Shadow IT: A Growing Global Threat

Shadow IT is widely recognized in the U.S. as a growing security concern, but does the same hold true in other countries? The short answer is yes. According to research from Tenable Network Security, more than half of IT decision makers in UK and German organisations acknowledge shadow IT as a major problem, and the majority of respondents (88%) feel shadow IT makes them more vulnerable to cyberattacks.

Shadow IT is a major problem

The report, State of Security Survey Results, conducted by Vanson Bourne on behalf of Tenable, surveyed 400 IT security decision makers in Germany and the UK across all sectors including healthcare, financial services, government and energy to better understand global trends in cybersecurity and the pain points associated with shadow IT.

Widespread use of shadow IT

Based on the survey results, 55% of UK respondents and 57% of German respondents report shadow IT has been introduced into their organisations’ environments. And 38% of UK respondents and 50% of German respondents expect the use of shadow IT in their organisations to increase in the next year.

Of the organisations currently affected by shadow IT, 65% of German IT decision makers report the use of unknown or shadow assets and applications has directly led to a cyberattack within the last 12 months, compared to 45% in the UK.

The most likely departments to deploy shadow IT are engineering, design/R&D and finance

Over half (56%) of respondents say that there are departments in their organisation that have started their own IT projects without the IT department’s support. The most likely departments to deploy shadow IT within German and UK organisations are engineering (30%), design/R&D (27%) and finance (25%).

Distrust from the IT department

Because the presence of unknown or undiscovered assets makes it difficult for security teams to identify and manage the available attack surface, there has been growing distrust from the IT department.

In fact, respondents believe that products and services such as devices for employees to use for work purposes (BYOD) (48%), IT security software/hardware (45%), and servers/other infrastructure hardware (42%) pose a significant security risk to their organisation when used or purchased without the support of the IT department.

Although many IT decision makers are feeling the pains of shadow IT in their organisations, the answer isn’t to restrict access.

One of the biggest reasons people turn to Dropbox for file sharing, Gmail for email or AWS for infrastructure without working with IT is because these services enable them to do their jobs more efficiently and effectively. Blocking certain cloud applications or shadow assets may help eliminate the technology problem, but it won’t solve the business problem.

Embracing the technology

Instead of placing a black mark on shadow IT, security departments should embrace the fact that employees will continue to use these popular services, and implement a security program that enables IT and the business to focus on the overarching goals and encourage innovation.

Good security starts with great visibility. Before any control is put in place, the issues have to be quantified and the risks identified. Tenable gives the IT security team the visibility needed to identify weaknesses on the network and adopt the best approach, whether it be developing a more robust security policy, offering user education or implementing additional controls that lessen the probability of a cyberthreat.

Good security starts with great visibility

For more information on how Tenable provides organisations with the continuous visibility and critical context necessary to effectively protect the network and secure their assets, check out the Unknown and Shadow Assets solution story.

Thanks to Nicole Cieslak for her assistance with this blog.