Managed service providers face a growing range of information security and cybersecurity challenges — including ransomware, phishing, and remote worker security. However, shadow IT may soon become one of the most serious threats for MSPs.
Using IT systems, devices, and other resources without IT department permission can create significant risks for MSPs and their clients.
The right mitigation strategies can help MSPs identify shadow services on a business’s network, helping the company avoid vulnerabilities and prevent misuse of IT resources.
The Growing Risks Posed by Shadow IT Systems
Shadow IT is a broad term that may refer to any system that is not deployed or managed by a business’s information technology department or provider. These services are typically used by employees who want to work around perceived shortcomings or limitations in a company’s central information systems.
According to data from Cisco, around 80% of employees use non-sanctioned software and information systems. Additionally, 83% of IT staff admit to the same. Often, the use of shadow information technology is extensive, and just 8% of organizations claim to know the full extent of internal system usage.
Visibility is typically a significant challenge for enterprise IT providers. Shadow systems can make it even more difficult to identify and secure devices, services, and resources that make up the network. These systems can add significant risk to your network, with employees and device end-users as the weak link that hackers will exploit.
Shadow devices and technology can also create additional costs for businesses, introduce inconsistencies to workflows and processes, or make adopting new technology across an organization much more difficult.
These shadow systems can cause problems with existing information systems and hamper employee productivity. If a large number of workers are using unauthorized apps and services, it could be a sign that the business, or its MSP, isn’t providing them with the tools they need for daily work.
For this reason, IT providers typically look to limit or manage shadow systems. They monitor employee use of non-sanctioned services to reduce security risks and identify potential shortcomings.
Common Shadow IT Examples
The specific shadow IT examples an MSP will encounter can vary significantly from business to business, but many enterprises will see some of the same systems used by employees.
These systems can often seem innocuous — like third-party productivity apps or add-ons installed without IT provider approval — but may still put the enterprise’s network or cybersecurity strategy at risk. These are some of the most frequently seen shadow IT examples:
- Personal emails used to conduct business
- Unauthorized personal or BYOD devices
- Flash and USB hard drives
- Unauthorized third-party apps
Typically, these third-party apps include productivity, storage, and communication applications that facilitate work — like Skype, Dropbox, Trello, Asana, or similar tools.
Personal devices may include smartphones and laptops, as well as smart or IoT devices, like assistants, cameras, and wearables. Any item that connects to office Wi-Fi or the business network can create additional risk.
Enterprises and MSPs can only defend the services and devices they know exist. It can already be difficult to gain full visibility of the products a business uses intentionally, and personal shadow devices can make establishing network visibility much more challenging.
Shadow systems can also make security testing and configuration management much more difficult.
End-users of personal devices — like smartphones or IoT items connected to office Wi-Fi — may not regularly update their products or comply with industry regulations that a business needs to follow. It’s challenging to keep IoT devices secure and employees may not use best practices that will protect them from attack.
Managing the Shadow IT Problem
Businesses and managed service providers should take proactive steps to address the growth of shadow IT systems and prevent employees from connecting new devices or services to the company network.
MSPs wanting to manage shadow systems should continuously monitor the business network for applications and devices. An internal audit or review of currently used systems can help the provider identify possible problems and better understand the network.
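As an added illustration of the audit described above (not code from the original article), the following Python sketch reconciles observed DHCP leases and DNS lookups against an approved device inventory and a sanctioned-service list. The log format, inventory entries, and sample lines are constructed assumptions; adapt the parsing to whatever the client's DHCP server and resolver actually emit.

```python
import re
# Constructed sample data in a hypothetical log format (not from the article).
APPROVED_MACS = {"00:11:22:33:44:55", "00:11:22:33:44:66"}
SANCTIONED_DOMAINS = {"office.example.com", "crm.example.com"}
DHCP_LEASES = """\
2024-05-01T08:01:12 lease 10.0.0.21 00:11:22:33:44:55 hr-laptop-01
2024-05-01T08:03:40 lease 10.0.0.57 AA-BB-CC-00-11-22 Johns-iPhone
2024-05-01T08:09:05 lease 10.0.0.58 de:ad:be:ef:00:01 smart-cam
"""
DNS_QUERIES = """\
2024-05-01T08:10:00 10.0.0.21 office.example.com
2024-05-01T08:10:03 10.0.0.21 api.dropbox.com
2024-05-01T08:11:47 10.0.0.57 api.dropbox.com
2024-05-01T08:12:10 10.0.0.57 trello.com
"""

def normalize_mac(mac):
    """Lower-case, colon-separated form so inventory and log entries compare equal."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    return ":".join(digits[i:i + 2] for i in range(0, len(digits), 2))

def is_sanctioned(domain, sanctioned):
    """True if the domain equals, or is a subdomain of, a sanctioned entry."""
    domain = domain.lower().rstrip(".")
    return any(domain == s or domain.endswith("." + s) for s in sanctioned)

def find_unknown_devices(leases, approved):
    """Return {mac: (ip, hostname)} for leases whose MAC is not in the inventory."""
    approved = {normalize_mac(m) for m in approved}
    unknown = {}
    for line in leases.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[1] == "lease":  # ignore malformed lines
            mac = normalize_mac(parts[3])
            if mac not in approved:
                unknown[mac] = (parts[2], parts[4])
    return unknown

def find_unsanctioned_domains(queries, sanctioned):
    """Return {domain: sorted client IPs} for lookups outside the sanctioned list."""
    hits = {}
    for line in queries.splitlines():
        parts = line.split()
        if len(parts) == 3 and not is_sanctioned(parts[2], sanctioned):
            hits.setdefault(parts[2].lower().rstrip("."), set()).add(parts[1])
    return {domain: sorted(ips) for domain, ips in hits.items()}

if __name__ == "__main__":
    print(find_unknown_devices(DHCP_LEASES, APPROVED_MACS))
    print(find_unsanctioned_domains(DNS_QUERIES, SANCTIONED_DOMAINS))
```

Many phones randomize their MAC address per network, so treat an unknown MAC as a prompt for follow-up rather than a stable device identity.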
Improved policies, procedures, and employee guidelines can help prevent the emergence of additional shadow systems. For example, a clear and straightforward BYOD policy can communicate to employees the devices they can and cannot use at work, as well as the steps they should take to use them safely.
Without one of these policies in place, employees may connect their personal devices to the network without realizing they’re contributing to the shadow system problem at their workplace.
What MSPs Can Do to Manage the Problem
Proactive MSPs can prevent shadow systems from making client networks less secure. Simple practices like network monitoring and audits, combined with clear security policies, can often help businesses reduce and control the emergence of shadow IT.
As the average number of personal devices per consumer rises and more SaaS productivity tools become available, shadow systems are likely to become an even more significant problem. Acting now will help MSPs manage existing systems and prepare for future challenges.