What you do not know certainly can hurt you. IT professionals can only protect machines they know exist. That is step one in IT security.
You cannot protect machines and the networks they run on unless you know exactly what is on those machines. Understanding what software is installed is step two.
If you run a shop with tight controls on user privileges, you may have less unauthorized software to worry about, but many problematic Shadow IT apps can still be installed or run. At the same time, not all end users are on lockdown, particularly managers, executives and those in IT themselves. They have free rein to load software that offers an attack surface.
This Shadow IT undercurrent creates huge problems. In some cases, cloud-based applications are a vector for malware. Cloud apps, such as Dropbox and other file sharing systems, are a source of data leakage, often performed through credential cracking.
The Rise of Shadow IT
Shadow IT rose much like the birth of the PC as a business tool decades ago. Users and departments took it upon themselves to buy and deploy these devices to get work done – bypassing the IT chain of command.
The same thing is happening with applications today. The freedom of the PC has gotten users used to choosing their own software, and so they download what they need whether on an approved list or not.
Cloud services are making matters worse. While many apps, such as Office 365 and Salesforce, are IT-approved and licensed, more and more cloud apps are running under the nose of IT. Yet IT is still charged with protecting the entire network.
Much Shadow IT actually comes out of corporate budgets – just not from IT funds. Gartner studies show that Shadow IT is 30 percent to 40 percent of IT spending in large enterprises, and research by Everest Group found that money spent outside of IT budgets on IT makes up more than half of all IT spending. Further, ServerCentral projects that 90 percent of IT spending will occur outside of the IT organization within the next decade.
It is no surprise that Shadow IT is this prevalent, as the applications are compelling, and either free or easy to buy online.
Meanwhile, many in IT simply shut down user privileges, leaving admin rights to a chosen few. But this can needlessly hobble workers, and sometimes force them to go around these controls. And many cloud apps can be used without any admin privileges anyway.
A Better Way Forward
Rather than completely curtail what software your workers can use, a better approach is to know what software exists, such as through asset inventories, and manage these applications by keeping them patched and updated.
Unfortunately, most IT shops ignore the problem. In fact, a mere two-thirds of businesses focus at all on managing third-party applications, the 2018 Kaseya MSP Benchmark Survey Results Report found.
The Software Management Answer
Software management, which goes far beyond patching approved applications, can take rogue software out of the shadows. This approach makes sure that all operating systems and third-party applications are up to date, and therefore as secure as possible. Part of this is scanning your network and endpoints to discover and inventory all applications, and where they reside.
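As an added illustration (not from the original article and not Kaseya's code), the Python example below reconciles a discovered endpoint inventory against an approved catalogue, separating unapproved applications from approved ones that are below a minimum patched version. The host names, version numbers and catalogue are constructed sample data, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed catalogue: approved app -> minimum patched version (not real baselines).
APPROVED = {"google chrome": "120.0.6099.130", "7-zip": "23.01", "zoom": "5.17.0"}

# Constructed inventory rows as a discovery scan might report them:
# (host, application, installed version).
INVENTORY = [
    ("fin-lt-01", "Google Chrome", "120.0.6099.130"),
    ("fin-lt-01", "Dropbox", "190.4.6182"),
    ("exec-lt-07", "google chrome ", "119.0.6045.200"),
    ("exec-lt-07", "Dropbox", "188.4.6302"),
    ("it-ws-03", "7-Zip", "23.1"),
    ("it-ws-03", "Zoom", "5.9.1"),
    ("it-ws-03", "AnyDesk", "8.0.6"),
]

def norm(name):
    """Case- and whitespace-insensitive key so 'google chrome ' matches the catalogue."""
    return " ".join(name.lower().split())

def vkey(version):
    """Numeric tuple of the version's digit groups: '5.9.1' -> (5, 9, 1)."""
    return tuple(int(n) for n in re.findall(r"\d+", version))

def older(installed, minimum):
    """True if installed < minimum, comparing numerically and padding with zeros
    so that '5.9.1' < '5.17.0' and '5.17' == '5.17.0' (string compare gets both wrong)."""
    a, b = vkey(installed), vkey(minimum)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))

def reconcile(inventory, approved):
    """Return (unapproved app -> set of hosts, sorted list of outdated approved installs)."""
    unapproved = defaultdict(set)
    outdated = []
    for host, app, version in inventory:
        key = norm(app)
        if key not in approved:
            unapproved[key].add(host)          # Shadow IT: not in the catalogue
        elif older(version, approved[key]):
            outdated.append((host, key, version, approved[key]))
    return dict(unapproved), sorted(outdated)

if __name__ == "__main__":
    shadow, stale = reconcile(INVENTORY, APPROVED)
    for app, hosts in sorted(shadow.items(), key=lambda kv: -len(kv[1])):
        print(f"UNAPPROVED {app}: {sorted(hosts)}")
    for host, app, have, need in stale:
        print(f"OUTDATED   {host} {app} {have} < {need}")
```

Unapproved applications are listed with the widest-spread first, which gives a starting order for deciding whether to approve and patch an application or remove it.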
How to Protect Against Shadow IT
VSA by Kaseya reduces the dangers Shadow IT poses by tracking and then updating and patching all third-party applications. To learn more, download our eBook, How to Avoid Being Spooked by Shadow IT or check out our on-demand webinar.