On 27 July 2023, the UK’s National Cyber Security Centre (NCSC) published new guidance on what is collectively termed ‘Shadow IT’ to assist organisations in implementing appropriate risk management measures for ‘rogue devices and software’. The guidance helps organisations pinpoint the types of activity that may count as ‘shadow IT’ within their business practices and reduce the associated risk; in particular, it focuses on identifying unknown usage of business assets and mitigating the risk of data leaks and harm to data.

Shadow IT or ‘grey IT’ refers to “unknown assets that are used within an organisation for business purposes,” according to the NCSC. Because such assets have never been explicitly approved by IT, they are neither detected by the organisation’s IT security department nor covered by its risk management policies, measures or systems. The result is potential exposure to data leakage, exfiltration of sensitive personal data, or malware. Typical examples are unapproved uses of third-party software such as cloud-based file-sharing and collaboration tools: Google Drive, Dropbox, Zoom and Skype, to mention a few.

The rise of Shadow IT within organisations is attributed to several factors: remote working, collaboration through cloud-based file-sharing apps, use of personal email to work on company documents over unsecured networks, and shadow IoT (internet of things), an extension of shadow IT to unmanaged connected devices. Users who create ‘Shadow IT’ within an organisation usually have no malicious intent.

How can an organisation mitigate shadow IT?

The NCSC strongly recommends that organisations adopt effective cybersecurity measures to mitigate Shadow IT. Companies should acknowledge when their own policies or processes make it hard for employees to work efficiently. Employers should promote a culture in which employees’ needs are met when particular devices, tools or programmes cause problems, so that issues are solved rather than worked around. Adoption of an adequate asset management system is recommended to record significant information about employees’ devices, their location and their installed software.

Organisations should avoid unnecessary lockdowns of enterprise IT, for example making instant messaging platforms unavailable or preventing cloud-based collaboration between employees. Furthermore, organisations are encouraged to provide a way for employees to gain quick and controlled access to tools and services beyond those normally available.

Technical mitigations include network access controls, UEM (Unified Endpoint Management), CASB (Cloud Access Security Brokers), network scanners, and asset management.
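As an added illustration (not code from the NCSC guidance or from HewardMills), the Python below shows the kind of reconciliation an asset management or scanning tool performs: it compares a constructed approved-asset register against constructed endpoint discovery results and proxy log lines, and flags unknown devices, unapproved installed software and unsanctioned cloud services. All hostnames, software names, domains and log lines are constructed sample data.

```python
from collections import defaultdict

# Constructed approved asset register: hostname -> software approved for that host.
APPROVED_ASSETS = {
    "lap-0123": {"Microsoft Teams", "OneDrive"},
    "lap-0456": {"Microsoft Teams", "OneDrive"},
}

# Constructed output of an endpoint agent or network scanner: hostname -> installed software.
DISCOVERED_SOFTWARE = {
    "lap-0123": {"Microsoft Teams", "OneDrive", "Dropbox"},
    "lap-0456": {"Microsoft Teams", "OneDrive"},
    "lap-0789": {"Zoom"},  # never registered: an unknown device
}

# Constructed web-proxy log lines in the form "<timestamp> <hostname> <destination domain>".
PROXY_LOG = """\
2023-07-27T09:01:02Z lap-0123 content.dropboxapi.com
2023-07-27T09:03:10Z lap-0456 teams.microsoft.com
2023-07-27T09:05:44Z lap-0789 zoom.us
2023-07-27T09:07:12Z lap-0456 drive.google.com
"""

# Constructed list of sanctioned SaaS domains; anything else is unsanctioned cloud use.
SANCTIONED_DOMAINS = {"teams.microsoft.com", "onedrive.live.com"}


def find_shadow_it(approved, discovered, proxy_log, sanctioned_domains):
    """Return (unknown devices, unapproved software per host, unsanctioned SaaS per host)."""
    # Devices seen by discovery but absent from the register are unknown assets.
    unknown_devices = sorted(set(discovered) - set(approved))

    # Installed software not on the host's approved list (unknown hosts have none approved).
    unapproved_software = {}
    for host, installed in discovered.items():
        extra = installed - approved.get(host, set())
        if extra:
            unapproved_software[host] = sorted(extra)

    # Cloud services contacted that are not on the sanctioned list.
    unsanctioned_saas = defaultdict(set)
    for line in proxy_log.splitlines():
        _timestamp, host, domain = line.split()
        if domain not in sanctioned_domains:
            unsanctioned_saas[host].add(domain)

    return unknown_devices, unapproved_software, {h: sorted(d) for h, d in unsanctioned_saas.items()}


if __name__ == "__main__":
    for finding in find_shadow_it(APPROVED_ASSETS, DISCOVERED_SOFTWARE, PROXY_LOG, SANCTIONED_DOMAINS):
        print(finding)
```

The three findings map directly onto the register: the unknown device is the one to be enrolled, and the unapproved software and SaaS domains are the candidates for either sanctioning or removal.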

As a B Corp Data Protection Office, HewardMills is devoted to assisting clients with internal data privacy concerns arising from their business practices. Shadow IT is one of the important issues that HewardMills can help organisations tackle head on to create an effective data privacy culture.

If you would like to discuss this topic or anything else data protection and privacy-related, please contact us at dpo@hewardmills.com.