3 Steps to Managing Shadow IT Risk
The question isn’t “Does my organization have Shadow IT?” but “How much?” In 2020, Gartner estimated that a third of successful attacks experienced by enterprises will be on their shadow IT resources. Shadow IT refers to information technology (IT) projects that are managed outside of, and without the knowledge of, the IT department.
While Shadow IT is not a new problem, it is growing exponentially in size. It’s estimated that 40% of all IT spending at a company occurs outside the IT department. This rapid growth is partly driven by the rapid adoption of cloud-based services and applications.
Shadow IT poses a problem for organizations in a variety of ways, but here are some of the most common challenges we see with customers:
- Applications are protected by weak or default credentials
- Storage is misconfigured, exposing confidential data
- Services are mistakenly exposed over the internet
In summary, Shadow IT presents unexpected change and unknown risks. Instead of viewing Shadow IT merely as a threat, we encourage our customers to embrace a mindset for proactively managing risk resulting from Shadow IT.
To help you get started on this path, we’ve outlined the following three steps to help you regain control of your security posture:
1. Discover Your Unknowns
The first step is identifying the extent of your shadow risk. Did you know that the average enterprise business uses over 1,400 cloud services? This clearly can be a daunting task. We recommend starting by viewing your company like an attacker. If you were attacking your organization, what tactics, techniques, or procedures would you use? While this is something your IT team can manage in-house, having an outside perspective and professional guide you through this process has significant benefits. Learn more about some of the ways MacroNet could help you perform a Shadow IT risk audit here.
The goal of this first step is to discover your company’s attack surface, monitor it for change, and compare the findings against your existing security stack.
2. Prioritize Your Discovered Targets
Establish a prioritization framework with your team to guide you on where to take action. We recommend you use the common risk formula of likelihood x impact to help prioritize your targets by risk.
Likelihood should identify the targets most likely to elicit action from an attacker. When determining likelihood, we suggest considering weakness and enumerability and, as your program matures, applicability and research potential.
Impact can be thought of as: if this software were compromised, how much closer would the attacker be to your company’s most valuable data? Two factors to consider are criticality (or security boundary) and cost of compromise.
At this point, it’s time to take action. While it sounds simple, having a dedicated execution team is beneficial, and the most successful teams build this into a continuous process. Identify which items you will monitor and manage on a daily, weekly, and monthly basis.
Our most important piece of advice is that this is not something you can simply fix and leave. It needs to be a proactive and continuous process in order to fully strengthen your IT posture.
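The likelihood x impact prioritization from step 2 and the daily/weekly/monthly cadence from step 3, worked through as an added example (not MacroNet code). The factor weights, the 1 to 5 scoring scale, the cadence thresholds and the three discovered assets are all assumptions constructed for illustration; tune them to your own program.

```python
"""Rank discovered assets by likelihood x impact and assign a review cadence."""
from dataclasses import dataclass

# Assumed weights for the likelihood and impact factors named in the article.
LIKELIHOOD_WEIGHTS = {"weakness": 0.4, "enumerability": 0.3,
                      "applicability": 0.2, "research_potential": 0.1}
IMPACT_WEIGHTS = {"criticality": 0.6, "cost_of_compromise": 0.4}


@dataclass
class Asset:
    name: str
    factors: dict          # each factor scored 1 (low) to 5 (high)
    known_to_it: bool      # False: found by discovery but absent from IT's inventory


def weighted(factors: dict, weights: dict) -> float:
    """Weighted average of the listed factors; rejects scores outside 1..5."""
    for name in weights:
        if not 1 <= factors[name] <= 5:
            raise ValueError(f"{name} must be scored 1..5, got {factors[name]}")
    return sum(factors[name] * w for name, w in weights.items())


def likelihood(a: Asset) -> float:
    return weighted(a.factors, LIKELIHOOD_WEIGHTS)


def impact(a: Asset) -> float:
    return weighted(a.factors, IMPACT_WEIGHTS)


def risk(a: Asset) -> float:
    """Common risk formula: likelihood x impact, on a 1..25 scale here."""
    return round(likelihood(a) * impact(a), 2)


def cadence(score: float) -> str:
    """Assumed thresholds mapping a risk score to a monitoring cadence."""
    return "daily" if score >= 16 else "weekly" if score >= 9 else "monthly"


def prioritize(assets: list) -> list:
    """Highest-risk first; each row is (name, risk, cadence, is_shadow)."""
    rows = [(a.name, risk(a), cadence(risk(a)), not a.known_to_it) for a in assets]
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed sample: two shadow assets and one sanctioned, inventoried service.
SAMPLE = [
    Asset("marketing-bucket", dict(weakness=5, enumerability=5, applicability=4,
          research_potential=2, criticality=4, cost_of_compromise=4), known_to_it=False),
    Asset("dev-jenkins", dict(weakness=4, enumerability=3, applicability=3,
          research_potential=3, criticality=5, cost_of_compromise=3), known_to_it=False),
    Asset("corp-wiki", dict(weakness=2, enumerability=2, applicability=2,
          research_potential=1, criticality=2, cost_of_compromise=2), known_to_it=True),
]

if __name__ == "__main__":
    for name, score, when, shadow in prioritize(SAMPLE):
        print(f"{name:18} risk={score:5.2f} review={when:8} shadow={shadow}")
```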
Managing risk from Shadow IT can feel like a challenge, but you can measurably reduce your risk by automating the process and incorporating proactive elements that take some of the burden off your team. To learn more about building a Shadow IT risk management plan, use the link below to speak with a MacroNet Shadow IT expert. We would be happy to help you quantify Shadow IT risk and guide you in taking action.