How “Shadow IT” Puts a Business at Risk: 5 Hazards for GRC Professionals to Watch

Combatting IT Blind Spots Calls for a 'Defense-in-Depth' Approach

by Stu Sjouwerman
March 30, 2022
in Cybersecurity

Unauthorized use of unsecured business applications presents a growing danger. So-called shadow IT presents GRC teams with the need to prevent end users from taking actions that, while seemingly expedient, completely undermine otherwise robust cybersecurity and data protection measures.

Let’s say your sales team spends a lot of time on conference calls. Their assigned enterprise application is clunky, disconnects frequently and the video keeps buffering. Out of frustration, they decide to use another tool they find more stable. The problem: The IT team is out of the loop, does not know of the software’s existence and therefore cannot manage its risks.

Shadow IT, the unauthorized use of software, applications or hardware, is an ongoing IT blind spot for many organizations. Moreover, the proliferation of software-as-a-service applications, the sudden rise of remote work and the ubiquity of smartphones significantly amplify the scale of the problem. In fact, for the second half of 2021, industry analysts from CybelAngel report a 40 percent rise in shadow IT incidents. The result is an increase in cybersecurity loopholes that can lead to dire consequences for the business.

Left unchecked, shadow IT can lead to:

More Cyber Attacks and Breaches

The use of shadow IT significantly increases the threat surface because it is unregulated and unsanctioned by the business. Applications may have unpatched errors and vulnerabilities that can leave gaping holes in the security posture. Cyber criminals can use these weak spots to carry out surveillance, launch damaging attacks or steal sensitive information. Use of shadow IT by malicious insiders is also a major concern. For example, in the Coca-Cola trade secret theft case, an engineer leveraged Google Drive to facilitate the IP theft.

Absence of Control

It is impossible for IT teams to have visibility or control over company software and data that are outside their purview. This creates a major governance issue for IT teams, especially in an environment where an expanding list of rapidly evolving compliance mandates (e.g., GDPR and CCPA) forces businesses to maintain tighter security standards.

Non-Compliance

Employees who use shadow IT put their organization at risk of not meeting compliance obligations. This can be particularly concerning in a situation where organizations are subject to stringent compliance laws that govern collection, storage, transmission and use of sensitive data. Organizations can face expensive lawsuits and run the risk of losing brand reputation, customer trust and competitive edge.

Loss of Data and Failure of Recovery

There is always the potential for businesses to lose sensitive data if it is stored in unregulated or unprotected locations. A simple example is Google Drive or Dropbox, where an employee may choose to store contracts, customer lists or sales presentations. If that worker leaves the organization or terminates their personal cloud storage account, this data is lost permanently. Moreover, in the case of a cyber incident, the data is neither accessible nor backed up and may be impossible to recover.

Lack of Accountability

Instances of shadow IT in an organization signify a problem. It could mean that end users are not being given the IT resources they need to do their jobs, so they instead look to alternative tools. It might indicate a general lack of support from leadership or issues with line managers allowing their teams to work around mandated IT guidelines and policies. It could also mean the IT team has not clearly communicated the risks of shadow IT.

How Can Businesses Mitigate Risks of Shadow IT?

Overall, GRC professionals need to recognize the risks and their causes, then take steps to enact more effective IT controls. While shadow IT is nearly impossible to eliminate, risk and compliance teams can use a “defense-in-depth” approach to mitigate its risks. Such an approach consists of three main elements:

  • Technical controls: Today’s solution marketplace offers an array of mature products that can detect the presence of unregulated hardware, software, and SaaS applications lurking on the network. While this toolset may not discover every incidence of shadow IT, it can go a long way to reducing the risk.
  • Policies and procedures: As there is a major lack of accountability surrounding shadow IT, policies and procedures help establish the right governance framework. GRC professionals should provide end users with an acceptable use policy (AUP) that clearly outlines the list of approved software and hardware along with what the organization will or won’t tolerate. Businesses must also highlight the process of seeking approval and what requesters can expect in terms of turnaround times.
  • Security awareness and education: Shadow IT starts with the employee, so it’s critical they understand the risks and impacts of their actions. This can only be achieved through security awareness exercises and regular training programs. The ultimate goal is for employees to realize how they themselves are a central piece in the security puzzle and why established controls need to be honored and respected.
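As an added illustration of the "technical controls" element above (example code written for this edit, not code from the article or from KnowBe4), the following Python script reviews constructed web-proxy log lines against a hypothetical list of sanctioned SaaS domains and reports which unsanctioned cloud services are in use, by whom, and how much data is leaving through them. The log format, the SaaS catalogue, the sanctioned list and the user names are all assumptions.

```python
# Shadow-IT discovery over web-proxy logs: flag SaaS hosts that are not on the
# sanctioned list. Hypothetical example; domains and log lines are constructed.
import re
from collections import defaultdict

SANCTIONED = {"zoom.us", "sharepoint.com"}  # per the (hypothetical) AUP

# Catalogue of SaaS domains to recognise (constructed, not exhaustive).
SAAS_CATALOGUE = {
    "dropbox.com": "cloud storage",
    "drive.google.com": "cloud storage",
    "meet.jit.si": "conferencing",
    "zoom.us": "conferencing",
}

# Constructed proxy log format: "<timestamp> <user> <host> <bytes_out>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")

def parent_domains(host):
    """Return host and each parent domain, e.g. a.b.c -> [a.b.c, b.c, c]."""
    labels = host.lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]

def find_shadow_it(log_lines, sanctioned=SANCTIONED):
    """Aggregate unsanctioned SaaS use: {domain: {category, users, bytes_out}}."""
    findings = defaultdict(lambda: {"category": "", "users": set(), "bytes_out": 0})
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        _ts, user, host, bytes_out = m.groups()
        domains = parent_domains(host)
        if any(d in sanctioned for d in domains):
            continue  # approved tool, not shadow IT
        hit = next((d for d in domains if d in SAAS_CATALOGUE), None)
        if hit is None:
            continue  # unknown host: not a catalogued SaaS service
        f = findings[hit]
        f["category"] = SAAS_CATALOGUE[hit]
        f["users"].add(user)
        f["bytes_out"] += int(bytes_out)
    return dict(findings)

SAMPLE_LOG = [  # constructed sample, not real traffic
    "2022-03-30T09:01:02Z alice us04web.zoom.us 1200",
    "2022-03-30T09:05:10Z bob dl-web.dropbox.com 48000000",
    "2022-03-30T09:07:33Z carol content.dropbox.com 9100000",
    "2022-03-30T09:09:00Z bob meet.jit.si 310000",
    "not a log line",
]
```

Running `find_shadow_it(SAMPLE_LOG)` reports Dropbox use by two users and an unsanctioned conferencing service, while the sanctioned Zoom traffic and the malformed line are ignored.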

Ultimately, organizations must recognize that, at the core, shadow IT is a cultural problem. For employees to embrace a security culture, leaders and end users must engage in ongoing two-way dialogue. That is, end users should communicate their needs and expectations to the business in the same way that IT expresses potential risks.

Both groups need to come together to proactively understand what employees need and to identify opportunities for new technologies. If a company is experiencing chronic incidences of shadow IT, that is a sure sign that certain tools and services may not be keeping up with existing and evolving end-user requirements.

Stu Sjouwerman

Stu Sjouwerman is founder and CEO of KnowBe4 [NASDAQ: KNBE], developer of security awareness training and simulated phishing platforms, with 41,000 customers and more than 25 million users. He was co-founder of Sunbelt Software, the anti-malware software company acquired in 2010. He is the author of four books, including “Cyberheist: The Biggest Financial Threat Facing American Businesses.” He can be reached at ssjouwerman@knowbe4.com.
