Shadow IT Guidance

The UK NCSC has published guidance on identifying and controlling shadow or grey IT assets within corporations. Shadow IT refers to the use of unknown devices and technologies within an organisation.  The issue can be overcome by a thorough Mobile Device Management policy but this might not be feasible for smaller organisations and will always be difficult to effect where a degree of home working is involved.

Shadow IT covers not only devices such as phones but also IoT elements including home routers, printers and WiFi access points. These would be used to connect from home to the corporate network but will rarely be subject to the purchase scrutiny of the IT department. The home worker is most likely to choose the most readily available solution, or even the cheapest if costs are not reimbursed. The 2021 HP Wolf Security Report ‘Out of Sight and Out of Mind’ highlights that the majority of users who purchased WiFi devices did not treat security as a major consideration. The report also quantifies home users who had bought devices to support home working. These figures are based on a sample of 8,443 respondents who had worked in offices but also spent some time working from home.

| Device          | Global | UK  |
|-----------------|--------|-----|
| PC or Laptop    | 29%    | 14% |
| Printer         | 16%    | 8%  |
| Internet Router | 15%    | 4%  |
| Tablet or iPad  | 11%    | 5%  |

Printers have been identified as a notable security risk, and not only because of any documents they might store locally. As networked devices they could be accessed remotely and used as an entry point to compromise a network.

The proposed UK Product Security and Telecommunications Infrastructure legislation will place some security control on network-connectable products. In the USA a Cyber Trust Mark has been proposed to identify more secure devices, although the standards this would impose have yet to be worked out. For the present the onus is still on the purchaser to buy wisely.

Unregulated web services are another threat to organisations. Cloud services are being used to share data, facilitate web conferencing or host third-party tools. A service such as OneDrive might be used to share corporate data between work and home. As it is an easy-to-use and relatively large data store, it is not unlikely that a user will also add personal files or might use the cloud to transfer sensitive information out of an organisation. A web-based tool might offer some required business functionality, such as the many services that convert PDF documents to editable text. Such a service may be benign or could host malware or spyware which will at the very least clog up the target computer, affecting productivity.

Although policies and device control could be used to completely outlaw shadow IT, there are relatively straightforward means to mitigate its effect within an organisation. The actual needs of users should be considered and solutions provided within the corporate environment. The use of third-party services can be deduced from web logs or informal staff discussions. If a particular service is required, it would be best to source a reliable solution for use in-house. For example, if working extensively with PDF files, consider the options available from Adobe itself. Penalising users for using unauthorised devices or services is probably counterproductive as it will deter others from admitting to their use. Having a robust cyber security culture that also allows employees to communicate freely about IT issues will facilitate identifying possible use of shadow devices and putting alternative solutions in place.
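
One way to deduce third-party service use from web logs, as an added example that is not part of the original post. The log format (timestamp, user, method, host, bytes uploaded), the host names and the list of sanctioned domains are all assumptions constructed for illustration; the output ranks unsanctioned services by how many staff use them, which points to the business need that should be met in-house.

```python
from collections import defaultdict

# Assumption: domains the organisation has approved (hypothetical names).
SANCTIONED = {"corp.example", "approved-storage.example"}

# Constructed sample lines: timestamp user method host bytes_uploaded
SAMPLE_LOG = """\
2024-05-01T09:02:11 alice POST pdf-convert.example 482133
2024-05-01T09:05:40 bob GET intranet.corp.example 0
2024-05-01T09:07:02 carol POST pdf-convert.example 911200
2024-05-01T10:15:27 alice PUT files.personal-cloud.example 15400321
2024-05-01T10:16:00 dave GET approved-storage.example 0
malformed line
2024-05-01T11:30:09 bob POST pdf-convert.example 120044
"""

def is_sanctioned(host, sanctioned=SANCTIONED):
    """True if host equals, or is a subdomain of, a sanctioned domain."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in sanctioned)

def unsanctioned_usage(log_text, sanctioned=SANCTIONED):
    """Summarise unsanctioned hosts: distinct users, requests, bytes uploaded."""
    stats = defaultdict(lambda: {"users": set(), "requests": 0, "bytes_up": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue  # skip lines that do not match the assumed format
        _, user, _, host, bytes_up = parts
        if is_sanctioned(host, sanctioned):
            continue
        entry = stats[host.lower()]
        entry["users"].add(user)
        entry["requests"] += 1
        entry["bytes_up"] += int(bytes_up)
    # Rank by distinct users first: a widely used service signals an unmet need.
    return sorted(
        ((h, len(s["users"]), s["requests"], s["bytes_up"]) for h, s in stats.items()),
        key=lambda row: (-row[1], -row[3]),
    )

if __name__ == "__main__":
    for host, users, requests, bytes_up in unsanctioned_usage(SAMPLE_LOG):
        print(f"{host}: {users} users, {requests} requests, {bytes_up} bytes uploaded")
```

The suffix match requires a leading dot, so a look-alike such as `notcorp.example` is not treated as part of `corp.example`.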
