Shadow IT, or technology that is used without being documented or vetted by cybersecurity personnel, poses a serious risk to both the organizations that use it and their customers. When used internally, shadow IT potentially exposes your systems and assets to the kinds of risks that would typically be caught and managed by your cybersecurity team, meaning a breach or risk event could occur without the proper actions and disclosures taking place. When your third parties use shadow IT, they make it difficult for your procurement team to accurately gauge the risk you’re onboarding when you do business with them—after all, if a piece of technology goes undocumented, it will not show up on your vendor assessment questionnaires. Luckily, there are steps you can take to mitigate shadow IT risk both internally and at the vendor level.
First, your executive leadership must commit to putting policies, procedures and controls in place to vet technology before it goes into use. This means restricting who can install or purchase software and putting up gates before the purchase takes place, such as a policy that prevents the finance team from approving spend until it has passed Security and Legal reviews. Additionally, you may decide to put alerts in place that notify your IT team when new software is installed, and to audit company machines to ensure compliance. Finally, you’ll want to implement restrictions on the use of cloud-based software based on reputation.
Once you’ve instituted the correct policies to protect your systems and assets, you must take measures to inform all employees and users of the steps you’ve taken. You may decide it’s worth taking the time to institute training, either in-person or online, that outlines each of the controls you’ve put in place and the purpose each serves. Otherwise, it may be best to communicate with the leadership of each business unit and let them brief their own employees. What’s important is that the people involved with your organization understand the cost of using shadow IT and the steps they must take to document and approve software purchases.
Shadow IT isn’t only a threat within the organization, though, and that is why Security and Legal reviews are such an essential facet of the vendor onboarding process. If internal shadow IT protections involve implementing new policies and controls, then protecting against shadow IT at the vendor level means taking advantage of the onboarding process to ensure that your vendors have matching controls in place. Obviously, the scope of your audit will depend on the risk the vendor represents and the data they have access to, but it’s crucial that you understand their security policies. Because shadow IT doesn’t show up in documentation, you must vet potential third parties for the appropriate protections.
It can be difficult to keep track of the risk that faces your organization, both from inside and out. ProcessUnity for Cybersecurity Risk Management simplifies risk data collection and controls attestation throughout your organization, providing a single view of cybersecurity posture. The platform transforms how you manage cyber risk with automated control mapping, configurable assessment workflows and real-time reporting.