50% of UK organisations at risk of Shadow IT security threats

Shadow IT has a long list of associated problems, but chief among them is the additional security threat it represents

According to IBM, Shadow IT is any software, hardware or IT resource used on an enterprise network without the IT department’s approval and often without IT’s knowledge or oversight.

From the point of view of IT, applications are the jewel in the crown. Regardless of whether they are on-premise, hybrid, cloud, mainframe or locally delivered – applications are king. No work could be done without apps, so it’s not surprising that we encounter so many of them across the enterprise.

But the effectiveness of applications and the willingness to introduce new ones to deal with fresh challenges brings their own complexities in the form of management and security issues. In fact, research by Camwood reveals that 53% of CIOs and IT Directors are unable to confirm exactly how many applications were running on their estate.

This isn’t a great position to be in before any digital transformation and when cyber security threats are so prevalent, but there are ways to tame the IT estate and bring back order to the chaos.

Understanding the challenges and risks of Shadow IT

The problem of Shadow IT arises as organisations grow. Typically, as enterprises expand, the number of applications used across the estate also increases.

Even when companies have a robust application strategy, it is extremely common to have multiple application versions in production, along with various complex licensing agreements.

Much of this bloat falls under the banner of Shadow IT – that mysterious layer of technology that has crept into the organisation at a departmental level, or even at an individual level, but without the explicit oversight, approval or support of the IT department.

Every application expands the threat surface of an organisation

Shadow IT has a long list of associated problems, but chief among them is the additional security threat it represents. The fact is every application expands the threat surface of an organisation.

IT departments are aware of this and use tools and services to keep the applications under their control compliant with best practices and to prevent misconfigurations.

Even when the inevitable configuration drift occurs, responsible IT teams will ensure that everything is returned to its optimum state and that the organisation’s security posture remains hardened. But when applications and services aren’t being managed by experts, this may not be the case.

Protecting sensitive data from third parties

It takes a rigorous approach to IT and applications to apply the latest patches, examine anomaly detection and set appropriate access levels.

Added to this, these applications may not follow the same policies used elsewhere in the organisation to protect sensitive data, either at rest or in transit, and could potentially expose an organisation’s data to third parties.

The problem with errant IT can really boil over when it comes to change management. IT Departments can only check for issues that are under their control. Reconfiguring a core network router may disable an application that the finance department might very well rely on, but isn’t part of the recognized IT estate.

When incidents like this happen, IT departments end up chasing their tails, rapidly on-boarding critical applications that need attention, taking up valuable time and resources.

Another aspect to consider is the haphazard customer experience caused by this category of applications. As well as the unplanned downtime already mentioned, these apps are likely to be running on different versions, offering a different set of features and present compatibility issues.

How can organisations mitigate the risk of Shadow IT?

After recognising that undocumented applications and processes involve a risk to the organisation, the next logical step is introducing a plan to deal with the problem.

Fundamentally, the solution is to perform application life-cycle management from within the IT function. Often this task is either overlooked or not undertaken continuously.

While it’s generally accepted that a third of all cyber attacks are a result of vulnerabilities in Shadow IT, not managing the estate of applications that are under the control of the IT department represents just as much a risk as errant apps in other departments.

Central to the idea of application management is conducting an audit of the existing IT estate. It’s a valuable process because understanding what’s out there and rationalising the estate will harden security, reduce the volume of applications by 40% and typically reduce ongoing spending by 30%.

Conducting an audit of the existing IT estate could reduce ongoing spend by 30%

At a deeper level, applications need to be treated more strategically because IT departments must keep the enterprise secure, and applications with no clear ownership are most likely to present clear security risks.

In particular, ignoring the proliferation of unsupported applications creates problems later on when companies want to initiate digital acceleration programmes, impacting agility and harming growth.

Rigorous application management takes care of the complexity of software lifecycle management, including how the application operates, performance optimisation, maintenance, testing, version control and upgrade paths. Along with significant cost savings, application management delivers reduced downtime and an enhanced end-user experience.

Rationalise IT to reduce the risk

Given the increasing risk profile that Shadow IT involves both for security and for delaying business initiatives, organisations really should consider taking action to rationalise their IT estate.

Companies need to think about applications today by prioritising application management, to avoid security issues and spiralling costs tomorrow. After all, you can’t migrate what you don’t know, and you can’t modernise what you can’t quantify.

This piece was written and provided by Sanjay Tailor, Operations Director, at Camwood.