
Lighting up the shadows

By Tamsin Oxford
Johannesburg, 26 Oct 2018
Brian Timperley, Turrito Networks and Dial a Nerd.

Shadow IT. It has long been the dark and threatening risk to organisational security, lurking on unknown mobile devices and infiltrating unknown parts of the network. For IT, the lack of visibility into what the technology is and the security risks it introduces is the cause of cold sweats and late nights. For the employee, it is a way of bypassing the lumbering complexities of IT processes to get things done when they need, how they need and in a way that matches their new mobile working lifestyle.

For many years, CIOs and IT managers have used every policy and process they could find to ferret out shadow technology. It was an open back door to hacks, ransomware, malware and more. Today, however, the perceptions of shadow IT are slowly changing as CIOs are realising that the technology snuck in by the employee can potentially hold the key to internal agility, new ideas and innovative thought processes.

It seems perhaps that reluctantly embracing shadow IT is the way forward. Like the garlic-enshrouded uncle at parties, it keeps cropping up in the enterprise, regardless of the stringent controls many have in place. The challenge lies in pulling it from the shadows and into IT visibility to ensure it meets the required protocols for security and compliance. Gartner found that 30% to 40% of IT spending has gone to shadow IT. The Everest Group's research echoes this; its report put the figure closer to 50%. The evolution of cloud-based services, easy-access applications and servers that spin up on a credit card has made this landscape even more complex.

While there may be benefits to the solutions introduced by shadow IT, the problem is genuinely in its vulnerability. Gartner has also predicted that by 2020, almost one third of successful attacks will be made through shadow IT. The issue is that these tools aren't tested for the enterprise environment. They aren't put through the stringent controls that are required to ensure they meet compliance standards. Yes, the same controls that led frustrated employees to just go and do it themselves. This is as much driven by the need to bypass the rules as it is by the changing needs of a mobile workforce.

Today, employees are empowered to work from anywhere and many of the solutions developed to further this ethos are not on the IT-approved agenda. In fact, with the money and talent poured into the UX of the average app, the reality is that many are far better suited to the needs of the employee than those provided in the office.

Shadow IT is driven by need. It has the ability to support internal innovation and agility, but it equally leaves the doors open for shadowy forces that can cost the business its reputation and, with regulation like GDPR and POPIA, its future. What comes next is finding a way of harnessing the shadow of the workforce to the benefit of the business without compromising on the integrity of the organisation. The real question is...how?

The ins and outs of shadow IT

Brainstorm: What ignites, introduces and spurs the growth of shadow IT?

Brian Timperley, joint MD of Turrito Networks and Dial a Nerd: "People become comfortable with applications, hardware and support that they use regularly, such as WhatsApp, external hard-drives and family members who fix their IT issues. Moreover, accessibility is something that spurs shadow IT because free, easy-to-use apps are more accessible, especially when your peers use them."

Simeon Tassev, MD, and qualified security assessor at Galix: "Shadow IT typically arises when users discover simpler or more efficient applications to help them do their work, often when they've not been properly trained in using the IT applications and systems provided. Poor IT controls engender an environment where users are able to use their own applications and programs."

Marius van Niekerk, IS manager for Itec South Africa: "For most businesses, large or small, IT forms part of the foundation on which they build. It touches most, if not all, of the parts of the business and is central to communication, information management and financial control. It is this dependence on technology that creates the risk inherent in IT. Complete loss of the IT services used by a business and/or the data owned by the business will likely mean the closure of the business. Ironically, the biggest risk to IT is IT."

Dragan Petkovic, security product leader, ECEMEA at Oracle: "The growth of shadow IT can be attributed to end-user dissatisfaction with the level of service received by the corporate IT department and is primarily a socio-economic phenomenon."

Brainstorm: Why should the business embrace shadow IT?

Brian Timperley, joint MD of Turrito Networks and Dial a Nerd: "Any organisation that tries to entirely remove shadow IT from its business is ignorant. If your business thinks that every system and application it has implemented is the best, that is definitely not the case. If you don't give people the freedom to explore, you are reducing innovation."

Simeon Tassev, MD and qualified security assessor at Galix: "Businesses that are against shadow IT need to have a wholly contained and controlled IT environment. It makes sense for the organisation to embrace the idea of shadow IT as it can benefit the business. Users are often in the best position to identify systems that can empower them to do their jobs better, faster or at a lower cost."

Dragan Petkovic, security product leader, ECEMEA at Oracle: "What is needed is a more secure, controlled way of managing shadow IT that gives end-users the experience and innovation they want. It's bring-your-own-initiatives instead of shadow IT. This, if done properly, can be more agile and make end-users more productive."

Matthew Kibby, vice president, Sage Enterprise Africa & Middle East: "The answer to whether to embrace or extinguish shadow IT will vary according to the company's industry, culture, size, and legacy infrastructure, among other factors. However, the very existence of shadow IT highlights how important it is for IT departments today to respond nimbly to the demands of end-users."

Brainstorm: What are the reasons why the business should be more careful with shadow IT?

Simeon Tassev, MD and qualified security assessor at Galix: "It becomes a problem as it introduces risks outside of IT's management and control. When IT is unaware of applications being used for business purposes, it cannot secure, manage or integrate them with current business systems. Beyond threats, IT is also unable to support any application or program that it does not have access to."

Marius van Niekerk, IS manager for Itec South Africa: "To simply state that a business is either for or against shadow IT is an oversimplification of what is a complex problem. It does not allow for the evaluation of each scenario to identify a possible opportunity, but tries to throw a blanket over the concept by classifying it as either bad or good. A more considered approach is required."

Tallen Harmsen, head of cyber security at IndigoCube: "Visibility into shadow IT is the biggest challenge that organisations face. Without visibility, businesses cannot perform the delicate balancing act required to provide good IT solutions. Good IT solutions are based on security, availability, and usability. The biggest challenge to achieving that and maintaining clear visibility is bureaucracy or red tape so common to legacy IT environments."

David Emm, principal security researcher at Kaspersky Lab: "We no longer defend our businesses behind castle walls and we empower staff to work wherever they are with any device. This means we have to be very aware of the technology we use and how we use it. Compliance with regulations like GDPR and HIPAA is essential and we need to ensure that the devices are secure, under the control of IT and not introducing vulnerabilities into the network."

This article was first published in the October 2018 edition of ITWeb Brainstorm magazine. To read more, go to the Brainstorm website.
