An Examination of Shadow IT

Today’s Shadow IT and the Introduction of Shadow Data

The umbrella of Shadow IT has expanded from the term’s conventional uses from the late 1990s to the late 2000s. Today, Shadow IT, sometimes referred to as “Stealth IT”, now encompasses the use of cloud-based storage, collaboration, and productivity services, in addition to conventional software- and hardware-based vectors (Christopher, 2016). The prevalence of “SaaS”, or software-as-a-service, solutions has expanded the threat presented by Shadow IT from conventional vulnerabilities in an organization’s network to include where and how data are stored (Christopher, 2016).

This new, widespread threat to firms that has arisen from the use of both rogue and approved SaaS systems has been dubbed “Shadow Data” (Betts, 2016; Thomchick, 2017). Broadly defined, Shadow Data “includes all the sensitive content that users upload, store and share via the cloud, whether they use shadow IT or permitted apps” (Betts, 2016). It is important to note that even centrally operated and properly configured services such as Box.com or Office 365 can expose firms to compliance and data governance liabilities (Betts, 2016). As revealed by a recent IBM survey, “one third of Fortune 1000 employees are regularly saving and sharing company data to external cloud-based platforms” (Computerworld, as cited in Silic, et al., 2017).

At least one element of today’s Shadow IT has remained in line with previous years’ trends: spending. An estimated 35% of the average enterprise’s IT expenditure is used for Shadow IT purchases, which is up from 10% in the late 1990s and 30% in the early 2000s (Gartner, 2015 as cited in Meyer, 2015; Pisello, 2004). In addition to increased levels of spending, some surveys have shown that firms’ central IT departments “control less than 50% of corporate technology expenditures” (PwC, as cited in Silic et al., 2014).

Many firms may still lack information about these software purchases and SaaS subscriptions as employees and departments within departments bypass traditional procurement processes and instead use corporate or personal credit cards for purchases (Christopher, 2016). The consumerization of IT may be one reason that cloud-based Shadow IT has grown in prevalence (Walters, 2013).

Despite the inclusion of SaaS offerings and threats presented by Shadow Data, the use of shadow hardware still persists within enterprises as it did in the terms early use. The “bring your own device”, or “BYOD” trend was hotly debated in 2012 and 2013, and remains an ongoing trend in 2017 (Walters, 2013; Collet, 2017). “Almost half of information workers today are using bring-your-own laptops, 68 percent are using their own smart phones, and 69 percent are bringing their own tablets at work” (Forrester, 2017, as cited in Collet, 2017). If a firm does not exercise controls over its employees’ personal devices, which may present legal challenges, then the threat of conventional rogue software use as well as vulnerable devices grows (Walters, 2013).

Modern-day Shadow IT and accompanying Shadow Data can present a great amount of risks to organizations. During the first quarter of 2017, McAfee Labs detected more than 1.5 million incidents of mobile malware (McAfee, as cited in Collet, 2017). The probability of mobile devices being vulnerable to malware, software exploits, and data interception is especially great because “security is still not a top priority in app design, with some apps allowing users to store or pass credentials in the clear or by using weak encryption” (Collet, 2017).

As exemplified by the spread of Pegasus spyware and its variants, many iOS and Android mobile devices are susceptible to mobile spyware that can be used to exfiltrate stored data, obtain access to enterprise networks, capture users’ credentials, and activate voice recording and GPS tracking (Collet, 2017). In addition to stealing data and accessing networks, compromised mobile devices can be used to generate fraudulent ad revenue for bad actors, which could have negative consequences on corporate networks (Collet, 2017).

