Under the radar: Shadow IT – the eternal battle

The emergence of cloud-based self-service applications, generative AI and readily available applications from app stores brings with it a secondary challenge for IT departments: users are no longer limited to the applications managed by the company. Instead, they are increasingly using tools that they feel will simplify their work or make it more efficient. At a time when the boundaries between professional and private use of the Internet are becoming increasingly blurred, especially on mobile devices, the use of unauthorized software on corporate networks poses an ever more complex threat. The problem of so-called shadow IT is persistent and expected to increase. Gartner reported that 41 percent of employees in 2022 either acquired, modified or created technologies to use at work that were not under the control of IT . By 2027, that figure is estimated to increase to 75 percent.

Shadow IT mainly arises when employees want to work in ways that seems most efficient to them. They often have had positive experiences with certain applications or find them more effective than the solutions approved by the company. In some cases, the company may not even provide an officially approved solution for specific needs such as messaging or file sharing, prompting employees to turn to alternatives such as Dropbox, WhatsApp or Google Drive. In other cases, the procedures for requesting approval to use different resources or services are seen as slow and inefficient.

The use of unauthorized devices, apps and services poses immense security risks due to a lack of IT oversight and control. The growth of home-based and mobile work and new generative AI tools exacerbates this problem. Shadow IT differs from BYOD, where effective policies allow companies to manage risks by controlling company data and resources allowed on the user's device.

When shadow IT is in use, IT admins have no way to detect, assess, or manage risks, particularly at a time when cyberattacks are becoming increasingly common. When users become the target of ransomware or malware, admins urgently need an overview of affected devices to prevent the spread of the infection to the rest of the network. This is because cyber criminals are using increasingly sophisticated methods to infiltrate companies and encrypt sensitive data, often with the aim of extorting ransom payments. Employees are often unaware of or disregard the potential risks that the use of such software and personally managed SaaS tools can pose.

Combating shadow IT starts with shedding light on your company's digital shadows. While manual methods of checking endpoints are outdated and inadequate, advanced analytics and inventory tools that enable silent monitoring can provide a detailed understanding of the resources in use. That degree of network transparency is essential for developing an effective plan to prevent or solve the problems caused by shadow IT.

• Create transparency –Tools such as Software Asset Management (SAM), Mobile Device Management (MDM), and Unified Endpoint Management (UEM)  enable IT teams to gain visibility into software usage across their network. The removal of local admin rights and the implementation of application whitelisting further strengthen security. Cloud access security brokers (CASBs) are also playing an increasing role in IT security. They provide visibility, compliance, data security and threat protection in cloud environments, making them essential for organizations using cloud services.
   
• Establish proactive IT management – The tools mentioned above help IT admins act proactively and reduce shadow IT. This enables them to ensure control over software versions, efficiently install updates and patches, detect vulnerabilities and continuously manage end devices. Automated software distribution simplifies standardized rollouts. Self-service portals give users more autonomy within a controlled framework and relieve IT staff of the need to manually process individual user requests. Managing the IT landscape is a continuous process that needs to be constantly adapted and monitored to ensure that the procedures are optimally aligned with your requirements and constraints.
   
• Train and involve employees – Employee training also plays a central role in reducing shadow IT. Regular security training, communicating clear guidelines and creating a user-friendly IT environment can raise awareness and minimize the use of unauthorized devices and software. In times of remote working, it is also important to ensure comprehensive control over all devices that access company data and to promote a culture of security.

The existence of shadow IT has an enormous effect in one respect: IT departments need to rethink and adapt their corporate guidelines. Shadow IT provides important indications that the officially approved IT solutions do not meet all employees’ needs for efficient work processes. IT specialists should therefore always try to understand the needs that unauthorized applications meet and what secure alternatives they can offer.