How to Know When You Have a Shadow IT Problem & What to Do Next


You probably have a Shadow IT problem.
I’m not picking on you. According to statistics from Microsoft, Shadow IT is alive and well at most organizations:

  • The average enterprise uses more than 1,500 cloud apps
  • 88% of all cloud apps are not sanctioned by IT
  • 78GB of data is uploaded monthly to risky cloud apps by the average enterprise

This brief checklist is designed to help you identify four “perfect storm” factors that contribute to the use of unsanctioned IT services.
Why is this so important? Shadow IT leads to 33% of all cyber-attacks.

#1 – Legacy Servers

When a premises-based server is located in your office, where it functions as the official home base for corporate storage and file sharing, connection difficulties are inevitable.
Access may be relatively smooth for in-office employees logging into the local area network. However, employees located elsewhere will have to negotiate a VPN.
“Reliable” and “VPN” aren’t typically mentioned in the same sentence.
It doesn’t take long for this segment of your team to pursue alternate paths when they can’t get in. Common “off the reservation” vehicles include Yahoo Mail, Gmail, and Dropbox.
For instance, an employee who is about to head home (and anticipates the VPN will be glitchy) may upload a sensitive Word document to their personal Dropbox account to work on it later on their home computer, rather than get frustrated (for the tenth time) unsuccessfully attempting to log into the server back at the office.
Others in a similar position may email a document to their Yahoo account, download it to their home computer shortly thereafter, work on it throughout the evening, then send it back to their corporate email account (and work computer) to finish a few details the following day.
Why do both of these examples present a problem? Yahoo Mail and Dropbox are significantly easier to breach than private, encrypted services. Once these accounts are infiltrated, threat actors gain easy access to your server and everything else connected to it.

#2 – Phishing Emails & Malware

Phishing emails are like rats. If you see a few, several dozen more rodents are hiding in the nooks and crannies, ready to rummage around the kitchen as soon as you hit the sack.
And if you have a steady stream of phishing emails, chances are some of your employees have already taken the bait (clicked on links, downloaded PDFs, or responded).
Now you probably have malware that is difficult to detect if you don’t have the right tools. Malware is elusive, and its administrators are very patient, sometimes waiting more than a year before launching a digital assault.
Malware ultimately leads to ransomware attacks that include but are not limited to blocked access to IT systems, data loss, remediation expense, bitcoin extortion plots, lawsuits, bad PR, and skyrocketing insurance rates or denial of coverage.

#3 – User-Owned Mobile Devices & Workstations

Software designed for servers does not work very well on mobile devices. The second users figure this out, they can easily hit the Apple or Android app store and find a suitable workaround. The same is true of websites – both reputable and disreputable.
Two issues arise here: your employees are conducting business on software that sits outside of your sovereign digital estate, and their devices and apps will be intermingling with your corporate network.
Your IT staff or MSP doesn’t have visibility, and the door is wide open for widespread malfeasance. For instance, when someone charges their iPhone via one of the USB ports on their office workstation, viruses and malware are instantly injected into your network.
The same risks apply to personally owned computers that live at home or travel back and forth.
Remote workers and their laptops and desktops operate over unsecured home and business WiFi networks (Starbucks, Panera Bread, etc.). All are wide open and a lot easier to use than the annoying (but safer) VPN we covered in the first section.
A few trouble spots emerge here. Many people store passwords on spreadsheets located on their desktops. Bank statements and medical records too. This data is easy to grab and parlay into an oasis of other private information, myriad password-protected accounts, networks, and financial rewards.
I would even caution against allowing salespeople to give their personal cellphone numbers to clients and prospects. This effectively removes your main number and company-issued DIDs from relationships and creates an onramp for clients and prospects to follow salespeople who may jump ship.
Personal numbers also evade call recording capabilities that capture valuable marketing data and provide granular training insights.
You may spend a few years trying to cultivate a new client, and they could end up working with someone on your team – after they join a competitor’s team. Ask anyone in commercial real estate or financial planning about this.

#4 – Younger Employees & Social Media

Today’s workforce skews younger (largely under forty), and social media is richly woven into their lives.
Both LinkedIn and Facebook are powerful platforms for connecting with clients. However, personal accounts (versus corporate ones) can siphon off valuable data better groomed and preserved in company-approved silos.
Even corporate-owned social media accounts can pose problems. Integris had a client with a consultant who was trying to open service tickets through our Facebook page.
(She wasn’t a registered user and obviously had not attended our new client tech support kick-off meeting.)
Her inquiry was trivial in nature and easy to address once we shifted the conversation to the proper channels. Thank goodness she didn’t use Facebook to request help for a more pressing matter and simultaneously broadcast easy-to-exploit IT weaknesses.
For example, a worst-case scenario announcement to the largest social network in the world might go like this: “Our office has just been flooded. Everybody has to work from home. We need a lot of new computers, and we can’t reach the server.”
Opportunistic attackers (but I repeat myself) would have a field day with this information and pile on without hesitation amidst the chaos.

What to Do Next

If you give your employees what they need, train them, and enforce policies, they won’t have to improvise. A simple survey of IT needs is a step in the right direction.
But a technical solution is the most effective long-term strategy. Do you want to maximize the benefits of business-class IT: security, availability, performance, confidentiality, and compliance?
I recommend you explore Cloud App Security Broker (CASB) from Microsoft with the assistance of your IT provider.
They will help you understand the nuances as well as manage the application on your behalf.
CASB fulfills the following roles:

  • Serves as a security guard that permits users 24/7 access to the cloud resources they need, from any location and from any device
  • Monitors and controls user activities to identify unapproved apps and risks
  • Prevents the leakage of sensitive data
  • Blocks malicious actors
  • Maintains compliance and IT governance across multiple cloud services


Jed is a Solution Advisor at Integris who has specialized in MSP solution development, sales, and marketing communications since 2003.
