these activities often involve the IT team. In 60% of cases, the IT team gives approval; in 24% of cases, the IT team is consulted, and in 10%, they are at least informed of the decision.

Robinson concludes that “shadow IT has matured into a more systematic framework that lets the business self-service technology needs in a safe sandbox”. Which is certainly an improvement on unregulated “shadow IT”.


5 Comments

Hmm, I think some of the point has been missed. IT may be imposing practices and tools which are not as smooth as the user’s personal preference of tool but which are legally compliant for the business. At home you are free to put your data anywhere you like because you can consent to that. At work you very much cannot choose to put other people’s data where you like; that is not your choice to make and not your permission to give. Businesses who are allowing a certain free-for-all to keep ‘tech savvy’ workers happy and efficient will need to take a long hard look at those practices for when GDPR comes into force or they will have a very hard time indeed bringing back in the good old top down approach.

I would put use of spreadsheets right at the top of the shadow IT issue. Before I retired I used to work in a subsidiary of a major UK bank. Inland Revenue, as it then was, highlighted an issue with tax spreadsheets, with a survey showing that over half had significant errors. We then instituted our own survey, which noted that we had a huge number of business significant spreadsheets that management, and IT, was unaware of. Mostly these had built up over many years, with no one being in charge of the design and testing, and many were never changed because nobody knew how they worked. Very few had been rigorously tested, and a significant minority were giving wrong answers.

It seems rather bizarre that IT can spend a large amount of money designing, building and testing (testing should be a large part of the expenditure) a business system. Then when it goes live a user takes the authenticated output, bungs it into a spreadsheet someone has knocked up in their spare time, and bases the future of the company on the output of an undocumented, untested, user created spreadsheet…

…disaster beckons

Not a bad point by itself, but I think that is not an example of shadow IT. More like information handling. One is about bypassing established infrastructure and data controls (such as file sharing outside the company), the other about how users do their calculations or share their data internally.
IT does not dictate spreadsheet sanity to the business units anywhere I have ever been (in 20+ years).

One factor not addressed is the issue of Bring Your Own Device/Computer/PC. This trend, even among large corporations, empowers the employee/contractor to provide his own computer, hence picking his own anti-virus, firewall (if any), software, cloud storage, backup strategy, and more. I expect a number of large companies have not considered the security ramifications of this strategy.

First thing that comes to my mind is Access Databases. This program should have been blacklisted from existence years ago.
15 years ago we caught on to people using a hotkey program that was never reviewed by IT (also didn’t “install” just put on your desktop.) Department managers insisted on keeping it, so we made the depts. pay for it – oops they pirated it. – they had to pay back fees to avoid getting sued when purchasing. Then we replaced the program they used the hot keys for the next year. lol
