When it comes to cybersecurity risk, it’s easy to overlook one of the primary targets that hackers are starting to go after: your own employees. More specifically, cyber criminals are now going after what’s known as companies’ “Shadow IT” ecosystem, hacking into software and apps employees use without the approval and/or knowledge of your IT department.
According to Gartner, by 2020 approximately one-third of successful enterprise cyber-attacks will be on data and systems located in shadow IT resources. And that’s not to mention the regulatory compliance risks that organizations run by having sensitive data potentially being handled, transferred, and passed around on apps that may or may not have the proper security measures.
I recently caught up with globally recognized cybersecurity expert and author Sai Huda to help demystify shadow IT, explain the true risks that shadow IT presents, and provide IT leaders with sound strategies for tackling shadow IT within their organizations.
John Shin: So what exactly is “Shadow IT” and why is it a growing cybersecurity risk?
Sai Huda: Simply put, “Shadow IT” is what’s created when an employee or a group of employees in an organization goes around the IT department and starts using unauthorized apps, software or web services. It’s IT that is being used at work without the knowledge of the organization’s IT department.
Shadow IT is a cybersecurity risk because it won’t be on the IT or security department’s radar and will provide an entry point for cyber attackers to intrude into the network by exploiting vulnerabilities on the third-party app, software or web services.
Moreover, it’s a growing cybersecurity risk because employees are increasingly exposed to apps or web services at home that they like because of the user-friendly functionality, so when they arrive at work they gravitate to using the same apps or web services for convenience and productivity, and don’t want to be blocked or hindered by the IT department.
But what the employee is not thinking about is that with each such use, an entry point is created for a cyber attacker to exploit.
JS: What are some common examples of Shadow IT usage in businesses today?
SH: Without certain safeguards and preventive and detective controls in place, any organization can fall victim to Shadow IT, face a cyberattack and suffer loss of data, IP or disruption from ransomware. By that time, it’ll be too late (and not of much help) to realize that the root cause was Shadow IT.
One common example is when an employee downloads an app without approval from the IT or security department and starts using it and the app contains a remote access trojan that a cyber attacker exploits for the initial entry point and credential theft.
In another scenario, an employee who uses a file sharing web service at home receives an email at work from someone familiar, with a link to the file sharing web service. However, it’s a phishing email and the employee is fooled. The employee clicks on the link, downloads malware and provides the cyber attacker the entry point and potentially much more.
JS: From a compliance perspective, what unique challenges does Shadow IT present to an organization?
SH: Shadow IT creates not only cybersecurity risk but also non-compliance risk with GLBA, PCI-DSS, HIPAA or other requirements, depending on whether personally identifiable information (PII), payment card information (PCI) or protected health information (PHI) is involved with the use of Shadow IT. It can also lead to GDPR non-compliance and stiff monetary penalties.
Shadow IT that leads to a data breach can also create allegations of federal or state unfair or deceptive acts or practices (UDAP) law violation. In addition to federal UDAP, each state in the U.S. also has its own UDAP law. It can be alleged that failure to prevent and detect Shadow IT enabled the cyberattack and caused harm to consumers, that consumers had no way to avoid the injury, and that what the organization said in its privacy policy about safeguarding consumers’ information was false.
JS: How are hackers currently seeking to exploit Shadow IT at enterprises?
SH: Shadow IT provides another entry point into the network or cloud for the cyber attackers to exploit via vulnerabilities with the app, software or web services provider, with the employee being the unwitting “mule” that carries in the payload.
So while the organization may be spending a lot of money on cybersecurity and working very hard to prevent intrusion into the network or cloud, unwittingly the employee creates the bypass and pathway for the attackers, all under the radar of IT or security. It’s a battle that can’t be won without certain safeguards, preventive and detective controls.
JS: So, what should organizations do to manage Shadow IT risk?
SH: The first step is to acknowledge that Shadow IT is a cybersecurity risk that must be managed, regardless of the type or size of the organization. Next is to implement certain safeguards and internal controls. You’ll need to craft a plain language policy that prohibits Shadow IT. Clearly explain Shadow IT and the risks it creates, and provide concrete examples.
Also implement both preventive and detective internal security controls. Preventive controls block ad-hoc downloads of apps or software or access to certain web services, for example. Detective controls include performing regular scans to identify unauthorized apps, software or web services.
When it comes to changing employee behavior, it’s wise to use both the carrot and the stick. For instance, if an employee would like to use an app or web service and wants the organization to adopt it, provide an easy and quick means to request (such as a brief online form or email request with justification). If the organization authorizes and adopts, give the employee a carrot in the form of recognition and/or a reward, highlighting the benefits gained by using the new app.
At the same time, use the stick by communicating that any non-compliance will be grounds for suspension or termination of employment, then enforce compliance and communicate instances of non-compliance and consequences.
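As an added illustration of the detective control described above (example code added here, not from the article or its interviewee), the following Python check compares an endpoint software inventory and a web-proxy log against an approved-software allowlist and a set of sanctioned SaaS domains. Every allowlist entry, inventory record, user name and log line is constructed sample data.

```python
# Added detective control for shadow IT (not from the article): compare an
# endpoint software inventory and a web-proxy log against approved lists.
# All inventory records, log lines and allowlists below are constructed sample data.
from collections import Counter
from urllib.parse import urlsplit
# Constructed allowlist of (lowercase product name, lowercase publisher).
APPROVED_SOFTWARE = {
    ("corp mail client", "exampleco"),
    ("spreadsheet suite", "approved vendor"),
}
# Constructed sanctioned SaaS domains; subdomains of these are allowed too.
APPROVED_DOMAINS = {"mail.example.com", "crm.approved-vendor.example"}

# Constructed endpoint inventory as an asset agent might report it.
INVENTORY = [
    {"host": "ws-101", "name": "Corp Mail Client", "publisher": "ExampleCo"},
    {"host": "ws-101", "name": "QuickShare Sync", "publisher": "Unknown"},
    {"host": "ws-102", "name": "Spreadsheet Suite", "publisher": "Approved Vendor"},
    {"host": "ws-102", "name": "PDF Tool Free", "publisher": "Freeware Ltd"},
]

# Constructed proxy log, one "<user> <method> <url>" record per line.
PROXY_LOG = """\
alice GET https://mail.example.com/inbox
alice POST https://files.quickshare.invalid/upload
bob GET https://crm.approved-vendor.example/leads
bob POST https://files.quickshare.invalid/upload
carol GET https://notes.unsanctioned.invalid/sync
"""

def find_unauthorized_software(inventory, approved=APPROVED_SOFTWARE):
    """Return sorted (host, name, publisher) for every install not on the allowlist."""
    return sorted(
        (e["host"], e["name"], e["publisher"])
        for e in inventory
        if (e["name"].lower(), e["publisher"].lower()) not in approved
    )

def _is_approved_host(host, approved):
    # Exact match or a subdomain of an approved domain counts as sanctioned.
    return any(host == d or host.endswith("." + d) for d in approved)

def find_unauthorized_services(log_text, approved=APPROVED_DOMAINS):
    """Count requests per unsanctioned web-service domain seen in the proxy log."""
    hits = Counter()
    for line in log_text.splitlines():
        _user, _method, url = line.split()
        host = urlsplit(url).hostname or ""
        if not _is_approved_host(host, approved):
            hits[host] += 1
    return dict(hits)
```

Run on a schedule, the two findings lists are the "regular scan" output: unapproved installs per host, and unsanctioned services ranked by how much traffic they attract.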
JS: Can employee training and a cybersecurity partner help in reducing Shadow IT risk?
SH: Absolutely, the answer is “Yes” to both. Ongoing training, done in concert with the right third-party partner, can significantly reduce shadow IT usage. You’ll then be in a better position both in terms of overall security risk and regulatory compliance.
Make sure to train every single employee on policy and controls so everyone clearly understands why the policy is essential, the risks and why each employee’s cooperation and compliance is critical to success. Train all new employees when on-boarding.
Finally, engage a third party to perform regular Shadow IT audits to independently test compliance with policy, and assess the adequacy of preventive and detective controls, for prompt risk mitigation.
Unsure of what security and compliance risks Shadow IT is posing within your organization? Request a consultation with an RSI Security expert today.
To learn more about Sai Huda, visit his author website at: https://www.saihuda.com.
To purchase the best-seller, Next Level Cybersecurity: Detect The Signals, Stop The Hack, visit Amazon.