Those who run IT departments have what I like to call ‘the burden of knowledge’. They know what can go wrong and how wrong it can go, so they also know how important it is to put the right safeguards in place to prevent that from happening.
Other departments don’t have this experience and when it comes to implementing IT, they only think about the front-end. Enter Shadow IT.
It’s a well-established issue now and one brought on by the advent of the cloud and the software-as-a-service (SaaS) applications that came with it. Other factors include the growth of BYOD culture within organisations and the wider consumerisation of IT.
Gartner predicts that by 2020, one in three cyberattacks will be made via shadow IT resources within the business. Agents of cybercrime know it’s a weak point and they’re willing to exploit it.
The big offenders
While no specific department is exempt from blame, our experience with customers suggests marketing departments are one of the biggest perpetrators of this practice, followed closely by HR and finance.
It comes as no surprise – some of the biggest drivers of shadow IT are business productivity apps such as Microsoft Office or Google Docs; file-sharing, storage and back-up apps like Dropbox; and social media platforms – many of which are viewed as part-and-parcel of daily work in these departments.
The problem is that without the approval and input of IT, using these apps can pose a threat to the business. Other departments tend to think more about the front-end, meaning what the app can do, than about the security, infrastructure and back-up needed to prevent issues or outages.
IT knows this side all too well – an experienced systems developer or integrator may have faced that march to the CEO’s office to explain what went wrong after an outage that has had a negative impact on the business.
Outages are just the beginning too. Shadow IT can lead to data loss, issues with compliance and data sovereignty, privacy breaches, and conflict with the company’s wider IT strategy.
Don’t forget about IT
Jump back 15 years – ERP was probably the most complicated application the IT department had to manage outside the main responsibility of looking after the data centre itself.
As technology has advanced, so has the number and complexity of the types of applications the IT department manages. If everything under the Shadow IT umbrella is included in that, you might be talking hundreds or even thousands more. Research from Cisco estimates that enterprise customers are using more than 1,200 cloud services and that this is growing at a rate of 112 per cent per year.
This is too much for any IT department to logically manage. What’s needed is communication and cooperation between IT and other departments to make sure the right applications are being implemented securely, supporting both the different departments’ needs and the organisation’s wider IT strategy.
Ironically, the public cloud – as well as the likes of converged infrastructure – has also simplified the back-end, meaning IT departments that are using these platforms should have more time to spend on working with other departments and, in some cases, creating bespoke applications that might stop those departments resorting to an unknown app to do the job.
IT’s input should mean not only that the right security and backup requirements are catered to, but also that the right critical infrastructure is in place to keep the organisation protected.
Moreover, it’s important that IT owns the overall IT infrastructure vision and hence acts as the IT integrator within the business. This optimises resources in terms of time, effort and money, and it is hampered when other departments go rogue. Centralising IT needs through IT can even help save on CAPEX and OPEX, remove redundant IT services and maximise existing resources.
Looking to IoT
We’re not quite there yet with the Internet of Things, but it’s coming. A study from Aruba Networks highlights that more than three quarters of Australian businesses are planning to adopt an IoT strategy by 2019, which is positive. However, the survey also revealed a huge disparity in what businesses think constitutes IoT.
It’s still unclear what forms the phenomenon will take and its exact impact on business, but one thing that’s clear is that it will add to the already growing data deluge businesses face and put more pressure on the edge of the network, which has to manage these devices and the data going through them.
The wave of IoT will add more devices, more applications and more potential shadow IT problems into organisations. With that will come further vulnerabilities. This means it’s more important than ever that IT and other departments find some common ground to make sure new apps are sanctioned and fit with the overall strategy.