Rogue, stealth, shadow: The antiheroes of IT

Yash Pillay, Trend Micro.

In a dark, gloomy and quiet corner of the office, behind cupped hands, the hushed words are spoken for fear that anyone else should hear: "Shhh, don't say it out loud, but we've got a case of shadow IT."

The relentless drip of technology that's not been approved by IT seeping into the organisation is unlikely to slow down. It all started when Michael in accounting realised that he could do things a lot easier with a publicly available app he'd found in the Play Store, rather than using the cumbersome beast approved by IT. Now, from the high-level executive down to Susan in legal, everyone has a mobile device loaded with applications that make their lives easier. Unfortunately, many of these pose a significant security risk to the business.

It's not just limited to free apps either. Research by Gartner and Everest Group puts anywhere from 30% to 50% of enterprise spend down to shadow IT, and both suspect even that understates the real figure. The reality is that shadow tech is simple, accessible, cost-effective and quick. It doesn't labour under the complex security and red-tape restrictions that often hamper approved applications. And, let's face it, many of the apps and solutions provided by organisations are difficult to use, bloated and chosen by management, not by the users.

In addition to user preferences, shadow tech is increasingly pervasive thanks to the rise of the 'as-a-Service' phenomenon. The ability to simply tack a service onto the business using the corporate credit card makes it more a useful tool than an evil bringer of security doom.

In 2016, Gartner predicted that 2020 would be the year that would see one third of successful attacks come about as a result of shadow IT. In 2017, the research giant suggested that perhaps it was time to make friends with the shadow. By 2019, Gartner's song sings to the tune of chaos, advising organisations to find solutions that manage the shadow onslaught both practically and strategically. It's so pervasive and complex that there's a sense of resignation in the shadow conversation - you can't beat it, so it's time to adapt to it.

It's about finding and adopting strategies that understand why shadow IT is a worthy addition to the enterprise stable. It's about looking to methods that ignite transparency and user co-operation - the CIO and IT department must know how deeply entrenched shadow IT is, otherwise there's no way to manage it, prepare for the worst, or benefit from it. Shadow IT doesn't have the luxury of following the old adage of 'better to beg for forgiveness after than ask for permission before' because the results of a breach may very well be unforgivable.


What many people forget is exactly how serious security has to be, how vigilant, especially in the current climate. Organisations have had to shut their doors thanks to a loss of reputation and data, and Cambridge Analytica, Google+ and Bosasa are just some of the names now synonymous with security breaches and data leaks. In the US, a recent ruling has made this landscape even trickier to negotiate, as people can sue companies for damages even without proof of injury if their data has been improperly gathered. It's a trend gathering global momentum. Add this to the risk of data exposure through shadow IT, and the discovery that data may not have been applied or gathered in accordance with PoPI or GDPR, and suddenly the downward slide gathers a momentum that's hard to halt.

IT is sitting at the opposite end of a smoking, loaded gun, grimacing as people bypass security systems and regulation in search of a quick app fix and an easier way to do business. It has become absolutely essential that the organisation find a way to walk the shadow IT tightrope without compromising on security or efficiency. However, it's far easier said than done.

The ins and outs of shadow IT

Emerging from the shadows with intelligent insights.

Brainstorm: How can shadow IT ever emerge from the shadows and become a standard part of business operations?

Simeon Tassev, qualified security assessor and MD at Galix: "If shadow IT is implemented in collaboration with the IT department, then it can become a real asset. Users should be able to comfortably approach the business and identify or recommend applications or systems they feel would work better - this increases productivity and boosts innovation. IT should enable the business and constantly align with what the business needs. Controls need to be in place and users and the IT department have to start communicating and collaborating with one another in order to integrate the best possible technologies with the lowest possible risk."

Kieran Frost, research manager for software at IDC Sub-Saharan Africa: "It's important that shadow IT does emerge. It's the result of users either finding that their current tools don't meet their requirements or that an existing process is inefficient. This means that shadow IT's very existence is identifying issues in the organisation. By creating a culture and supporting processes for the conversion of shadow IT into mainstream IT, this potential issue becomes a source of opportunity. This can be accomplished by ensuring that IT remains responsive and agile to users' needs. Banning or locking down the network will only lead to more subversive and evasive user behaviour."

Brainstorm: Why aren't the factors driving the adoption of shadow IT driving IT investment?

Yash Pillay, senior sales engineer, Trend Micro: "IT departments struggle to stop shadow IT as people use technology to access open source software and cloud computing to solve business problems, whether IT approves or not. A better approach would be to welcome this way of thinking and provide the tools and training that help users make informed choices. There needs to be a healthier relationship between users and IT so that there's improved security and management of the technologies."

Graham Croock, director, BDO IT Advisory Services: "Employees feel like they need to work around their company's security policies just to get their job done. An employee could, for example, discover a better file-sharing application than the official one and then, when they start using it, share it with other members of their department. The rapid growth of consumer-based cloud applications has driven this as well. Formal IT, on the other hand, is costly, complicated to implement, and subject to rules and policies and processes so it's slower and more difficult to use."

Brainstorm: What's the biggest challenge of shadow IT and how can the enterprise overcome it?

Brendan McAravey, regional director, Sub-Saharan Africa at Citrix: "Shadow IT can allow ransomware and malware to invade an organisation's network, cause data leaks and even introduce compliance risks. The top risks we've identified are: stealing employee and customer identities, stealing company secrets, causing companies to fail compliance audits or laws. To resolve this, the company must understand the risks, boost its cyber security footprint, find replacements for shadow IT solutions, and embed a preventative strategy."

Henning Lange, CIO at Elingo: "The biggest concern is security. Without controls as to which services are used and who uses them, and what limits are placed on customer data, shadow IT can be a security disaster waiting to happen. The first step to manage anything is visibility. Get out the shovel and dig - identify what tools or mobile apps employees are using and educate them on the risks of using non-authorised apps and services. They need to understand the consequences of non-compliance and which services aren't authorised, and why."

Turning on the light

Mitigating the potentially negative impact of shadow IT requires that the business first pay attention.

Growthpoint Properties Limited is one of the largest property investment holding companies listed on the Johannesburg Stock Exchange. The company owns and manages a wide local and global footprint with a diverse portfolio of over 550 property assets. It also follows clearly defined corporate governance processes and procedures to ensure that it remains compliant and in control. Over the past few months, the company has turned its attention to shadow IT.

The revelation that exposed shadow IT's influence in the company took place in early January 2019 on the company's IT forum. These IT user forums allow for individuals across the company to engage with IT and decision-makers and share information, ideas and concerns; a chance question by a user shone a light on the murky application shadows...

"The IT user forums not only allow for people to present ideas, but they're also an opportunity for people to submit user requests," says Alec Davis, CIO of Growthpoint. "At one of these events, a user asked a question around how to solve a specific process problem and someone else popped up saying, 'Oh, we already have X solution - we downloaded it from the app store'. There's no thought to enterprise scalability or what happens to the information if someone leaves or to the security of the app at all. They just downloaded it and started using it."

Davis acknowledges the reasoning behind the influx of shadow IT - it isn't a threat in itself as users are trying to improve their own workflows and processes using what they perceive to be an easier way. Some users perceive IT as difficult to deal with and inflexible in managing their requests, so they go down the shadow IT route instead. However, the applications they download don't comply with governance standards and are used with little thought to the security issues they introduce.

"The shadow IT elements we've identified aren't detrimental as yet, but we have a very structured governance strategy that must be adhered to," he says. "People don't give a thought to what happens around these applications over the long and short term. What happens if someone leaves - how will employees get access to that information and data? What about the suitability of these apps in the enterprise context? Many of these tools are great for individuals, but not for the business."

The revelation that shadow IT had gained a foothold in the business happened in early January and by the end of the month, the company was already moving forward with ideas to combat it. Growthpoint's IT team has kicked off a shadow IT game plan that's starting with using Microsoft Cloud App Security, a Cloud Access Security Broker (CASB) solution that provides visibility into cloud apps and services. The technology is designed to discover and manage shadow IT in the organisation while simultaneously protecting sensitive information and detecting threats.
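The visibility a CASB's cloud discovery provides comes down to correlating outbound traffic against a catalogue of known cloud apps and a list of what IT has sanctioned. The following is an added example of that logic (not Growthpoint's or Microsoft's code); the proxy log format, the app catalogue and the sanctioned list are all constructed assumptions.

```python
# Added example: shadow-IT discovery over web-proxy logs, the kind of
# "cloud discovery" a CASB performs. Not Growthpoint's or Microsoft's code;
# the log format, app catalogue and sanctioned list are all constructed.
from collections import defaultdict
from urllib.parse import urlsplit
# Constructed catalogue: hostname -> cloud app (a real CASB ships thousands).
APP_CATALOGUE = {
    "sharepoint.example.com": "Approved File Share",
    "quickshare.example.net": "QuickShare (consumer file sharing)",
    "notes.example.org": "CloudNotes (personal note app)",
}
SANCTIONED = {"Approved File Share"}  # assumed: the apps IT has approved

# Constructed proxy log, one request per line: "<epoch> <user> <url> <bytes_sent>"
SAMPLE_LOG = """\
1548000001 michael.accounting https://quickshare.example.net/upload 524288
1548000002 susan.legal https://quickshare.example.net/upload 1048576
1548000003 susan.legal https://sharepoint.example.com/sites/legal 4096
1548000004 alec.it https://notes.example.org/sync 2048
1548000005 michael.accounting https://quickshare.example.net/share/abc 8192
1548000006 michael.accounting https://unknown-cdn.example/asset.js 1024
"""

def app_for_host(host):
    """Match a hostname (or any subdomain of it) to a catalogue entry."""
    for suffix, app in APP_CATALOGUE.items():
        if host == suffix or host.endswith("." + suffix):
            return app
    return None  # not a known cloud app; a CASB would report it as uncategorised

def discover(log_text):
    """Aggregate distinct users and bytes uploaded per cloud app seen in the log."""
    apps = defaultdict(lambda: {"users": set(), "bytes_sent": 0})
    for line in log_text.splitlines():
        _ts, user, url, sent = line.split()
        app = app_for_host(urlsplit(url).hostname or "")
        if app is not None:
            apps[app]["users"].add(user)
            apps[app]["bytes_sent"] += int(sent)
    return apps

def shadow_it_report(log_text):
    """Unsanctioned apps as (app, user_count, bytes_sent), widest adoption first."""
    shadow = [(name, len(d["users"]), d["bytes_sent"])
              for name, d in discover(log_text).items() if name not in SANCTIONED]
    return sorted(shadow, key=lambda row: (-row[1], -row[2]))

if __name__ == "__main__":
    for name, users, sent in shadow_it_report(SAMPLE_LOG):
        print(f"{name}: {users} user(s), {sent} bytes uploaded")
```

Ranking by distinct users first surfaces the apps that have spread across a department (the file-sharing case Croock describes) ahead of one person's personal note app, which is where an IT team would start its conversation with users.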

"We saw the solution in action at the recent Microsoft Ignite event and realised that it had the potential to support us in addressing our shadow IT concerns," says Davis. "We contacted Microsoft to get further information into the solution and discovered that we already have the tool through another Microsoft licence. Now we just need to adapt the functionality and configuration of the existing licence to ensure effective rollout and we're working with Microsoft to do so effectively."

Davis envisions that the CASB tool will be rolled out across the company by the end of the third quarter, allowing for the department to gain significant insight into the apps used in the workplace and the extent of shadow IT.

"We don't believe that the problem is extensive and we've used our governance forums to share the messaging that shadow IT needs to be addressed and stopped. Representatives from across lines of business attend the governance forums and they will report back to their divisions from there.

"We're structured to address issues swiftly and are already well into our plans to assess and amend any shadow IT challenges that lie ahead."