The risks presented by Shadow Data stored in both Shadow IT and legitimate systems can also present serious risks to organizations (Betts, 2016; Thomchick, 2017). A 2017 Symantec report showed that enterprises broadly shared 20% of all files in cloud-based storage applications, and 29% of emails in cloud apps (Thomchick, 2017). “To be classified as ‘broadly shared’, a file must be shared with the entire organization, an external third party, or publicly with anyone who has a link to the file” (Thomchick, 2017). According to the same Symantec report, 9% of broadly shared emails contained some kind of sensitive or confidential content; of those emails, 64% contained PII, 9% contained ePHI, and 27% contained payment card data (Thomchick, 2017).

Repositories for Shadow Data can include a number of systems besides email and online storage platforms; CRM (customer relationship management) platforms, EMR (electronic medical record) systems, student information systems, and coding or development platforms all have cloud-based versions that store sensitive data (Betts, 2016). A 2016 report by cloud security firm Elastica examined data use under this expanded definition (Betts, 2016). The report showed that 25% of the 63 million documents stored by the firm’s clients were broadly shared; 12.5% of those broadly shared documents “contained sensitive or compliance-related data” (Andrews, as cited in Betts, 2016). Additionally, more than 23% of all documents covered in the report’s scope were shared publicly and accessible by anyone with the appropriate link, which could be obtained via automated web crawlers or Google searches (Andrews, as cited in Betts, 2016). It should be noted that all companies in the sample examined in the Elastica report had at least taken the step to engage with a cloud security firm; the overall scope of broadly shared Shadow Data may be greater if other firms that did not employ the use of cloud security consultants were to be examined.

Data breaches, exfiltration, and inadvertent or over sharing can have serious consequences for organizations. In incidents where data governed by laws such as HIPAA, fines alone can greatly affect revenues. “A New York-based hospital recently lost $4.8 million for HIPAA violations after the electronic protected health information of 6800 patients appeared on the Internet due to Shadow IT usage by a hospital employee” (McCann, 2014, as cited in Silic et al., 2017). International laws and regulations will soon have the potential to affect business, even if they do not operate in those countries. In May, 2018, a new information security framework from the European Union called General Data Protection Regulations, or the GDPR, will take effect (Burgess, 2017). The regulations pertain to how organizations collect, store, and handle information about EU citizens throughout the data lifecycle, with broad provisions for enforcement for violations (Burgess, 2017). In essence, the enforcement provisions allow for an international jurisdiction for enforcing the policy, and could result in “fines of up to €20 million or four per cent of a firm’s global turnover (whichever is greater)” (Burgess, 2017). While the GDPR still has yet to take effect and no legal precedents for these specific fines have been established, this law underscores the threat of Shadow Data can present to firms if improperly handled.

In addition to fines, reputational losses can greatly impact businesses. For example, Target’s 2014 Q4 net earnings were down 46% from the same time the previous year after news of its payment card data disclosure incident broke (Harris, 2014). For smaller businesses, cyber attacks can present existential threats (Miller, 2016). After experiencing incidents such as ransomware or data breaches, 60% of small companies are unable to sustain business over the following six months as they face difficulties restoring data, recovering from reputational losses, and settling legal problems (Miller, 2016). The use of Shadow IT and platforms housing Shadow Data can increase the likelihood of such business-ending incidents (Noyes, 2007; Silic, et al., 2013; Christopher, 2016).

Shadow Data, driven by Shadow IT acquisitions, can make lawsuits and investigations more complicated and costlier. A joint ReREz/Symantec report from 2013 showed that 34% of businesses surveyed had at some point been requested to produce electronically stored information; of those that received requests for information, 41% were unable to comply because they were unable to retrieve the necessary data (Walters, 2013). As a growing number of employees use multiple devices to conduct businesses, capturing data such as browser history can become more challenging, especially if a firm’s policies allow the use of BYOD practices (Walters, 2013).

What Causes Shadow IT in Organizations?

Many organizations have policies regarding the use and procurement of software and services (Silic, et al., 2017). Despite these policies, Shadow IT, both in conventional software and SaaS-based forms, is prevalent throughout most organizations across all sectors and can present threats to firms and their data (Silic, et al, 2017; Noyes, 2007; Walters, 2013). In order to mitigate this threat, it is important to understand the reasons why Shadow IT exists in firms.

Since the term’s inception, Shadow IT has been the result of unmet needs of non-IT business units that made a trade-off of long-term integration costs for short-term productivity gains (Pisello, 2004). Once individuals or departments choose to use Shadow IT applications, their use can quickly expand. “The ‘viral effect’ is important for greynet software as its popularity amongst employees is strongly linked to the network effects” (Anderson and Moore, 2006, as cited in Silic et al., 2014).

In a 2017 study seeking to explain why individuals within organizations violate policies surrounding Shadow IT software and services, Silic et al. examined the effects of neutralization theory and deterrence theory on end-user behavior. In the context of behavior, neutralization refers to “rationalizing or justifying an immoral or illegal act,” and suggests that “those who commit illegal or illegitimate actions may ‘neutralize’ certain values which, in other situations, would prohibit them from committing these same actions” (G. Sykes & Matza, as cited in Silic et al., 2017). Similarly, deterrence theory proposes that “undesirable behavior can be deterred not only by formal sanctions, but also by informal sanctions and shame” (Silic et al., 2017). Five types or techniques of neutralization were referenced by Silic et al. in the study: “In original work on neutralization theory, Skykes and Matza explained five types of neutralization: (1) denial of responsibility (person defines him/herself as lacking responsibility); (2) denial of injury (minimizes the action and the harm it can cause); (3) denial of the victim (offender believes that the victim deserved whatever action the offender committed); (4) condemnation of the condemners (one’s behavior is neutralized by blaming the targets of the action); and (5) appeal to higher loyalties (the benefit of violation is superior to the cost of violating a law or policy). (Skykes and Matza, 1957, as cited in Silic et al., 2017)

The “denial of responsibility” neutralization technique was found by previous studies to be significantly correlated with both the intent to violate polices about the use of computers, and the belief that this behavior was acceptable (Harrington, 1996, as cited in Silic et al., 2016). In the 2017 study by Silic et al., the researchers suggested that different neutralization techniques may be used to rationalize different kinds of behaviors (Silic et al., 2017). For example, the techniques used to justify the purposeful theft or destruction of data may be different than the techniques used to rationalize the use of unapproved software. “Metaphor of the ledger”, a sixth neutralization technique identified in the report, is the rationalization of taking an action by weighing the potential harm it may cause with the benefits received (Silic et al., 2017).

To explore the effects of neutralization and deterrence, the researchers conducted surveys of end users at several large organizations from varied industries (Silic, et al., 2017). These responses were then with actions taken by respondents and their employers’ information security policies (Silic, et al., 2017). The study resulted in two key findings for practitioners. First, “the ‘metaphor of the ledger’ technique is particularly salient for employees considering using Shadow IT in violation of organizational security policies” (Silic et al., 2017). The “metaphor of the ledger” technique may have been a primary driver of decision makers in the late 1990s as Shadow IT first began to appear within organizations, and could explain the rapid rise of firms’ overall spending on Shadow IT (Pisello, 2004; Silic et al., 2017).

The second major finding of the study was that “neutralization has similar effects on intentions and behavior,” which “strengthens the validity of previous research that only measured intentions without measuring actual violations of security policies” (Silic et al., 2017). For practitioners and organizations seeking to mitigate the use of Shadow IT and its associated risks, this finding is important because it can, among other things, help shape policy development and security awareness training curricula.

Risk Mitigation Strategies for Shadow IT

Shadow IT, and subsequently Shadow Data, clearly presents a number of risks to organizations. While risk can usually never be entirely removed from an organization, it can be mitigated. The following risk mitigation strategies are primarily geared toward firms operating in the United States. Laws in other jurisdictions may affect whether some risk mitigation techniques may be implemented, and culture of organizations and the area in which they operate may affect how risk should be addressed with employees and other stakeholders.

Thoughts?