by Mendy Newman
Posted on March 14, 2023
Shadow IT – unauthorized apps, software, or IT resources used by employees for workplace tasks – poses risks for any company that is concerned about cybersecurity. For highly regulated industries, such as finance, those risks are particularly significant.
In regulated industries, there are specific restrictions and disclosure requirements for different types of communications with clients. For instance, when offering loans or investments, certain warnings must be clearly provided to ensure that customers are aware of financial risks. Internal communications as well as those with vendors may also be subject to regulations and standards.
To ensure compliance and reduce potential exposure to significant fines, business communication channels used in these industries are often monitored and archived to create audit trails. Business conversations conducted via personal emails or non-business versions of instant messenger apps like WhatsApp leave no trail – a feature that employees might exploit when trying to fly under the compliance radar.
Similarly, transferring data via systems that are not properly secured, such as sending files via a personal Gmail account or uploading them to Dropbox to work on at home, exposes businesses to the risk that sensitive information will be leaked, and to the regulatory consequences that follow. Even a personal version of the same app used by a business, such as a user’s personal Microsoft OneDrive account, lacks the proper configuration and security controls, since it is not under the control of the corporate IT department.
In most cases, as in the early days of the pandemic, the motive for using shadow IT is nothing more nefarious than simple convenience. But still the dangers – both regulatory and cybersecurity – remain.
In recent months, several businesses in the financial services sector were each fined hundreds of millions of dollars when regulatory agencies found that employees had conducted business using unauthorized messaging apps and bypassing procedures required for regulatory compliance.
Shadow IT proliferated during the pandemic-driven move to work-from-home and has continued in its wake. IT staff were overwhelmed by the sudden demand to enable remote work, and employees found many company-provided solutions inconvenient or difficult to use. Taking the initiative, many workers came up with unauthorized workarounds that made their lives easier – but that also exposed their employers to cyberthreats as well as potential penalties from regulators.
The list of common productivity tools that employees may use without authorization is long. It includes messaging apps such as WhatsApp, Telegram, Viber, and Messenger, and cloud storage such as Dropbox, Google Drive, and iCloud. Apps like Microsoft OneDrive and Google Drive are “shadow IT” when employees use their personal accounts, even if the same solutions are used by their workplace.
The risks from shadow IT are significant, in terms of cyberattacks as well as compliance. In addition to the direct costs, which may include ransoms paid, recovery costs and business lost during shutdowns, there is harm to the company’s reputation and penalties if the company is found to have violated legal requirements to protect customer data. With laws that require the protection of all personally identifiable information (PII), such as the General Data Protection Regulation (GDPR) in the European Union, even companies that are not subject to strict industry regulation are potentially exposed to regulatory penalties in the event of a data breach.
For organizations in highly regulated industries, the considerations differ somewhat. Messaging apps such as WhatsApp or Telegram, for instance, pose minimal risk of data loss when used for communications between coworkers, since most messaging apps are end-to-end encrypted (E2EE). Rather, the concern is that communications cannot be monitored for regulatory compliance or recorded for audit trails.
Shadow IT can also take the form of employees using personal devices for company business when policies require all business to be done on company devices. Having company data on personal devices introduces the risk of compromise as well as the risk of physical loss of the device.
One reason remote workers might turn to shadow IT is convenience – or rather, avoiding the inconvenience associated with too many business cybersecurity controls, especially those required when working from home. Providing a secure and compliant solution that is easy to use even from users’ personal, unmanaged devices can eliminate the temptation to turn to non-compliant solutions. Restricting access so that it is possible only via that secure and compliant solution is even better.
A secure, clientless access solution such as ZTEdge Desktop can provide an easy way for remote users to access server-based IT assets without having any actual data on their remote devices. When work is conducted through a secure portal in this way, the IT staff has visibility into everything that employees do.
ZTEdge Web Application Isolation goes beyond remote access to enable secure, cloud-delivered access to business collaboration and productivity platforms like Microsoft 365, Salesforce and Zoom even from unmanaged/BYOD devices. This clientless Zero Trust Network Access (ZTNA) solution enables policy-based control of what resources users can access and what actions they can take. Crucially, it restricts browser-based activity such as uploading and downloading data and copy, paste and print functions to prevent data exfiltration to Shadow IT.
In addition, if IT and security teams do permit downloads or uploads, they can set policies to ensure file transfers are scanned by tools like DLP and CDR to prevent data loss and eliminate cyber threats. Finally, by enabling access solely through the Ericom Global Cloud, organizations can eliminate the risk of criminals accessing their apps and data via stolen credentials.
Yesterday’s cybersecurity solutions were not designed for today’s brave new world in which employees can access their companies’ digital assets, regardless of whether they’re on company servers, in the cloud or on web apps, from anywhere and from any device. The ZTEdge SSE Platform is designed from the ground up to provide the flexible cybersecurity controls organizations need in today’s complex hybrid work environment.