Shadow IT

Rie Vainstein • July 22, 2024

Shadow IT

The term “Shadow IT” evokes a sense of suspicion and the imagery of people lurking in dark corners. In reality, it is far more common than most people realize.



What is Shadow IT?


According to IBM “Shadow IT is any software, hardware or information technology (IT) resource used on an enterprise network without the IT department’s approval, knowledge or oversight.” So, in short, Shadow IT is simply the term used for non-IT-department-sanctioned hardware, software, and cloud-based applications.


Depending on your employer’s policies, if you don’t get specific permission from your IT department to purchase, download, and/or run hardware or software it will, likely, be termed “Shadow IT”.


Imagine a searchlight being shone across the network environment, looking for malicious activity. As its name implies, Shadow IT hides in the proverbial shadows and evades inspection and is concealed beyond the oversight of the IT team.


In this blog, we will focus on the software aspect of Shadow IT.


Why is Shadow IT a Risk?


In some circumstances Shadow IT can help you become more efficient in your job, by providing an efficient way to communicate, collaborate on projects and files, move data around, etc. However, by virtue of the fact that the IT team has not given approval for its use (and may not even know about it), it can create an additional attack surface, thus weakening the IT security team’s protection of your enterprise network environment. Additionally, under certain circumstances, it can even create legal compliance issues.


Sometimes employees, acting with complete innocence, download and run these additional (non-sanctioned) applications. They may view their actions as entirely harmless. They are blissfully unaware that what they are doing could jeopardize the security of the entire network environment.


Other times, employees may deliberately try to circumvent the restrictions or limitations imposed by the IT security department. From its survey, NextPlane indicated that, “The vast majority of IT professionals said they have experienced pushback from end users or teams when the company tried to dictate which collaboration tools should be used.” Circumventing the IT security team’s mandates on allowed technology is a very unwise approach to take and risks not only their own device’s security, but that of their colleagues and employer.


A shadowy figure representing the threat of shadow IT.

What Kinds of Technologies Constitute Shadow IT?


You might be surprised at the answer to this question. Not that there may be anything intrinsically wrong with certain applications, but the security team must be permitted to take into account the following:

[1] how these applications interact with other applications that are running on the corporate environment,

[2] the subtleties that may be present in the application’s coding (which could permit an incursion into the environment in which they are run), and

[3] how they interrelate with any compliance requirements that must be met by the company.


Prepare to be surprised... according to Code42, some well-known examples of applications that can be deemed “Shadow IT” are as follows:

-             Slack

-             gMail

-             Google Drive

-             Dropbox

-             Box

-             WhatsApp, and

-             generative AI tools.

Wow! Who would have thought it?


How Does Shadow IT Affect the Company Network?


Cisco provides some clarity on the matter. “An astonishing 98% of cloud services are adopted without any IT oversight. And when your employees act as their own tech professionals to use their favorite chat, cloud storage, and other insecure apps, that’s more than just conducting shadow IT, it’s directly putting your network at risk.”


The problem starts when the IT team doesn’t know what applications are being run on the system. How can the IT security team be expected to monitor these applications and protect the network against any threats they may invite, if the security team doesn’t even know the applications are being used?


Examples of just a few of the risks associated with Shadow IT are:

-             Unauthorized access to data

-             Introduction of malicious code

-             Unapproved changes to data

-             Breach of compliance regulations


Any of these, alone, have the potential to cause devastating fallout to the financial side of a business, not to mention the reputational implications you could face, should such incidents be publicly disclosed.


How Can We Protect Against Shadow IT Usage?


First things first: create an allowed technology list or a banned technology list, then develop the lists further, to establish company policies and protocols. You could set up a program of network sniffing, to detect any unsanctioned traffic. You could update your intrusion detection and prevention system rules to recognize disallowed technology. You can set up Shadow IT detection tools. You could mandate that your partners interact with you only using specific technologies. The list of steps you could take goes on and on.


One of the most important things you can actively do is to educate your employees. Once they understand what Shadow IT is and why it has the potential to be dangerous, you will have a whole group of advocates who can help you in your endeavor to keep your enterprise environment safe.


