Shadow IT, while always problematic for IT departments, has recently resurfaced as a real and present risk to organizations and, in particular, has become a focal area during FDIC examinations.

So, what does Shadow IT mean?

Shadow IT (a.k.a. “unauthorized technology,” “unauthorized assets,” “unauthorized devices,” etc.) has created quite a name for itself in the new FFIEC Architecture, Infrastructure, and Operations (AIO) booklet. With more than 40 mentions, the concept of shadow IT is one with pressing considerations for financial institutions. Each device used for business purposes (institution-owned or otherwise) is an entry point for vulnerabilities and, unless managed properly, can introduce significant risk to the organization.

With the increased complexity of infrastructures, more cloud options than ever before, more outsourcing opportunities, and more third parties providing services, it’s no wonder this has become a hot topic.

Top entry points for Shadow IT:

  • Third-party Software-as-a-Service (SaaS)
  • Public Cloud
  • On-premises Applications
  • Personal email accounts being used to conduct business
  • Unsanctioned bring-your-own-device (BYOD) use
  • Unauthorized IoT devices or rogue Wi-Fi
  • File Exchange (use of unapproved, insecure or ad hoc file exchange methods)

Who’s responsible for the risks involved from Shadow IT?

IT and the Information Security team.

Don’t wait until your next audit or exam to make sure you have the necessary controls in place.

  1. Have a process to detect and prevent unknown or unapproved technology.
  2. Have an automated asset management tool to scan for unauthorized hardware, software and devices.
  3. Monitor for all methods of transferring files to third parties, including e-mail, copying information to external media, or use of shadow IT, which may not be visible to network security controls.
  4. Conduct monitoring to ensure approved solutions are being used when needed to protect file exchanges, to avoid shadow IT solutions.
  5. Design systems to provide the capability to monitor and alert for the use of shadow IT. Shadow IT uses entity resources and could provide unknown avenues for exploitation.
  6. Include the risks of shadow IT, and the rationale for preventing its use, in security awareness training. Shadow IT happens more frequently and more easily than you might think.
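Items 2 through 5 above come down to one reconciliation: what is actually on the network and leaving it, compared with what management has approved. The following is an added example (not code from the original post, IP Services or the AIO booklet) that flags DHCP leases whose MAC is absent from the approved asset inventory, and proxy log entries showing large uploads to hosts outside the sanctioned-SaaS list; the inventory, allow list, lease export and log lines are all constructed sample data.

```python
# Reconcile discovered devices and outbound uploads against approved lists.
# Inventory, allow list, lease export and proxy log are constructed sample data.

# Approved asset inventory keyed by MAC address (constructed sample).
APPROVED_ASSETS = {
    "aa:bb:cc:00:00:01": "fileserver01",
    "aa:bb:cc:00:00:02": "teller-ws-17",
}
# SaaS hosts sanctioned for business use (constructed allow list).
APPROVED_SAAS = {"approved-crm.example", "approved-storage.example"}

# DHCP lease export, one "<ip> <mac> <hostname>" per line (constructed).
DHCP_LEASES = """\
10.0.5.11 aa:bb:cc:00:00:01 fileserver01
10.0.5.42 AA:BB:CC:00:00:02 teller-ws-17
10.0.5.77 de:ad:be:ef:00:09 espresso-iot
"""
# Web proxy log, "<timestamp> <src_ip> <method> <host> <bytes_out>" (constructed).
PROXY_LOG = """\
2024-01-09T09:12:01 10.0.5.42 POST approved-crm.example 2048
2024-01-09T09:13:44 10.0.5.42 POST personal-drive.example 7340032
2024-01-09T09:14:02 10.0.5.77 GET firmware-update.example 512
2024-01-09T09:15:30 10.0.5.11 PUT approved-storage.example 52428800
"""

def unauthorized_devices(leases: str, approved: dict) -> list:
    """(ip, mac, hostname) for each lease whose MAC is missing from the inventory.
    MACs are lowercased so a case mismatch between DHCP and inventory cannot hide one."""
    flagged = []
    for line in leases.splitlines():
        ip, mac, host = line.split()
        if mac.lower() not in approved:
            flagged.append((ip, mac.lower(), host))
    return flagged

def unsanctioned_uploads(log: str, allow: set, min_bytes: int = 1_000_000) -> list:
    """(src_ip, host, bytes_out) for POST/PUT requests above min_bytes to hosts
    outside the allow list; small GETs to unknown hosts are ordinary browsing."""
    hits = []
    for line in log.splitlines():
        _ts, src, method, host, nbytes = line.split()
        if method in ("POST", "PUT") and host not in allow and int(nbytes) >= min_bytes:
            hits.append((src, host, int(nbytes)))
    return hits

if __name__ == "__main__":
    for dev in unauthorized_devices(DHCP_LEASES, APPROVED_ASSETS):
        print("unknown device:", dev)
    for hit in unsanctioned_uploads(PROXY_LOG, APPROVED_SAAS):
        print("upload to unapproved service:", hit)
```

In practice the two inputs would be pulled from the DHCP server and proxy on a schedule, and each flagged row becomes a ticket for the asset owner rather than an immediate block, which is the point the Summary below makes about removing shadow IT with a plan.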

Consider the common sources of shadow IT:

  • Business units, to support their specific needs, in contravention of the enterprise’s needs.
  • Third-party service providers to support services provided to the entity or to collect data for the service providers.
  • Individuals (internal or external) for convenience to allow them to use entity resources (e.g., wireless network) or for malicious purposes (e.g., to steal data or processing power).
  • Incomplete decommissioning process for legacy systems (e.g., business unit systems that were never decommissioned because of software compatibility limitations).

Risks to the organization from shadow IT:

  • Security weaknesses, data breaches, or data loss from using unapproved devices, software, or services.
  • Inability to maintain or update (e.g., apply patches to) unknown devices or software resulting in vulnerable devices or software.
  • Costs related to identifying, diagnosing, and mitigating security issues.
  • Inability to back up and recover unknown devices or software.
  • Unintentionally performing automatic backups of unapproved and possibly infected devices or software leading to the spread of malware.
  • Penalties for using software or services without a license.
  • Legal risks related to data use or data ownership (e.g., data residing on devices outside of the ownership or control of the entity).
  • Potential nullification of cyber insurance.

Summary:

The identification of shadow IT does not eliminate it. Shadow IT remains until management appropriately addresses it. While shadow IT should be addressed in a timely manner, there is a risk removing shadow IT could negatively affect a department process. The entity’s reputation, product and service delivery, and revenue stream could be affected if shadow IT is removed without an appropriate plan.

Management should consider how evolving technologies (e.g., cloud, IoT, and artificial intelligence [AI] and machine learning [ML]) can affect its systems’ design.

Management should establish IT governance practices and security controls along with consistent policies, standards, and procedures to mitigate risks of shadow IT.

IP Services has been providing cybersecurity solutions for decades. We have a deep understanding of and experience with financial institutions and can provide solutions to help in the fight against cyber-attacks.