There has been a great deal of debate about the impact of shadow IT on a company’s bottom line.  Briefly defined, shadow IT is when software, systems, or services that would normally be procured and managed through an IT department are developed, installed or used without regards to input from IT or security.  Although advocates of shadow IT often cite the creativity and flexibility it affords employees, there are very real security concerns about technologies set up outside of normal IT processes.  Implementation without sufficient thought to security, interoperability, maintenance, or quality of output make shadow IT a poor choice for almost any business.

So, what is the best choice for a company?  The simple answer: it depends. While there is validity to both viewpoints in the debate, businesses should ultimately choose their direction based on the need for their system to maintain a baseline. This can be either in support of certification and legal requirements or, for meeting internal policies in treating sensitive or company proprietary data.

From a compliance perspective, there are major concerns with shadow IT. Employees procuring and implementing their own software, systems or services invariably fail to implement even rudimentary security controls such as changing default passwords, patch management, log correlation, or security monitoring.  Asset tagging and location tracking would also probably not occur to the casual user.  A lack of compliance can cause “findings” (noncompliance with regulations or procedures).   This can lead to audit failures, possible decertification of the system, loss of company proprietary or critical data, or loss of public trust in the business.

Systems and software placed on a network without IT/Security awareness will more than likely remain unpatched.  This can easily result in vulnerabilities and entry methods for threat sources.  Because logs for unknown systems likely aren’t sent to central correlation and aren’t regularly reviewed, intrusions or unauthorized access at these endpoints can go unnoticed for months, or might never be discovered at all!  Without proper log distribution, such intrusions may not be exposed unless and until the intruder attempts to jump to other protected and monitored nodes or subnets.

Business owners should be vigilant when it comes to what kind and how much shadow IT services are operating. In fact, in a recent Cisco survey of CIOs, most stated they estimated 50 cloud services were running in their company, when in fact it was over 730. Accommodating the latest trends, wants and needs of a workforce is nice to have but, not at the expense of your protection.