===

How We Can Help

To begin the process of training your employees in cybersecurity procedures and increase their awareness, as efficiently and cost-effectively as possible, NC-Expert provides you with a 1-day starter training session: CyberSAFE. ( https://www.nc-expert.com/class/certnexus-cybersafe )


In this training, your team will be taught the basics of cyber security, and will be made aware of the fundamental traps into which many employees fall, inadvertently allowing attackers access into your system.


Once this training has been completed, we can provide further trainings, which increase in complexity as your employees progress up the access permissions chain.


We can provide standard training classes or can customize a program to suit your specific needs and budget. Our trainings are delivered by expert instructors, for individual employees (in our public classes) or for private groups, virtually/online (in real time) or at your site. Contact us for details.


You are welcome to visit our website homepage: https://www.nc-expert.com/


Or, if your team needs more advanced instruction, you can view our Security training portfolio here: https://www.nc-expert.com/training-classes-by-track#NetworkSecurity

...


About NC-Expert

 

NC-Expert is a privately-held California corporation and is well established within the Wireless and Cyber Security industry certification training, courseware development, and consulting markets. 

NC-Expert has won numerous private contracts with Fortune level companies around the world.  These customers depend on NC-Expert to train, advise, and mentor their staff. 

If you are looking for the best in IT industry training then call us at (855) 941-2121 or contact us by email today.

This post appeared first on NC Expert .

NC-Expert Blog

Troubleshooting Wireless Networks with Ekahau

By Phil Morgan March 13, 2025
Troubleshooting Wireless Networks with Ekahau: A Professional Engineer’s Guide Wireless networks have become the backbone of modern business infrastructure. From office environments to large-scale enterprises, ensuring a seamless wireless experience is essential for productivity. However, despite advancements in Wi-Fi technology, network performance issues often arise, ranging from signal interference and dead zones to capacity overloads and channel mismanagement. To tackle these issues efficiently, professional engineers rely on powerful tools. One such tool, Ekahau AI Pro, has become a gold standard in the wireless industry for troubleshooting and optimizing Wi-Fi networks. This blog delves into troubleshooting wireless networks using Ekahau tools, providing practical examples and technical insights to guide professional engineers in improving network performance.

Post-Quantum Cryptography: The Future of Digital Security?

By Rie Vainstein March 3, 2025
Futureproofing Our Security In our increasingly connected world, the security of digital information has never been more critical. From banking transactions to private communications, our data is constantly transmitted and stored across the internet. The current systems that protect this data rely on cryptography, a branch of mathematics that helps keep information secure by encoding it in ways that are difficult to decode without the proper key. However, with the rise of quantum computers, traditional cryptography is facing new and significant threats. This is where Post-Quantum Cryptography comes into play. What is Post-Quantum Cryptography? Post-Quantum Cryptography (PQC) [1] refers to cryptographic algorithms that are specifically designed to be secure against the power of quantum computers. Quantum computers, once they become practical, will be capable of solving complex mathematical problems much faster than classical computers. This will render many of the encryption methods we rely on today [such as RSA (Rivest, Shamir, and Adleman – initials of the inventors) and ECC (Elliptic Curve Cryptography)] vulnerable to attack. Quantum computers operate on quantum bits, or “qubits”, which can exist in multiple states simultaneously, unlike classical bits that are either a zer (0) or one (1). This allows quantum computers to perform certain calculations exponentially faster than classical computers. For example, in a matter of seconds, a quantum computer could potentially break an RSA key, which is considered secure by today’s standards. As quantum computing technology advances, the need for PQC becomes even more urgent.

Designing a Wi-Fi Network

By Phil Morgan February 27, 2025
Designing a Wi-Fi Network This is the first in a series of blogs on Wi-Fi operation, design, and troubleshooting. Designing a Wi-Fi network is much easier if you have the right procedures and tools in place. First you must collect data about the network: What are the requirements of the network? What is the goal of the new network? What is it meant to achieve? Are there any constraints you have to overcome? Next you have to decide what wireless vendor is being used? One of the most important things to get is an accurate map (or plan) of the site and the various floors.
Share by: