3 Ways to Reduce Shadow IT

Last Update: Sep 20, 2024 | Published: Sep 09, 2024



In this article, I look at three easy ways to help prevent shadow IT becoming a problem in your business.

Shadow IT isn’t a new problem facing IT departments. But with the explosion in remote working, cloud Software-as-a-Service (SaaS) solutions, and generative AI, it’s become harder than ever to mitigate the risks.

What are the risks of Shadow IT?

Shadow IT, as the name suggests, is the practice of employees using software that hasn’t been officially sanctioned by the business. It poses several challenges to IT departments and risks to the business. Discovering and controlling use of shadow IT can be difficult for IT departments. And businesses face several risks such as:

  • data loss
  • data breaches
  • unauthorized access to data
  • compliance issues
  • reputational damage
  • and much more.

Shadow IT can even extend to unauthorized hardware use. But the biggest challenge is how to control use of unsanctioned apps and software. Here are three ways you can quickly get a handle on the risks of shadow IT.

1. Discover shadow IT in your organization

You don’t know what you don’t know, right? The first step to mitigating the risk of shadow IT is to make sure you can monitor what software and apps employees are using. It’s important to remember that you have to go beyond auditing apps that are installed on end-user devices. Employees could be using cloud services that aren’t officially sanctioned by the business and many endpoint auditing solutions aren’t able to detect software use beyond what’s installed on devices.

[Image: The navigation path in the Microsoft Defender portal for reducing unauthorized SaaS apps and shadow IT (Image Credit: Microsoft)]

Organizations need to take a two-prong approach to discovering the software in use across the business.

  • Traditional endpoint management solutions can generate reports on software installed locally on devices. The discovered apps report in Microsoft Intune can detect the software installed on devices that are enrolled with the service. On-premises solutions, like Microsoft Endpoint Manager (previously Microsoft System Center Configuration Manager), can also generate reports on software installed on managed endpoints.
  • A different approach needs to be taken to detect SaaS use. Microsoft Defender for Cloud Apps analyzes traffic logs and matches the information against a database of over 31,000 known cloud applications. It can then categorize the results and rank the discovered apps based on 90 risk factors.
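As an added illustration of the traffic-log matching described above (example code, not Microsoft’s or any vendor’s), the following Python pass matches proxy log destinations against a small constructed catalogue of known cloud apps, aggregates use per app and user, and ranks the unsanctioned apps by risk. The catalogue, the risk scores, the log format and the log lines are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed catalogue standing in for a vendor database of known cloud apps;
# "risk" is a made-up 1-10 score and "sanctioned" is the business's own decision.
CATALOG = {
    "sharepoint.com":  {"app": "SharePoint Online", "risk": 2, "sanctioned": True},
    "dropbox.com":     {"app": "Dropbox", "risk": 5, "sanctioned": False},
    "chat.openai.com": {"app": "ChatGPT", "risk": 7, "sanctioned": False},
}
# Constructed proxy log format: <timestamp> <user> <destination host> <bytes sent>
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<host>[\w.-]+)\s+(?P<bytes>\d+)$")

def lookup_app(host):
    """Longest-suffix match of a host against the catalogue; None means not catalogued, not safe."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        entry = CATALOG.get(".".join(labels[i:]))
        if entry:
            return entry
    return None

def discover(log_lines):
    """Aggregate traffic per discovered app: distinct users and bytes uploaded."""
    report = defaultdict(lambda: {"users": set(), "bytes": 0})
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        entry = lookup_app(m["host"]) if m else None
        if entry is None:
            continue  # malformed line or host not in catalogue: skipped, not guessed
        rec = report[entry["app"]]
        rec["users"].add(m["user"])
        rec["bytes"] += int(m["bytes"])
        rec.update(risk=entry["risk"], sanctioned=entry["sanctioned"])
    return dict(report)

def unsanctioned(report, min_risk=1):
    """Unsanctioned apps at or above min_risk, highest risk and most upload first."""
    hits = [(a, r) for a, r in report.items() if not r["sanctioned"] and r["risk"] >= min_risk]
    return sorted(hits, key=lambda ar: (-ar[1]["risk"], -ar[1]["bytes"]))

SAMPLE_LOG = [  # constructed sample, not real traffic
    "2024-09-09T08:01:12Z alice contoso.sharepoint.com 20480",
    "2024-09-09T08:03:40Z bob www.dropbox.com 5242880",
    "2024-09-09T08:05:02Z carol chat.openai.com 8192",
    "2024-09-09T08:06:55Z bob chat.openai.com 4096",
    "2024-09-09T08:07:10Z dave intranet.contoso.local 1024",
    "not a log line",
]
```

Calling `unsanctioned(discover(SAMPLE_LOG))` returns ChatGPT (two users, 12288 bytes) ahead of Dropbox, while the internal host and the malformed line are ignored rather than misclassified.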

Nudge Security takes a unique approach by monitoring incoming emails. If an email looks like a cloud service registration, Nudge Security adds the relevant information to the inventory of SaaS and cloud apps.

Microsoft Copilot and other generative AI solutions, like ChatGPT, also pose threats. Users could share sensitive business information with unsanctioned services. Considering the risks of early adoption of AI services, organizations must ensure that they are able to control how information is used and mitigate some of the security risks that have been identified with generative AI.


Join Petri.com and Garrett Gross, Head of Product Success at Nudge Security, September 19th for a webinar on ‘Why SaaS Sprawl and GenAI Require New Approaches to IT Governance’. Register now to watch live or on-demand to make sure shadow IT doesn’t pose a risk to your organization.

2. Provide quick and easy access to the right tools

Giving users the right tools to get their jobs done is a good way to ensure they are less likely to circumvent IT policy. If you make things difficult for people, they find ways around them, and software is no different.

Encourage teams to undertake regular reviews and score how satisfied end users are with the software they use. This process can also unearth use of unsanctioned software, and you can establish why users have been compelled to find alternatives to the solutions officially made available to them.

Don’t let users wait days or weeks to get access to the apps they need. Make sure your organization has processes in place to onboard new users quickly and to provide the software and access required for new and existing employees.

3. Create a policy that explains the risk of Shadow IT

You don’t know what you don’t know – and people don’t know what they don’t know. It’s an IT department’s responsibility to spell out to the organization and end users why using unsanctioned software and services poses a risk to the business.

When writing an IT policy on shadow IT, explain that the policy exists to protect the business and its data, not simply to restrict access to apps and services that might otherwise be beneficial. Offer a process for departments and employees to suggest officially adopting new software and hardware.

Blocking tools without engaging in discussions can lead to resentment

With the right tools and policies in place, organizations can manage the risk shadow IT poses. Remember that simply blocking tools without engaging in discussions can lead to resentment. IT departments should be aware of the software in use across the business and also be prepared to adapt to changing needs as users discover new and better ways of doing business, leading to new efficiencies and growth while at the same time minimizing risk.
