Shadow IT Guidance

The UK NCSC has published guidance on identifying and controlling shadow or grey IT assets within organisations. Shadow IT refers to devices, software and online services used for work without the knowledge or approval of the IT department. Much of the device side can be brought under control by a thorough Mobile Device Management (MDM) policy, but this might not be feasible for smaller organisations and will always be difficult to enforce where a degree of home working is involved.

Shadow IT covers not only devices such as phones but also IoT elements including home routers, printers and WiFi access points. These are used to connect from home to the corporate network but will rarely be subject to the purchase scrutiny of the IT department. The home worker is most likely to choose the most readily available solution, or even the cheapest if costs are not reimbursed. The 2021 HP Wolf Security report 'Out of Sight and Out of Mind' highlights that the majority of users who purchased WiFi devices did not treat security as a major consideration. The report also quantifies home users who had bought devices to support home working. The figures below are based on a sample of 8,443 respondents who had worked in offices but also spent some time working from home.

Device             Global    UK
PC or laptop        29%      14%
Printer             16%       8%
Internet router     15%       4%
Tablet or iPad      11%       5%

Printers have been identified as a notable security risk, and not only because of any documents they might store locally. As networked devices they can be accessed remotely and used as a foothold from which to compromise the rest of the network.

The proposed UK Product Security and Telecommunications Infrastructure (PSTI) legislation will place some security requirements on network-connectable consumer products. In the USA a Cyber Trust Mark has been proposed to identify more secure devices, although the standards it would impose have yet to be worked out. For the present the onus is still on the purchaser to buy wisely.

Unregulated web services are another threat to organisations. Cloud services are used to share data, host web conferencing or run third-party tools. A service such as OneDrive might be used to share corporate data between work and home. As an easy-to-use and relatively large data store it is not unlikely that a user will also add personal files to it, or will use the cloud to transfer sensitive information out of the organisation. A web-based tool might offer some required business functionality, such as the many services that convert PDF documents to editable text. Such a service may be benign, or it could host malware or spyware which will at the very least clog up the target computer and affect productivity; in either case any document uploaded to it has left the organisation's control.

Although policies and device controls could be used to outlaw shadow IT completely, there are relatively straightforward means of mitigating its effect within an organisation. The actual needs of users should be considered and solutions provided within the corporate environment. The use of third-party services can be deduced from web proxy logs or from informal staff discussions. If a particular service is required it is best to source a reliable solution for use in-house; for example, if staff work extensively with PDF files, consider the options available from Adobe itself. Penalising users for using unauthorised devices or services is probably counterproductive, as it will deter others from admitting to their use. A robust cyber security culture that also allows employees to communicate freely about IT issues will make it easier to identify shadow devices and services and to put alternative solutions in place.
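The suggestion above that third-party service use can be deduced from web logs is the one point here that can be shown in code. The following script is an added example, not part of the NCSC guidance or of this post: it reads constructed proxy access-log lines (Squid-style, "epoch user method url status"), drops hosts on an assumed allowlist of sanctioned services, and reports every remaining host with the number of distinct users and how many requests were uploads (POST or PUT), since uploads are the requests that carry data out. The sanctioned suffixes, the watchlist labels and the .example hostnames are all illustrative assumptions.

```python
"""Deduce third-party (shadow) service use from web proxy logs.

Added example, not from the NCSC guidance or the original post. Hosts on
the SANCTIONED allowlist are ignored; everything else is reported, labelled
from WATCHLIST where possible and "uncategorised" otherwise, so a service IT
has never heard of still shows up.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample data in Squid-like form: "epoch user method url status".
# The .example hostnames are invented for illustration.
SAMPLE_LOG = """\
1704067200.001 alice GET  https://login.microsoftonline.com/common/oauth2/authorize 200
1704067201.120 alice GET  https://contoso-my.sharepoint.com/personal/alice 200
1704067210.550 bob   POST https://www.freepdf-convert.example/upload 200
1704067215.003 carol GET  https://drive.google.com/drive/my-drive 200
1704067216.777 carol POST https://drive.google.com/upload/drive/v3/files 200
1704067220.000 dave  POST https://www.dropbox.com/upload 200
1704067230.000 alice POST https://www.freepdf-convert.example/upload 200
1704067231.000 erin  GET  https://www.freepdf-convert.example/ 200
1704067240.000 erin  GET  https://notes.someapp.example/ 200
"""

# Assumed allowlist of services IT has approved; subdomains match by suffix.
SANCTIONED = ("microsoftonline.com", "sharepoint.com", "office.com")

# Assumed labels for services worth naming when they appear.
WATCHLIST = {
    "drive.google.com": "file sharing",
    "dropbox.com": "file sharing",
    "freepdf-convert.example": "document conversion",
}

UPLOAD_METHODS = {"POST", "PUT"}


def host_matches(host, suffixes):
    """True if host equals, or is a subdomain of, any listed suffix."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def categorise(host):
    """Label a host from WATCHLIST, or 'uncategorised' if it is unknown."""
    for suffix, label in WATCHLIST.items():
        if host_matches(host, (suffix,)):
            return label
    return "uncategorised"


def parse_line(line):
    """Return (user, method, host) or None for blank or malformed lines."""
    parts = line.split()
    if len(parts) < 5:
        return None
    _ts, user, method, url, _status = parts[:5]
    host = urlsplit(url).hostname
    if not host:
        return None
    return user, method.upper(), host.lower()


def shadow_services(log_text):
    """Aggregate unsanctioned hosts with distinct users, requests and uploads."""
    stats = defaultdict(lambda: {"users": set(), "requests": 0, "uploads": 0})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        user, method, host = parsed
        if host_matches(host, SANCTIONED):
            continue
        entry = stats[host]
        entry["users"].add(user)
        entry["requests"] += 1
        if method in UPLOAD_METHODS:
            entry["uploads"] += 1
    rows = [
        {
            "host": host,
            "category": categorise(host),
            "users": len(e["users"]),
            "requests": e["requests"],
            "uploads": e["uploads"],
        }
        for host, e in stats.items()
    ]
    # Most widely used, most upload-heavy services first: these are the
    # ones worth replacing with an in-house alternative.
    return sorted(rows, key=lambda r: (-r["users"], -r["uploads"], r["host"]))


if __name__ == "__main__":
    for row in shadow_services(SAMPLE_LOG):
        print("{host:30} {category:20} users={users} requests={requests} "
              "uploads={uploads}".format(**row))
```

Run against the sample data, the PDF conversion site tops the list with three distinct users and two uploads, which is exactly the pattern the post suggests should prompt sourcing a supported tool rather than disciplining the users. A real deployment would swap SAMPLE_LOG for the proxy's actual log format and keep the allowlist in sync with the services IT provides.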
