Shadow IT

Rie Vainstein • July 22, 2024

Shadow IT

The term “Shadow IT” evokes a sense of suspicion and the imagery of people lurking in dark corners. In reality, it is far more common than most people realize.



What is Shadow IT?


According to IBM “Shadow IT is any software, hardware or information technology (IT) resource used on an enterprise network without the IT department’s approval, knowledge or oversight.” So, in short, Shadow IT is simply the term used for non-IT-department-sanctioned hardware, software, and cloud-based applications.


Depending on your employer’s policies, if you don’t get specific permission from your IT department to purchase, download, and/or run hardware or software it will, likely, be termed “Shadow IT”.


Imagine a searchlight being shone across the network environment, looking for malicious activity. As its name implies, Shadow IT hides in the proverbial shadows and evades inspection and is concealed beyond the oversight of the IT team.


In this blog, we will focus on the software aspect of Shadow IT.


Why is Shadow IT a Risk?


In some circumstances Shadow IT can help you become more efficient in your job, by providing an efficient way to communicate, collaborate on projects and files, move data around, etc. However, by virtue of the fact that the IT team has not given approval for its use (and may not even know about it), it can create an additional attack surface, thus weakening the IT security team’s protection of your enterprise network environment. Additionally, under certain circumstances, it can even create legal compliance issues.


Sometimes employees, acting with complete innocence, download and run these additional (non-sanctioned) applications. They may view their actions as entirely harmless. They are blissfully unaware that what they are doing could jeopardize the security of the entire network environment.


Other times, employees may deliberately try to circumvent the restrictions or limitations imposed by the IT security department. From its survey, NextPlane indicated that, “The vast majority of IT professionals said they have experienced pushback from end users or teams when the company tried to dictate which collaboration tools should be used.” Circumventing the IT security team’s mandates on allowed technology is a very unwise approach to take and risks not only their own device’s security, but that of their colleagues and employer.


A shadowy figure representing the threat of shadow IT.

What Kinds of Technologies Constitute Shadow IT?


You might be surprised at the answer to this question. Not that there may be anything intrinsically wrong with certain applications, but the security team must be permitted to take into account the following:

[1] how these applications interact with other applications that are running on the corporate environment,

[2] the subtleties that may be present in the application’s coding (which could permit an incursion into the environment in which they are run), and

[3] how they interrelate with any compliance requirements that must be met by the company.


Prepare to be surprised... according to Code42, some well-known examples of applications that can be deemed “Shadow IT” are as follows:

-             Slack

-             gMail

-             Google Drive

-             Dropbox

-             Box

-             WhatsApp, and

-             generative AI tools.

Wow! Who would have thought it?


How Does Shadow IT Affect the Company Network?


Cisco provides some clarity on the matter. “An astonishing 98% of cloud services are adopted without any IT oversight. And when your employees act as their own tech professionals to use their favorite chat, cloud storage, and other insecure apps, that’s more than just conducting shadow IT, it’s directly putting your network at risk.”


The problem starts when the IT team doesn’t know what applications are being run on the system. How can the IT security team be expected to monitor these applications and protect the network against any threats they may invite, if the security team doesn’t even know the applications are being used?


Examples of just a few of the risks associated with Shadow IT are:

-             Unauthorized access to data

-             Introduction of malicious code

-             Unapproved changes to data

-             Breach of compliance regulations


Any of these, alone, have the potential to cause devastating fallout to the financial side of a business, not to mention the reputational implications you could face, should such incidents be publicly disclosed.


How Can We Protect Against Shadow IT Usage?


First things first: create an allowed technology list or a banned technology list, then develop the lists further, to establish company policies and protocols. You could set up a program of network sniffing, to detect any unsanctioned traffic. You could update your intrusion detection and prevention system rules to recognize disallowed technology. You can set up Shadow IT detection tools. You could mandate that your partners interact with you only using specific technologies. The list of steps you could take goes on and on.


