Shadow IT is the term that refers to IT used by staff within an organisation that isn’t provided by the organisation itself. Most staff will engage in some form of shadow IT, so as a business, how do you approach its use?
The best practice approach we would suggest is to look at where your data is going, and why it's going there. We suggest classifying the SaaS applications in use into the following categories:
● Sanctioned applications - provided by the business
● Tolerated applications - not provided by the business but needed to run operationally
● Unsanctioned applications - should not be used
Most organisations don’t adopt this approach.
They attempt to deal with shadow IT by simply blocking URLs. Don't want your staff to use Dropbox? Block the URL. However, there are thousands of other sharing applications available, which makes it virtually impossible to just block URLs. Having visibility of which applications are being used gives you much more control, enabling you to decide internally how to deal with them. Is the application sanctioned? If the answer is yes, then it simply needs to be monitored. Is it unsanctioned? If yes, then it should be blocked and no user in the organisation should be able to access it.
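An added example (not code from the original article) of the visibility-then-classify approach described above: constructed proxy log lines are matched against a constructed policy, so each SaaS destination is classified as sanctioned, tolerated or unsanctioned and given the corresponding action, with outbound volume per application summarised. The policy, the log format and the default-deny rule for unlisted destinations are assumptions.

```python
import re

# Constructed policy: registrable domain -> (application name, category).
# Assumption: a destination not listed here is treated as unsanctioned (default deny).
POLICY = {
    "sharepoint.com": ("SharePoint", "sanctioned"),
    "wetransfer.com": ("WeTransfer", "tolerated"),
    "dropbox.com": ("Dropbox", "unsanctioned"),
}
# Action per category, following the article: monitor / keep a close eye on / block.
ACTION = {"sanctioned": "monitor", "tolerated": "watch closely", "unsanctioned": "block"}

# Constructed proxy log format: "<user> <method> <host> <bytes_sent_to_host>"
LOG_RE = re.compile(r"^(?P<user>\S+) (?P<method>[A-Z]+) (?P<host>[\w.-]+) (?P<bytes_out>\d+)$")


def classify_host(host):
    """Map a destination host to (app, category), walking up parent domains so
    that e.g. cdn.dropbox.com matches the dropbox.com policy entry."""
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):
        entry = POLICY.get(".".join(labels[i:]))
        if entry:
            return entry
    return (host.lower(), "unsanctioned")  # unknown application: default deny


def summarise(log_lines):
    """Aggregate outbound bytes and users per application, with category and action."""
    report = {}
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip rather than guess at a destination
        app, category = classify_host(m["host"])
        entry = report.setdefault(
            app, {"category": category, "action": ACTION[category], "bytes_out": 0, "users": set()}
        )
        entry["bytes_out"] += int(m["bytes_out"])
        entry["users"].add(m["user"])
    return report


def apps_to_block(report):
    """Applications whose policy action is 'block', sorted for stable output."""
    return sorted(app for app, entry in report.items() if entry["action"] == "block")


# Constructed sample log lines for demonstration only.
SAMPLE_LOG = [
    "alice POST files.sharepoint.com 250000",
    "bob POST cdn.dropbox.com 120000",
    "carol PUT wetransfer.com 900000",
    "bob POST www.dropbox.com 80000",
    "dave POST unknown-share.example 5000",
    "not a valid log line",
]
```

Running `summarise(SAMPLE_LOG)` gives one entry per application, so the tolerated WeTransfer traffic is visible and can be watched rather than silently allowed.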
In June this year, the popular file sharing service WeTransfer experienced an issue where documents passing through their service were sent to incorrect recipients… for 2 whole days. Despite WeTransfer then blocking the transfer links, there is a possibility that potentially confidential data could have been incorrectly shared.
This raises the question: if you don’t know where your data is, how do you protect it? How do you comply with GDPR? Bear in mind that if you experience a breach and data is stolen then the individual responsible may be liable according to the Computer Misuse Act, but ultimately it will be your organisation that receives the fine.
A good example of this is Morrisons. Andrew Skelton, an employee of the supermarket, stole the data of nearly 100,000 staff. This included their salary and bank details. Skelton was jailed for the offence but Morrisons were also held liable for the data breach. They are now heading to the Supreme Court to appeal the case. A similar fate was suffered by Ticketmaster in 2018 when data was breached with personal data and payment information stolen to engage in fraudulent activity. The ICO are also set to fine Ticketmaster for the breach.
It's possible that more and more cases like this will emerge, as it's unlikely that the volume of investigations will decrease in the future. In fact, with the hefty fines imposed by the ICO around GDPR, we can only assume that the additional funding they receive will be spent in some way, possibly on increasing their staff numbers. This will then lead to further investigations - not just of the larger organisations but of smaller ones too. So more and more businesses may find they are under scrutiny, which will encompass not just their own sanctioned IT but their shadow IT too.
The bottom line is that if your security allows data to be moved to or hosted in unsanctioned, and therefore unmonitored, SaaS applications, you are severely increasing your risk of a successful data breach.
It’s time to adopt a zero trust policy. For any application that is tolerated, it’s important to keep a very close eye on it.