No, Shadow IT Isn't Going Anywhere: What CISOs Must Do Now

Apu Pavithran, CEO and Founder, Hexnode

September 13, 2023

3 Min Read
Shadow of a hand on a white wall. Five fingers. Stop.
Elly Miller via Alamy Stock

Businesses today are battling to maintain visibility over their networks and endpoints. But shadow IT further complicates things. This clandestine practice, which sees employees use technology and applications beyond the purview of IT, poses significant risks to data security and business operations.

The allure of shadow IT lies in its promise to elevate efficiency and versatility. Driven by the need to accomplish tasks effectively, employees often turn to unsanctioned software or cloud services without fully comprehending the risks. The intention is pure, but the result can be downright dangerous.

Just look at the latest and most popular iteration of shadow IT: generative AI. Earlier this year Samsung found its employees sharing their source code with ChatGPT to check for errors and consolidate meeting minutes. This is particularly concerning since the AI tool uses its prompts to then train its models. Therefore, these seemingly innocent prompts constitute a major data leak.

The truth is that shadow IT isn’t going anywhere. So, let’s look at how enterprises can take decisive action and protect themselves in the remote age.

The Evolution of Shadow IT

 Shadow IT morphs and mutates with new technology. In earlier years, shadow IT was characterized by isolated instances of employees using personal email accounts or removable drives. Then, the cloud brought it mainstream with software as a service (SaaS). Every day, more and more applications are available, and team members frequently install and use them without consulting the IT department.

Remote work only makes matters worse. For users, it’s much easier (and tempting) to bypass company policy from the comfort of their homes. Studies show that the use of shadow IT grew by almost two-thirds due to the pandemic boom of remote work.

And now there’s a new threat. In this era of generative AI, employees are liberally experimenting with work tasks and the power of ChatGPT. Regardless of productivity improvements, adopting these tools often flies in the face of IT clearance procedures. According to research, 7 out of 10 workers using ChatGPT aren’t telling their supervisors. All the while, enterprise data is less secure across third-party services.

What Cybersecurity Leaders Must Do Now

The good news is that cybersecurity leaders can -- and must -- fight back. First, they need to regain visibility. This is possible by monitoring the corporate network to detect anomalous activity, software downloading and installation, as well as data and workload migrations.

Then, with newfound visibility, IT can get to work. This involves setting security alerts and blocklisting specific applications and websites. For example, these simple yet powerful measures can effectively target known entities like ChatGPT.

In our constantly evolving digital landscape, however, new websites and applications emerge regularly. Thus, solely relying on blocking these entities may not suffice. To address this vulnerability, it's crucial to employ data protection tools that secure data while it's in transit, ensuring sensitive information remains shielded from unauthorized access or exposure.

Additionally, enforcing restrictions that prevent the transfer of data to unapproved devices or applications enhances the overall security posture.

Remember: Employees Will Disobey

 Customizations only solve one part of the problem. The other is the human element. Ultimately, shadow IT remains with us because employees don’t always listen. They want to leverage new efficiencies and enhance their output. They need to understand, though, that the ends don’t justify the means. Cybersecurity leaders must therefore foster a culture of security awareness, one which treats employees as the first line of defense.

Leaders: Do your best to understand why employees turn to unsanctioned tools and investigate secure alternatives. In addition, bridge the gap between security protocols and employee demands with interactive training sessions.

Remember that an adversarial stance only exacerbates the problem. Instead, collaborate with other departments to understand their software requirements and help tailor approved solutions. This approach fosters a sense of partnership rather than enforcement.

Enterprises today must strike the right balance between technical fortifications and human understanding. With new tools like ChatGPT tempting our employees more than ever, cultivating a security-conscious strategy is essential to curb the draw of shadow IT.

About the Author

Apu Pavithran

CEO and Founder, Hexnode, Hexnode

Apu Pavithran is the founder and CEO of Hexnode. Recognized in the IT management community as a consultant, speaker, and thought leader, Apu has been a strong advocate for IT governance and Information security management. He’s passionate about entrepreneurship and spends significant time working with startups and empowering young entrepreneurs.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like


More Insights