The risks of Shadow IT in organizations

Iñigo Ladrón Morales


Shadow IT is a curious term. Something like "the ghost of IT in the shadows", it refers to the set of all systems, services, applications, software and devices that a company's employees use without the IT department being aware of it, and perhaps without them being corporate elements or having been approved for use.

In the same way, digital assets, services, systems and applications that the company used in the past (internally or facing the external public) but that fell into disuse, obsolescence or oblivion can also form part of a company's "Shadow IT inventory", expanding the attack surface and exposing it to future security problems.

This may seem like a trifle, but it can entail serious risks and threats for the cybersecurity of any organization. For this reason, it is critical to identify which employees carry out this activity, with what tools and how, and what other uncontrolled corporate tools exist, in order to take measures to eliminate or mitigate those risks.

The policies and procedures established at the corporate level are vital and mandatory for the entire workforce. In reality, an employee who breaks these rules is committing a very serious offense, and could even be considered an insider.

Likewise, the maintenance (and even the retirement) of the organization's assets, services, applications and systems that are no longer used or updated is a task that should be mandatory for every IT department worth its salt.

Employees turn to Shadow IT as an alternative when corporate services, applications and tools are complex, difficult to use, slow, old, etc. Services or applications commonly used as Shadow IT include collaborative tools, devices, repositories or even personal clouds, videoconferencing and messaging services, etc., all of them not previously authorized by the IT department or the organization.

Therefore, Shadow IT causes a broad and continuous security breach, since the tools that employees use without authorization are not controlled or managed, making it impossible to maintain or update them. This means that the company will be unprotected against possible vulnerability exploitation and other consequences.

Our Shadow IT Search service identifies risks by searching for exposed assets and infrastructure that are not under the control of the IT area.

What should organizations do? The first step should be identification. Finding Shadow IT requires that each and every technological activity be proactively tracked and monitored to identify unauthorized applications, services and systems in the organization. To do this, you can perform tasks such as:
  • Audit software on all corporate devices and systems, to identify unapproved applications.
  • Access control, to identify who has access to unauthorized resources.
  • Monitoring of services and systems in the corporate cloud, to identify accounts used without permissions.
  • Network traffic analysis, looking for unknown, uninventoried devices and servers, strange connections, unusual behaviors and patterns, etc.
Once the sources of Shadow IT have been identified, a risk analysis of each of them should be carried out, determining whether they could cause problems such as improper access, data leaks, security holes due to vulnerabilities, etc.
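
The network traffic analysis task from the list above can be sketched as follows. This is an added example, not part of the original article or of any Zerolynx tooling: the log format, the domain allowlist, the host inventory and all names in it are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed inventory data (assumptions for this example only).
APPROVED_DOMAINS = {"corp.example", "corp-mail.example", "corp-drive.example"}
INVENTORIED_HOSTS = {"10.0.1.10": "laptop-alice", "10.0.1.11": "laptop-bob"}

# Constructed proxy log: "<timestamp> <src_ip> <user> <dest_host> <bytes_out>"
SAMPLE_LOG = """\
2024-05-06T09:00:01Z 10.0.1.10 alice corp-mail.example 1200
2024-05-06T09:02:13Z 10.0.1.10 alice files.personal-cloud.example 58000000
2024-05-06T09:05:40Z 10.0.1.11 bob corp-drive.example 4000
2024-05-06T09:07:02Z 10.0.1.77 - chat.unapproved-im.example 900
2024-05-06T09:09:55Z 10.0.1.11 bob wiki.corp.example 300
malformed line
"""

def is_sanctioned(host):
    """True if host is an approved domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    # Match on a label boundary so "evilcorp.example" is not "corp.example".
    return any(host == d or host.endswith("." + d) for d in APPROVED_DOMAINS)

def find_shadow_it(log_text):
    """Return (unsanctioned services, uninventoried source IPs, skipped lines)."""
    unsanctioned = defaultdict(lambda: {"users": set(), "bytes_out": 0})
    unknown_devices, skipped = set(), 0
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            skipped += 1  # count unparseable lines instead of hiding them
            continue
        _, src, user, dest, nbytes = parts
        try:
            ipaddress.ip_address(src)
        except ValueError:
            skipped += 1
            continue
        if src not in INVENTORIED_HOSTS:
            unknown_devices.add(src)  # device missing from the asset inventory
        if not is_sanctioned(dest):
            entry = unsanctioned[dest.lower()]
            entry["users"].add(user)
            entry["bytes_out"] += int(nbytes)  # upload volume feeds risk analysis
    return dict(unsanctioned), unknown_devices, skipped

if __name__ == "__main__":
    services, devices, skipped = find_shadow_it(SAMPLE_LOG)
    for host, info in sorted(services.items()):
        print(host, sorted(info["users"]), info["bytes_out"])
    print("uninventoried devices:", sorted(devices), "| skipped lines:", skipped)
```

The per-service user set and upload volume give the risk analysis something to rank: a large upload to a personal cloud is a different exposure from a few hundred bytes to a chat service.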

The next step is risk mitigation, drawing on the knowledge previously obtained and the analysis of what was detected. It is necessary to take measures, which may include eliminating the Shadow IT elements detected, raising employee awareness, and even accepting those tools and integrating them consistently and securely with the company's corporate tools.

Can we help you find your company's Shadow IT?

You can find more details about our services on the Zerolynx page.

If you prefer, contact us and we'll talk.


