“Shadow IT” is a real threat for IT services. But where does it come from? What risks does it pose for businesses? What can be done about it? We asked five experts to discuss this important challenge, at a time when the cloud promises to revolutionise business practices.
In business, IT departments are usually the first to measure the impact of these changes on employee practices. However, recent years have seen the emergence of new unsafe practices. One of these is “Shadow IT”: the use of applications and services, often cloud-based, in parallel with the “official” SaaS offered by the IT department. This practice is increasing in step with the exponential growth of cloud services and connected objects. In a recent report, another cybersecurity player estimates that businesses currently use, on average, 1,935 cloud services, a figure that climbs by 15% year on year. As for “Shadow IT”, the threat is difficult to quantify because of its diffuse and temporary nature. Nonetheless, a 2015 PwC survey indicated that 15 to 30% of IT expenses were incurred outside of the official budget. And there is little doubt that this tendency has continued to grow in the meantime.
New practices, new risks
“Shadow IT means that part of the company’s information assets do not come within the control of the IT department”, according to Emmanuel Dupont, Global Chief Security Officer at Oxya (Hitachi Group). Whether in terms of data leaks, security breaches or exposure to malware, this partial loss of control carries significant risks. “When information is transferred outside of the boundaries defined by IT, the risk is also transferred but not with the protective measures established by the company.” And this risk is increasing: incidents considered as threats have risen by 28% since last year. At the same time, the sharing of sensitive data via a public access link has increased by 23% in two years. “Today, the greatest risk is not from a massive direct attack but rather the employees themselves,” says Emmanuel Dupont. “When they use tools without the knowledge of the IT department they become privileged and defenceless targets.”
Paul Fariello, a member of Stormshield’s Security Intelligence team, reckons that this practice has been boosted by the emergence of new business models. In more flexible and open organisations, the mobile nature of working conditions can sometimes lead staff to use their own digital equipment (laptop, personal phone, connected watch or voice assistants) in their professional capacity. “When personal devices are used, the usual data circuits are bypassed and secure VPNs are sidestepped. But, if employees have fluid locations, it is difficult to systematically monitor where and how they connect.”
Financial factor and time factor
Our experts agree that the growth of Shadow IT is a direct consequence of corporate cost reduction policies. “In-house IT has long been considered as a cost centre,” says Denis Lechevin, CISO at Worldline (E-payment). “The business lines have therefore placed the services offered by IT departments in competition with external services, whose declared costs are lower.” And this is done without necessarily weighing up the risks incurred.
And, in many cases, the IT departments are slow to react. “This lack of agility on the part of the IT departments goes a long way to explaining the growth of Shadow IT,” says Johanne Ulloa, NoLimitSecu podcast host. “If employees need a resource but the unwieldiness of the process means that the IT department are slow to provide it, they will go through a third party.” Thus, the time factor plays a pivotal role. IT departments often seem like a “steamroller that starts off but reacts too slowly,” points out Denis Lechevin. This impression is exacerbated by the fact that the company often brings in the IT department too late in the process. It is the ease of access and timely deployment of external solutions that leads to this discrepancy. And the urgency of business practice then finds itself at odds with the need to structure IT services in the long term. “Too often, the IT departments are seen as in-house service suppliers, in competition with external suppliers,” reckons Denis Lechevin.
However, “third-party solutions without prior approval from the IT department are never long-term solutions,” says Franck Nielacny, CIO at Stormshield. “Even if the device works and is adopted by the staff, it can prove very complicated to incorporate it retrospectively into the company’s official Information System. Network changes, access policies and even security requirements are all potential sticking points. The same applies to personal equipment.”
Awareness rather than force
So, what can IT departments do to stem the growth of Shadow IT? “There are three types of response. Prevention, cure and force,” says Johanne Ulloa. In the first case, the IT departments are the guarantors of employee awareness. They must draw attention to bad practices to avoid and good practices to adopt. “The CIO must find a way to "slip" into conversations and projects between business units, in order to optimise the security of these exchanges,” according to Franck Nielacny. And it must be done as subtly as possible. Because, very often, “the security layers that are added are seen as awkward,” says Paul Fariello. “The challenge, then, is to implement resources in a way that they become a normal part of day-to-day staff routines.” The UX (User eXperience) aspect and the integration of IT into development projects play an essential role here, so that staff use IT-validated solutions rather than third-party applications.
As part of a curative policy, the IT department would try to “determine if such services are already being used by the company, using mainly technical methods such as a study of log files,” explains Johanne Ulloa.
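One way to carry out the log-file study Johanne Ulloa describes, as an added example that is not from the article or from any of the companies quoted: the script parses constructed proxy log lines, compares each destination with a hypothetical allowlist of IT-validated domains, and aggregates users, outbound bytes and upload requests per unsanctioned service so that the IT department can see which services are in use and where data is leaving.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (not from the article): timestamp, user,
# HTTP method, URL, bytes sent by the client. A real proxy or CASB export would be parsed instead.
SAMPLE_LOG = """\
2024-03-01T09:02:11Z alice GET https://mail.example-corp.com/inbox 512
2024-03-01T09:05:43Z alice POST https://drive.example-corp.com/upload 204800
2024-03-01T09:07:02Z bob PUT https://files.unsanctioned-share.net/api/upload 15728640
2024-03-01T09:09:19Z carol GET https://www.unsanctioned-share.net/ 300
2024-03-01T09:12:55Z bob POST https://notes.random-saas.io/v1/sync 81920
2024-03-01T09:13:10Z dave GET https://crm.example-corp.com/ 700
"""

# Hypothetical allowlist of domains validated by the IT department.
SANCTIONED = {"example-corp.com"}
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT|DELETE) (\S+) (\d+)$")
HOST_RE = re.compile(r"^https?://([^/:]+)")
UPLOAD_METHODS = {"POST", "PUT"}

def base_domain(host):
    """Reduce a hostname to its registrable domain (naive: keep the last two labels)."""
    return ".".join(host.split(".")[-2:])

def find_shadow_it(log_text, sanctioned=SANCTIONED):
    """Aggregate traffic to domains outside the allowlist.
    Returns {domain: {"users": set, "bytes_out": int, "uploads": int}}."""
    findings = defaultdict(lambda: {"users": set(), "bytes_out": 0, "uploads": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash on real-world input
        _ts, user, method, url, nbytes = m.groups()
        h = HOST_RE.match(url)
        if not h:
            continue
        domain = base_domain(h.group(1).lower())
        if domain in sanctioned:
            continue
        f = findings[domain]
        f["users"].add(user)
        f["bytes_out"] += int(nbytes)
        if method in UPLOAD_METHODS:
            f["uploads"] += 1
    return dict(findings)

def report(findings, upload_threshold=1_000_000):
    """Rank unsanctioned services by outbound volume; flag the ones that look like bulk uploads."""
    rows = []
    for domain, f in sorted(findings.items(), key=lambda kv: -kv[1]["bytes_out"]):
        flag = "LARGE-UPLOAD" if f["bytes_out"] >= upload_threshold else ""
        rows.append((domain, len(f["users"]), f["bytes_out"], f["uploads"], flag))
    return rows
```

Each row of `report(find_shadow_it(SAMPLE_LOG))` gives domain, distinct users, bytes sent, upload requests and a flag, which is the starting point for deciding whether to bring a service into the official Information System or to block it.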
The last approach would be the use of force. With the introduction of GDPR, some companies have already tightened their policies. “There is a real regulatory challenge,” Johanne Ulloa adds. “The use of third-party applications or services leads to a risk of non-compliance with GDPR guidelines, especially as regards the management of personal data.” Nevertheless, in the latter case, raised awareness will always be preferable to force.