Shadow IT Guidance

The UK NCSC has published guidance on identifying and controlling shadow or grey IT assets within corporations. Shadow IT refers to the use of devices and technologies within an organisation that its IT department does not know about or manage. The issue can be overcome by a thorough Mobile Device Management policy, but this might not be feasible for smaller organisations and will always be difficult to enforce where a degree of home working is involved.

Shadow IT covers not only devices such as phones but also IoT elements including home routers, printers and WiFi access points. These are used to connect from home to the corporate network but will rarely be subject to the purchase scrutiny of the IT department. The home worker is most likely to choose the most readily available solution, or even the cheapest if costs are not reimbursed. The 2021 HP Wolf Security Report ‘Out of Sight and Out of Mind’ highlights that the majority of users who purchased WiFi devices did not treat security as a major consideration. The report also quantifies home users who had bought devices to support home working; the figures below are based on a sample of 8,443 respondents who had worked in offices but also spent some time working from home.

Device             Global    UK
PC or Laptop         29%    14%
Printer              16%     8%
Internet Router      15%     4%
Tablet or iPad       11%     5%

Printers have been identified as a notable security risk, not only because of any documents they might store locally but because, as networked devices, they could be accessed remotely and used as an entry point from which to compromise a network.

The proposed UK Product Security and Telecommunications Infrastructure legislation will place some security controls on network-connectable products. In the USA a Cyber Trust Mark has been proposed to identify more secure devices, although the standards it would impose have yet to be worked out. For the present the onus is still on the purchaser to buy wisely.

Unregulated web services are another threat to organisations. Cloud services are used to share data, facilitate web conferencing or host third-party tools. A service such as OneDrive might be used to share corporate data between work and home. As an easy-to-use and relatively large data store, it is quite possible that a user will also add personal files to it or might use the cloud to transfer sensitive information out of the organisation. A web-based tool might offer some required business functionality, such as the many services that convert PDF documents to editable text. Such a service may be benign, or it could host malware or spyware which will at the very least clog up the target computer and affect productivity.

Although policies and device control could be used to outlaw shadow IT completely, there are relatively straightforward means of mitigating its effects within an organisation. The actual needs of users should be considered and solutions provided within the corporate environment. The use of third-party services can be deduced from web logs or from informal staff discussions. If a particular service is required it is best to source a reliable solution for use in-house; for example, if working extensively with PDF files, consider the options available from Adobe itself. Penalising users for using unauthorised devices or services is probably counterproductive, as it will deter others from admitting to their use. A robust cyber security culture that also allows employees to communicate freely about IT issues will make it easier to identify possible use of shadow devices and to put alternative solutions in place.
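As an added illustration of the web-log review suggested above (example code written for this page, not part of the original post or of any Kindus tooling), the Python script below parses a few constructed proxy log lines in an assumed "timestamp user method URL bytes" format, skips an assumed in-house allow-list, and tallies per user the requests and upload volume to file-sharing and PDF-conversion services, so that the underlying need can be met with a sanctioned alternative.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines; the format (timestamp user method url bytes) is assumed.
SAMPLE_LOG = """\
2024-09-01T09:12:03Z alice GET https://intranet.example-corp.com/finance/q3.xlsx 20480
2024-09-01T09:15:41Z alice POST https://pdf-to-word-convert.example/upload 1048576
2024-09-01T09:20:10Z bob GET https://onedrive.live.com/?id=abc 4096
2024-09-01T09:22:55Z bob POST https://onedrive.live.com/upload 52428800
2024-09-01T10:01:07Z carol POST https://pdf-to-word-convert.example/upload 2097152
2024-09-01T10:05:30Z carol GET https://www.example.org/news 8192
"""
# Services the organisation provides or approves in-house (assumed list).
SANCTIONED = {"intranet.example-corp.com", "www.example.org"}
# Categories of third-party service the post discusses; the host patterns are constructed.
WATCHLIST = {
    "file-sharing": re.compile(r"(^|\.)(onedrive\.live\.com|dropbox\.com)$"),
    "pdf-conversion": re.compile(r"pdf.*(convert|to-word)"),
}
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT) (\S+) (\d+)$")


def parse_line(line):
    """Return (user, method, host, bytes) for one log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _ts, user, method, url, nbytes = m.groups()
    host = re.sub(r"^https?://", "", url).split("/")[0].split("?")[0].lower()
    return user, method, host, int(nbytes)


def classify(host):
    """Name the watchlist category for an unsanctioned host, or None if there is nothing to flag."""
    if host in SANCTIONED:
        return None
    return next((cat for cat, pat in WATCHLIST.items() if pat.search(host)), None)


def find_shadow_services(log_text):
    """Return {category: {user: (request count, bytes sent via POST/PUT)}}."""
    findings = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for line in log_text.splitlines():
        rec = parse_line(line)
        cat = classify(rec[2]) if rec else None
        if cat is None:
            continue  # unparsable line, or a sanctioned / unlisted host
        user, method, _host, nbytes = rec
        findings[cat][user][0] += 1
        if method in ("POST", "PUT"):  # uploads are where corporate data may leave the organisation
            findings[cat][user][1] += nbytes
    return {c: {u: tuple(v) for u, v in us.items()} for c, us in findings.items()}
```

Run against a real proxy export, the per-user upload totals show which services carry enough business traffic to justify an in-house replacement, and which users to talk to about it.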
