When it comes to managing hidden risk and shadow IT, our primary challenge as cybersecurity practitioners is securing the organization’s data and applications while empowering users to perform their duties efficiently. After all, one survey found that 67% of employees aren’t completely satisfied with their workplace tools and technologies—often resulting in the adoption of unsanctioned applications.
But shadow IT is not the enemy. Restrictive security policies and ineffective procurement or assessment processes are. In our guide titled “What’s Lurking in Your Environment? How Cyber Leaders Can Address Shadow IT & Hidden Risk” we provide you with a holistic understanding of hidden risks, and arm you with policy and strategy suggestions to protect your expanding digital footprint and infrastructure.
What’s more—we include our first-hand GRC perspective on shadow IT management. In this article, I want to share some insights into how we at Bitsight are navigating hidden risks, a topic that keeps many security teams on their toes every single day.
Shadow IT Management in Practice
At Bitsight, we don't just grapple with shadow IT—we confront it head-on. It's not just a technological challenge; it's a game of education, empowerment, and constant vigilance.
The key to addressing shadow IT is enabling visibility, transparency, and collaboration. Detecting hidden assets requires continuous monitoring and scanning of the enterprise—at scale, in a repeatable and manageable way. Manual processes or tools requiring oversight from a member of the IT department can be time-consuming, and can fail to monitor every corner of your enterprise.
Several solutions available on the market were designed for this purpose, with capabilities including:
- Extended infrastructure monitoring, to discover hidden assets and cloud instances
- Centralized data, to visualize the location of your organization’s digital assets, ideally broken down by vendor, geography, and business unit
- Data analytics, to identify areas of critical or excessive risk, determine areas of highest exposure, and prioritize remediation
As the digital supply chain continues to expand, managing cyber risk across its increasingly complex attack surface can be challenging. Cybersecurity leaders need to get a handle on risks across all digital assets irrespective of location, whether they sit in the cloud, in other geographies, in subsidiaries or suppliers, or across remote workforces and regulatory jurisdictions.
“Blocking access can create unnecessary user friction within the organization and cause employees to circumvent processes further. We need to empower users to use sanctioned tools and work with them to identify shadow IT to enable the organization safely.”
Processes and guidelines should be documented in a strong shadow IT policy, which needs to be acknowledged by new hires during onboarding and by all staff on an annual basis. As an example, Bitsight has established internal policies, namely our Code of Conduct, Acceptable Use Policy, and Vendor Review Policy, to address hidden risks. These policies play a crucial role in educating users about the nature of data our company handles and processes, emphasizing the collective responsibility to safeguard it. They also delineate the roles and responsibilities pertaining to data protection and compliance obligations.
To identify instances of shadow IT, Bitsight leverages its products. Utilizing Security Performance Management (SPM), we can pinpoint potential shadow IT risks through various vectors, such as Desktop Software and Server Software. These risk vectors enable us to detect unsanctioned vendors not included in our internal Vendor Risk Management (VRM) program. The Vendor Discovery tool within Continuous Monitoring (CM) further aids in confirming existing vendors and uncovering potential unsanctioned ones by cross-referencing against our CM and VRM vendor lists.
Beyond Bitsight’s applications, we deploy tools like Mobile Device Management (MDM) software and a Cloud Access Security Broker (CASB). MDM software is strategically placed on all endpoints to identify locally installed software, with the capability to block any unauthorized installations. Our CASB, integrated into all user endpoints, surveils applications via web traffic, providing usage statistics and reports. This allows us to identify users employing non-sanctioned applications, monitor frequency, and scrutinize processed data. The CASB also empowers us to block traffic to specific categories of web activity (e.g., gambling, crypto-mining) or implement URL block lists.
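As an added illustration of the CASB and Vendor Discovery workflow described above (example code written for this article, not Bitsight's own tooling or product output), this Python script applies a category block list and a URL block list to constructed web-proxy log lines, tallies per-user traffic to non-sanctioned hosts, and cross-references discovered vendors against a VRM vendor list. Every host name, vendor name, and log line is a constructed placeholder.

```python
from collections import Counter, defaultdict

# Constructed sample of CASB/web-proxy log lines:
# timestamp, user, destination host, URL category, bytes sent.
SAMPLE_LOG = """\
2024-03-01T09:02:11Z alice app.sanctioned-docs.example docs 1200
2024-03-01T09:05:40Z alice share.freefiles.example file-sharing 820000
2024-03-01T09:07:02Z bob share.freefiles.example file-sharing 150000
2024-03-01T09:09:15Z alice share.freefiles.example file-sharing 40000
2024-03-01T10:11:00Z carol pool.coinmine.example crypto-mining 300
2024-03-01T10:12:30Z bob notes.newapp.example productivity 5000
"""

# Placeholder policy data: sanctioned hosts mapped to their vendor, the VRM
# vendor list, and the CASB category and URL block lists.
SANCTIONED_HOSTS = {"app.sanctioned-docs.example": "DocsVendor"}
VRM_VENDORS = {"DocsVendor", "MailVendor"}
BLOCKED_CATEGORIES = {"gambling", "crypto-mining"}
URL_BLOCKLIST = {"share.freefiles.example"}

def parse_log(text):
    """Split each whitespace-delimited log line into an event dict."""
    events = []
    for line in text.splitlines():
        ts, user, host, category, nbytes = line.split()
        events.append({"ts": ts, "user": user, "host": host,
                       "category": category, "bytes": int(nbytes)})
    return events

def policy_decision(event):
    """Category block list is evaluated first, then the URL block list."""
    if event["category"] in BLOCKED_CATEGORIES:
        return "block:category"
    if event["host"] in URL_BLOCKLIST:
        return "block:url"
    return "allow"

def unsanctioned_usage(events):
    """Per (user, host): request count and bytes sent to non-sanctioned hosts."""
    usage = defaultdict(lambda: {"requests": 0, "bytes": 0})
    for e in events:
        if e["host"] not in SANCTIONED_HOSTS:
            rec = usage[(e["user"], e["host"])]
            rec["requests"] += 1
            rec["bytes"] += e["bytes"]
    return dict(usage)

def vendors_missing_from_vrm(discovered_vendors):
    """Vendor Discovery cross-reference: discovered vendors with no VRM record."""
    return sorted(set(discovered_vendors) - VRM_VENDORS)

def build_report(text):
    """Summarise enforcement decisions and unsanctioned usage for a log."""
    events = parse_log(text)
    decisions = Counter(policy_decision(e) for e in events)
    return {"decisions": dict(decisions), "unsanctioned": unsanctioned_usage(events)}
```

The per-user request and byte counts are what the GRC team would use to judge frequency and the volume of data processed before deciding whether to block, substitute a sanctioned tool, or start a vendor review.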
Users may resort to alternative tools to achieve their objectives, and as part of our Governance, Risk, and Compliance (GRC) team, we take on the responsibility of devising practical solutions. This involves making users aware of sanctioned tools they might not be familiar with or guiding them to collaborate with their managers to procure a vendor if no viable alternative exists. Our commitment is to provide users with the means to excel in their roles while maintaining the highest cybersecurity standards.
What’s Lurking in Your Environment? How Cyber Leaders Can Address Shadow IT & Hidden Risk
Managing hidden risk and shadow IT is a tightrope walk between enabling our teams and securing our fort. And if you're curious to dive deeper into this dance, our latest ebook is not your average tech read; it's a journey through the minds of cybersecurity warriors sharing experiences, battle-tested strategies, and a roadmap to mastering the shadows.
You will get insights around:
- Understanding Hidden Risk: Delve into the very essence of shadow IT, unraveling its origins, and exploring real-life examples of hidden risks.
- Managing Hidden Risk Holistically: Learn how to discover and identify shadow IT within your network. Build robust policies and take practical steps to mitigate the risks.
- Bitsight Solutions to Address Hidden Risk: Get a backstage pass to Bitsight’s arsenal and explore our solutions designed to tackle hidden risks head-on.
As we navigate an evolving threat landscape, remember, it's not just about challenges; it's about seizing the opportunity to fortify, adapt, and elevate our cybersecurity game. Are there opportunities to embrace shadow IT and improve our tech stack? Are there better ways to seamlessly enable our workforce?