One of the most important things you can actively do is to educate your employees. Once they understand what Shadow IT is and why it has the potential to be dangerous, you will have a whole group of advocates who can help you in your endeavor to keep your enterprise environment safe.


===

How We Can Help

To begin the process of training your employees in cybersecurity procedures and increase their awareness, as efficiently and cost-effectively as possible, NC-Expert provides you with a 1-day starter training session: CyberSAFE. ( https://www.nc-expert.com/class/certnexus-cybersafe )


In this training, your team will be taught the basics of cyber security, and will be made aware of the fundamental traps into which many employees fall, inadvertently allowing attackers access into your system.


Once this training has been completed, we can provide further trainings, which increase in complexity as your employees progress up the access permissions chain.


We can provide standard training classes or can customize a program to suit your specific needs and budget. Our trainings are delivered by expert instructors, for individual employees (in our public classes) or for private groups, virtually/online (in real time) or at your site. Contact us for details.


You are welcome to visit our website homepage: https://www.nc-expert.com/


Or, if your team needs more advanced instruction, you can view our Security training portfolio here: https://www.nc-expert.com/training-classes-by-track#NetworkSecurity

...


About NC-Expert

 

NC-Expert is a privately-held California corporation and is well established within the Wireless and Cyber Security industry certification training, courseware development, and consulting markets. 

NC-Expert has won numerous private contracts with Fortune level companies around the world.  These customers depend on NC-Expert to train, advise, and mentor their staff. 

If you are looking for the best in IT industry training then call us at (855) 941-2121 or contact us by email today.

This post appeared first on NC Expert .

NC-Expert Blog

The Realities of Transition Mode

By Phil Morgan February 11, 2025
The Grim Realities of Transition Mode Summary of a recent experience relating to Transition Mode. I have been quite vocal of my hatred of Transition Mode (for WPA3). We have a solution for this - dual SSIDs: https://wifisecuritywizard.com/general/problems-with-wpa3/ IMHO - Transition Mode is dumb! Turn on WPA3, and for everything that doesn’t support it, create a second SSID for now... while you upgrade everything! I have actually said “it’s 2025 for goodness sake, how many devices do you have that don’t do WPA3?!” Well, the other day, the universe decided to mess with me... Scenario: in one of our smaller offices, we are upgrading to Ubiquiti. I arrive on site, I upgrade the system, 5GHz only WPA3, everything is working great! I do one last check, and one of the users mentions, “Oh, the Brother color laser printer isn’t working.” (It’s a nice little device. Prints really well. Cheap to run.)

Frame Size and Wireshark

By Phil Morgan January 24, 2025
This blog is a write up of what was discussed at our AMA webinar session. (Link provided inline.)

The Importance of Training for IT Industry Certifications

By Rie Vainstein January 18, 2025
An Important Task The IT industry is one of the most competitive and dynamic sectors in today’s swiftly evolving technology landscape. Whether you are a seasoned professional seeking to advance your career, or a newcomer seeking to enter into the field, obtaining IT certifications can have a substantial impact on your trajectory. However, earning certifications is not just about passing exams, an important factor is the study and practice that goes into getting ready to sit the exam. Training for IT industry certifications is a critical investment, offering both technical and professional benefits that can pay dividends throughout your career. Enhancing Technical Expertise At its core, IT certification training is designed to deepen your understanding of critical technologies and concepts. Whether it's network administration, design, cybersecurity, or analysis and optimization, each certification offers an opportunity to master a specialized area within the IT environment. By engaging in structured training programs, you not only learn the theoretical aspects of a technology but also gain hands-on experience in applying it to real-world scenarios. For example, pursuing certifications like CWNP’s Certified Wireless Network Administrator (CWNA), CompTIA’s Network+, or Cisco’s Certified Network Associate (CCNA) requires you to develop a solid foundation in network management, administration, and troubleshooting. This level of expertise is often beyond what you would learn on the job without formal training, giving you the ability to perform tasks more efficiently and with greater confidence.
Share by: