Shadow IT – what are the risks?

A shadow organisation is increasingly building up inside organisations and threatens their overall security. This is not the mafia or a criminal subculture, but an alternative to the organisation’s IT department.

Citizen programmers + rogue devices + BYOD + tech-savvy employees = shadow IT

The workforce is becoming more tech-savvy as the millennial generation becomes a major part of it. Each department has its own group of geeks that the rest of the department turns to as a first line of support. I have seen this everywhere I have worked; people like me are asked questions or asked to fix things because we’re immediately available. We often understand IT and the business function; we give advice quicker, and we’re trusted more than IT support, who can live up to the stereotype of the IT Crowd and the stock phrase, “Turn it off and turn it on again”.

In the 21st century, employees are becoming “citizen programmers”, developing their own apps with macro programming languages to manipulate raw data and derive useful information and reports. These apps are outside the IT department’s control and are usually unknown to those responsible for business continuity and disaster recovery. Citizen programmers can produce valuable applications that become mission-critical without ever being documented.

These tech-savvy employees, and even those with less technical awareness, are bringing consumer technology into the office, either as part of BYOD or as rogue devices that IT and the organisation know nothing about. These devices can introduce a range of attack vectors that the organisation may not be aware of and therefore cannot apply appropriate controls to. I’ve seen employees set up Google’s Chrome Remote Desktop to allow remote access to their workstation so they can be more productive out of the office, and all the while IT has not been aware of this remote access channel.

So, what are the risks of this shadow IT within your organisation?

  • No governance of the activities.
  • Lack of security awareness and alignment with business mission.
  • Increased risk of data leakage.
  • Increased attack surface area.
  • Dependence on unknown and uncontrolled applications.

What can be done? IT, like cyber security, needs to be aligned with the needs of the business. This requires better integration with end users to ensure they can do their jobs securely without losing productivity; it needs to allow initiative and innovation, but without impacting security.