What is Shadow IT?
Summary
Shadow IT refers to unauthorized software, hardware, or IT resources within an enterprise network, often leading to security, compliance, and operational challenges. The video explores real-world examples, the reasons behind the prevalence of Shadow IT, its potential benefits, and associated risks. Unauthorized use of such technologies can significantly increase the likelihood of data breaches, compliance issues, and operational inefficiencies, although it can also boost agility and productivity among employees. Mitigation strategies include aligning identified Shadow IT with existing security protocols and utilizing tools like Attack Surface Management and Cloud asset security brokers.
Highlights
- Shadow IT operates outside IT's awareness, raising security concerns. 🚨
- 90% of employees use Shadow IT for its functionality, risking breaches. 📈
- Organizations discover 30% more exposed assets after reviews. ❗
- Non-compliance with regulations like GDPR due to Shadow IT poses legal risks. ⚖️
- Proper security and mitigation strategies can harness Shadow IT's advantages. 🔨
Key Takeaways
- Shadow IT consists of unsanctioned software or hardware used within an enterprise without IT's knowledge. 💻
- It increases data breach risks, compliance issues, and operational inefficiencies. 🚨
- Despite its risks, Shadow IT can provide agility and improved productivity. 🚀
- Employees use personal devices and unapproved software for perceived better functionality. 📱
- Mitigation includes aligning Shadow IT with firm protocols and using monitoring tools. 🔒
Overview
Shadow IT represents a significant challenge for organizations today. It refers to the use of applications and devices within an enterprise without official approval from the IT department. While these tools often bring enhanced functionality and agility, they also introduce considerable risks including security breaches, data inconsistency, and regulatory non-compliance. The video by IBM Technology explores these dynamics in detail, presenting both the upsides and downsides of Shadow IT.
A key worry about Shadow IT is its potential to operate completely under the radar of IT teams. When employees use personal devices or non-sanctioned software and hardware, the organization becomes vulnerable to a host of attacks. Without proper monitoring, Shadow IT can lead to 30% more exposed assets and create significant inefficiencies. However, it's also acknowledged that Shadow IT can enhance productivity and offer better tools for employees, which complicates its management.
IBM's video suggests that to effectively manage Shadow IT, organizations need to look beyond simply banning it. Instead, integrating appropriate security measures and using specialized tools like Attack Surface Management solutions can mitigate risks while still allowing employees the flexibility they desire. This balanced approach aims to protect data and ensure compliance without stifling innovation within teams.
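An added illustration (not from the video or from IBM) of the discovery step that has to happen before identified Shadow IT can be aligned with security protocols: it scans web proxy records for services that are not the sanctioned tool in their category, reusing the Dropbox and Zoom examples from the page. The log format, the sanctioned catalogue, `files.corp.example` and every log line are constructed assumptions.

```python
from collections import defaultdict

# Assumed policy: one sanctioned service per category (hypothetical catalogue).
SANCTIONED = {"file-sharing": "files.corp.example", "meetings": "webex.com"}
# Assumed domain-to-category map (constructed, far from exhaustive).
CATEGORY = {
    "dropbox.com": "file-sharing", "files.corp.example": "file-sharing",
    "zoom.us": "meetings", "webex.com": "meetings",
    "grammarly.com": "writing-aid",
}
# Constructed proxy log: timestamp user host bytes_uploaded
SAMPLE_LOG = """\
2024-05-01T09:00:01Z alice www.dropbox.com 52428800
2024-05-01T09:02:10Z bob files.corp.example 1048576
2024-05-01T09:05:00Z carol us02web.zoom.us 204800
2024-05-01T09:06:30Z alice acme.webex.com 102400
2024-05-01T09:07:00Z bob dl.dropbox.com 1048576
2024-05-01T09:08:00Z dave app.grammarly.com 4096
malformed line
"""

def known_domain(host):
    """Return the catalogued domain a host belongs to, matching on label boundaries."""
    host = host.lower().rstrip(".")
    for dom in CATEGORY:
        if host == dom or host.endswith("." + dom):
            return dom
    return None

def find_shadow_it(log_text):
    """Aggregate traffic to services that are not the sanctioned choice."""
    findings = defaultdict(lambda: {"users": set(), "bytes_up": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # skip malformed records rather than guess
        _, user, host, uploaded = parts
        service = known_domain(host) or host.lower()
        category = CATEGORY.get(service, "uncategorised")
        if SANCTIONED.get(category) == service:
            continue  # sanctioned tool for this category
        entry = findings[service]
        entry["users"].add(user)
        entry["bytes_up"] += int(uploaded)
        entry["category"] = category
        entry["sanctioned_alternative"] = SANCTIONED.get(category)
    return dict(findings)

if __name__ == "__main__":
    report = find_shadow_it(SAMPLE_LOG)
    for svc, e in sorted(report.items(), key=lambda kv: -kv[1]["bytes_up"]):
        print(svc, e["category"], sorted(e["users"]), e["bytes_up"], e["sanctioned_alternative"])
```

Services with no sanctioned alternative (the grammar checker here) are the ones where a ban leaves users with nothing, so they are candidates for review and onboarding rather than blocking.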
Chapters
- 00:00 - 00:30: Introduction to Shadow IT. In the Introduction to Shadow IT, the session highlights the hidden dangers within technology infrastructures, known as Shadow IT. The discussion covers how these unauthorized systems can affect security, compliance, and operational efficiency. Real-world examples are used to illustrate what Shadow IT involves, its causes, potential benefits, and inherent risks.
- 00:30 - 01:00: Definition and Examples of Shadow IT. This chapter discusses the concept of Shadow IT, highlighting its definition and significance as a concern for enterprise businesses. Shadow IT encompasses software, hardware, or IT resources present within an enterprise's network without the IT team's awareness. The distinction between Shadow IT and malicious software is also emphasized, clarifying that while Shadow IT represents unsanctioned resources, it is not inherently malicious like malware.
- 01:00 - 02:00: Prevalence and Adoption of Shadow IT. This chapter discusses the concept of Shadow IT, which refers to employees using unauthorized or personal technology resources for work purposes. Examples provided include employees sharing files through personal Dropbox accounts or thumb drives instead of the company's official file-sharing system, participating in meetings via Zoom when the company standard is WebEx, and using personal mobile devices or grammar-checking tools not officially approved by the organization.
- 02:00 - 03:30: Risks of Shadow IT. 80% of employees prefer using Shadow IT due to its quick adaptability and superior functionality.
- 03:30 - 05:00: Attack Surface and Data Insecurity. As organizations emphasize efficiency and flexibility, Shadow IT (technology used without explicit organizational approval) poses significant risks. Operating outside the IT department's oversight means vulnerabilities often remain unnoticed and unaddressed, making these unauthorized systems prime targets for security breaches.
- 05:00 - 06:00: Regulatory Compliance. The chapter 'Regulatory Compliance' opens with a discussion on the financial implications of data breaches, highlighting a 2023 IBM article that reports the average cost of a data breach in the U.S. is 9.4 million dollars. The narrative then pivots to Shadow IT, emphasizing its role as a significant factor that elevates the risk of data breaches. The chapter promises to explore the various risks and challenges posed by Shadow IT, providing insights into its impact on regulatory compliance.
- 06:00 - 07:00: Impact on Business Efficiencies. The chapter titled 'Impact on Business Efficiencies' discusses how organizations often find more exposed assets than anticipated when conducting attack surface management reviews. On average, they discover 30% more exposed assets than initially known. It highlights that the influx of new assets presents vulnerabilities that might have otherwise gone unnoticed, emphasizing the importance of comprehensive visibility to manage and mitigate risks effectively.
- 07:00 - 08:30: Statistical Insight on Shadow IT Risks. The chapter discusses the risks associated with Shadow IT, particularly focusing on data insecurity. It highlights the issues of storing and accessing data across various unauthorized applications and devices, leading to data inconsistency. This scattered data can be improperly accessed and distributed, creating potential risks for businesses.
- 08:30 - 10:30: Benefits of Shadow IT. This chapter discusses the benefits of using Shadow IT within organizations. Despite the risks such as outdated data and compliance issues with strict regulations like HIPAA, PCI DSS, and GDPR, Shadow IT can provide flexibility and innovation by allowing employees to use tools they find most effective. The key is balancing the advantages with appropriate risk management to prevent potential fines and damage to reputation.
- 10:30 - 15:00: Mitigating Risks of Shadow IT. This chapter explores the various risks associated with Shadow IT, which refers to the use of IT systems, devices, software, applications, and services without explicit IT department approval. The main focus is on how Shadow IT can impact business efficiencies. It starts with acknowledging legal risks for businesses and underlines how not all Shadow IT applications and resources may seamlessly integrate into the existing IT infrastructure. The narrative sets the stage for a deeper examination of its implications on business processes.
- 15:00 - 15:30: Conclusion and Call to Action. The chapter discusses the potential challenges posed by Shadow IT to infrastructure. Shadow IT can disrupt workflows and information sharing if the IT department makes changes to the network or connecting resources. This disruption may hinder or completely stop a team's workflow if they rely on such processes. A 2022 article is referenced to highlight these risks.
What is Shadow IT? Transcription
- 00:00 - 00:30 Are you aware of the risks lurking within your technology landscape? Join us today as we uncover the truth behind Shadow IT and how it can impact your security, compliance and operational efficiencies. In today's session we will explore some real-world examples that illustrate what Shadow IT entails, its underlying causes, potential benefits and inherent risks. Let's start off with: have you heard of Shadow IT
- 00:30 - 01:00 and how it's a big problem for enterprise businesses? It refers to software, hardware or IT resources that are in the enterprise network without your IT team's knowledge. And it's very important for us to differentiate Shadow IT from malicious assets, because Shadow IT is not malware per se; it is unsanctioned resources deployed by
- 01:00 - 01:30 your authorized users. Here's a few examples to really paint the picture. Let's say your employees are sharing files from their own personal Dropbox or thumb drive instead of using the company-approved file sharing system, or they're possibly joining meetings in Zoom instead of the company standard, which may be WebEx, or even using innocuous grammar checks, or maybe using their own personal mobile
- 01:30 - 02:00 and laptop devices in the enterprise network. Unfortunately for businesses and their security teams, around 80 percent of employees are preferring to use Shadow IT because of its quick adaptability and adoption across the team, as well as its perceived superior functionality. Some of the employees may even be recommended to use these different platforms and applications from their clients and partners, maybe to enhance
- 02:00 - 02:30 collaboration on projects per se. The trend that this highlights for us is that there is a high demand for efficiency and flexibility in today's workstation. The flip side here is that, as I mentioned before, Shadow IT is operating outside the awareness and protection of the IT team, so any vulnerabilities that could have been tied to them have gone unaddressed, making Shadow IT prime targets for
- 02:30 - 03:00 adversaries. And according to the article published in 2023 by IBM, the average cost of a data breach in a U.S. company is around 9.4 million dollars. The reason why I'm bringing this up is because Shadow IT is actually a key component that increases the likelihood of a data breach. Now let's dive into some key points on Shadow IT, such as the risks and challenges that it brings forth. Here's what you need to know:
- 03:00 - 03:30 there is an increase in exposure. On average, organizations that undergo an attack surface management review discover that they have 30 percent more exposed assets than they were initially aware of. And as mentioned, since there's so many new assets that are coming into their vision, there were a lot of vulnerabilities that could have gone under their radar as well, making it a
- 03:30 - 04:00 key risk to the business. Another risk is data insecurity. With storing and accessing data across multiple Shadow IT applications and devices, it poses the concern of data inconsistency, because you're having this data scattered across multiple different resources, and they could be accessed and distributed as unofficial, invalid and
- 04:00 - 04:30 outdated data. Another risk is compliance. With regulations out there such as HIPAA, PCI DSS and GDPR, they have very strict regulations on handling personally identifiable information, and if you're not compliant you could risk paying a hefty fee, you could risk your own reputation being on the line, and even
- 04:30 - 05:00 facing legal action against your business. And last but definitely not least, because there's a whole lot of risks out there with Shadow IT, but the fourth one that we're going to be exploring today is business efficiencies. Thank you. Not all of Shadow IT, or multiple different applications and resources that are Shadow IT, is going to seamlessly integrate into your IT
- 05:00 - 05:30 infrastructure, and this could really hinder workflows and the sharing of information, because if your IT department steps in and tries to change anything on the network or any connecting resources, it could really impede or completely disrupt a relied-upon Shadow IT process from executing that the team really relies on to continue their workflow. With all of these risks in mind, I also want to pull out a stat here from an article published in 2022 which covers
- 05:30 - 06:00 the surface, the state of attack surface management, and it shows that eight in 10, that's right, 8 in 10 organizations have fallen victim to Shadow IT compromise within the last year. And even though the risks are very apparent and they've only been increasing, so has the usage of Shadow IT, because employees now have very simple and easy access to SaaS-based
- 06:00 - 06:30 platforms. They're also using their personal mobile and laptop devices on the enterprise network with the shift to the remote workforce, so that's also a very scary but transparent view for us to have on the risks that Shadow IT can bring forth. Now, with a clear understanding of the risks of Shadow IT, it's also important for us to consider the benefits that may come to the team and the company, for us to address it accordingly. So let's cover some of the benefits,
- 06:30 - 07:00 starting off with an increase in agility. So Shadow IT enables your employees to adapt quickly and adopt two different platforms that they choose, so they're also leveraging new technologies that are going to increase the agility of the business. There's also the benefit of an increased
- 07:00 - 07:30 flexibility with your employees, because now that they're leveraging what they deem are the tools that best fit their role, they're performing in a more productive way, and they're also having a more exciting experience that they're more satisfied with. Another benefit here is streamlining
- 07:30 - 08:00 your IT assets, because with Shadow IT it's reducing the cost and resources you need to onboard new IT assets onto your company. So taking the risks and benefits into account, it's time for us to effectively mitigate Shadow IT. Now let's talk about mitigations. So we've seen that even though there are
- 08:00 - 08:30 a lot of risks tied to Shadow IT, we can't ignore the benefits that the team gives back for us as feedback. We don't want to completely eliminate Shadow IT, because we see that a lot of them maybe work more productively and they're more satisfied with their workflow. So to address that, we can then bring Shadow IT that we currently have identified along the way and align it with our current standard
- 08:30 - 09:00 IT security protocols, so while still taking the team's feedback into the benefits, while still keeping a priority on security. Another mitigation is implementing different tools that are out there to really help us address Shadow IT, such as ASM, or attack surface management solutions, that will continuously monitor our internet-facing assets or anything
- 09:00 - 09:30 that has been exposed along the way, to also discover and identify the vulnerabilities there so you can assess them and mitigate them accordingly. Another tool is going to be cloud asset security brokers. These tools allow you to establish secure connections between your employees and your cloud assets while also implementing security measures such as encryption, access controls and
- 09:30 - 10:00 malware detections along the way, and it also has some abilities to continuously fetch your cloud assets, so anything that had been previously unknown will come to light. By understanding the risks and benefits that come with Shadow IT and implementing the appropriate security measures, organizations can harness the advantages while mitigating the vulnerabilities, ensuring security and efficiency in their technology landscape. Thank you. If you like this video and
- 10:00 - 10:30 want to see more like it, please like and subscribe. If you have questions, please drop them in the comments below.