
How to Curb Shadow IT and Technical Debt to Reduce Cyber Risk


These days, IT departments need to track an ever-growing number of devices and accounts. Once you lose track of the services that employees use, you end up with shadow IT and technical debt—two issues that can lead to serious security blunders and excess spending. 

Keep reading for an overview of shadow IT and technical debt and strategies for avoiding these issues and reducing security risk.

What is shadow IT? A simple definition

Shadow IT refers to unknown, unmanaged systems that employees use and are off the radar of IT and security teams. Shadow IT can take on a variety of different forms—like cloud accounts, messaging apps, and laptops, among other things. 

Organizations dealing with shadow IT leave the door open for cyberattacks and increase the risk of data exposure. This increased exposure can lead to financial penalties and reputational harm, among other undesirable outcomes. 

Shadow IT is a growing problem among businesses of all sizes, particularly at the enterprise level. According to Everest Group, shadow IT spend comprises 50% or more of total IT spend in large enterprises.

What are the top causes of shadow IT?

Shadow IT security risks can stem from many different causes. With that in mind, let’s take a look at some shadow IT examples that businesses often encounter.

1. Remote and hybrid workers

Today, business users require special tools and services to remain productive in remote and hybrid environments. To increase their output, they often use a variety of solutions for text messaging, collaborating, screen sharing, data sharing, and more. 

What’s more, employees often have administrative access to local workstations and applications. Should a cyberattacker gain access to a device with local administrative rights, they can leverage that access to steal passwords, install malware, and exfiltrate data. They may even be able to elevate their privileges to gain access to the broader IT environment.

2. Connected devices

Workers may also have connected at-home devices that pair with their work devices—like smart speakers, monitors, and home printers. 

All of these typically require software to manage, configure, and use. They also typically have limited software updates. This often results in outdated and unpatched software, leaving remote employees exposed and vulnerable to more attacks.

3. Unmanaged browsers

The majority of workflows now take place in web browsers, and most users today have at least two running on their machines. Unfortunately, most organizations don’t manage browsers, which creates a major security blind spot. 

Browsers often prompt users to store sensitive credentials, passwords, and credit card information. Bad actors can target this critical information and potentially gain entry into private systems and databases or make fraudulent payments on your company’s behalf.

4. Productivity applications

Users often turn to third-party productivity applications to complete tasks without requesting approval from IT. These apps may originate from the Google Play or App Store or they may be browser-based. Applications downloaded and installed without IT review may contain security vulnerabilities. They may not have security controls or get updated as often as they should, increasing shadow IT risk over time. 

When employees use shadow IT applications, sensitive data can end up stored in all sorts of repositories, which may put your entire organization at risk—or, at the very least, obscure business intelligence from the rest of the team. 

At the same time, software can have conflicting security models that don’t align with your corporate policies for access control or data use. To illustrate, an employee in a healthcare environment may download an application that isn’t HIPAA-compliant. This can put sensitive patient data at risk and lead to potential fines and penalties for the organization.

5. Fast production cycles

Developers and DevOps teams are under rising pressure to move quickly and efficiently. However, they often sacrifice security for speed, which increases shadow IT security risk. 

For example, developers may spin up instances in the cloud and disappear just as fast. When this happens, data can live on in a cloud environment without IT or security teams ever knowing about it.

Shadow IT policies help you get control

Simply put, if you don’t give users access to secure tools and seamless workflows, they’re liable to take matters into their own hands and source solutions on their own. For this reason, IT and security teams need to tread carefully and balance security and privacy mandates with productivity needs. Here’s how you can reduce shadow IT security risk. 

For business users

  • Use enterprise-scale password managers like Secret Server for business users, which is more secure than consumer-grade password managers or storing passwords with your browser.

  • Leverage the Browser Password Discovery Tool to discover browser-stored passwords among your Active Directory users.

  • Increase oversight with policy-based solutions for application control, like Privilege Manager. That way, you can automatically check applications users wish to download against lists of trusted applications and the latest threat intelligence on suspicious applications. You can sandbox any unknown, untrusted application for further review before you grant users access.

  • Use the least privilege Discovery Tool to discover which applications already on your network are known to be malicious or not secure.

For developers and DevOps teams

  • Connect privileged access management tools into the DevOps process. Grant developers privileges to access cloud and CI/CD toolchains at the speed they require while giving you the visibility you need to maintain tighter control over your environment. 

For both groups, it’s key to avoid inserting friction into workflows. That being the case, it’s a good idea to keep security tools in the background with invisible privileged access management. With this approach, business users, developers, and even systems administrators can get their jobs done without worrying about remembering passwords, let alone keeping them fresh. In fact, they never even need to see passwords because all the management happens automatically.

What is technical debt and how does it relate to shadow IT?

Shadow IT isn’t just about business users and developers working outside the scope of IT security. In fact, IT teams can also be guilty of shadow IT when they don’t work in a coordinated way. 

This lack of coordination contributes to technical debt, which accumulates when teams take on new tools as an easy fix instead of putting the time, effort, and capital into taking a long-term approach. For example, IT might have skipped the usual due diligence in the rush to support remote workers over the past couple of years. 

Many IT departments are making short-term decisions on IT solutions by deploying single-purpose tools to help keep employees productive and the company operational. They often purchase multiple, siloed products or make quick, short-term decisions that increase the company’s technical debt.

What are the costs and risks of technical debt?

Technical debt can be very wasteful for an organization, making it a big problem for companies with tight budgets and limited resources. 

Some of the initial short-term expenses that come with technical debt include heavy renewal costs, maintenance, training, and upgrades. At the same time, tools tend to be disparate and highly dependent on users. They also come with limited integrations.

User-dependent systems can also be very difficult to manage at scale, and easy to forget. For example, someone may set up a system and then leave for another opportunity. When this happens, it’s easy to lose track of what the system is for and where it came from.
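As an added illustration (not from the original post), here is the reconciliation that turns the two situations above, cloud resources nobody registered and systems whose owner has left, into concrete findings: a cloud inventory export is checked against the IT asset register and the list of active staff. All records, field names and thresholds are constructed for the example.

```python
from datetime import date

# Constructed sample data: a cloud inventory export, the asset register
# IT actually manages, and the HR directory of staff who still work here.
CLOUD_INVENTORY = [
    {"id": "i-0a1", "type": "instance", "owner": "alice",
     "created": "2024-01-10", "tags": {"cmdb": "APP-17"}},
    {"id": "i-0b2", "type": "instance", "owner": "bob",
     "created": "2024-03-02", "tags": {}},
    {"id": "bkt-dev-dump", "type": "bucket", "owner": "carol",
     "created": "2023-11-21", "tags": {}},
    {"id": "db-7", "type": "database", "owner": "dave",
     "created": "2023-06-30", "tags": {"cmdb": "APP-22"}},
]
MANAGED_ASSETS = {"APP-17", "APP-22"}   # ids known to the asset register
ACTIVE_STAFF = {"alice", "bob"}         # carol and dave have left
DATA_BEARING = {"bucket", "database"}   # resource types that hold data


def classify(resource, managed_ids, active_staff, today, stale_days=90):
    """Return (severity, findings) for one inventory record."""
    findings = []
    if resource["tags"].get("cmdb") not in managed_ids:
        findings.append("not in managed asset register (shadow IT)")
    if resource["owner"] not in active_staff:
        findings.append(f"owner {resource['owner']} no longer active (orphaned)")
    age = (today - date.fromisoformat(resource["created"])).days
    if findings and age > stale_days:
        findings.append(f"unmanaged for {age} days")
    if not findings:
        return "ok", []
    # Data-bearing resources with no owner or no register entry are the
    # exposure the post warns about, so they rank highest.
    severity = "high" if resource["type"] in DATA_BEARING else "medium"
    return severity, findings


def audit(inventory, managed_ids, active_staff, today):
    """Map resource id -> (severity, findings) for everything not 'ok'."""
    report = {}
    for res in inventory:
        severity, findings = classify(res, managed_ids, active_staff, today)
        if findings:
            report[res["id"]] = (severity, findings)
    return report


if __name__ == "__main__":
    for rid, (sev, notes) in audit(CLOUD_INVENTORY, MANAGED_ASSETS,
                                   ACTIVE_STAFF, date(2024, 4, 1)).items():
        print(rid, sev, "; ".join(notes))
```

In practice the three inputs come from the cloud provider's inventory API, the CMDB and the HR system; the value of the check is that it runs on a schedule, so a resource does not stay unknown for months.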

How can IT reduce technical debt to mitigate shadow IT risk?

To effectively reduce technical debt, it’s important to think strategically and make decisions that align with your company’s long-term focus. It’s also important to future-proof cybersecurity and move away from point solutions in favor of feature-rich technologies that can grow with the business and add value over time.

At the end of the day, integration and automation can both play an important role in reducing technical debt and shadow IT while boosting security. For more information on what you can do to secure your IT environment and keep sensitive data secure, take a look at our Cloud Security Best Practices Checklist.
