Questions to consider regarding Shadow IT

What is Shadow IT?

Shadow IT refers to IT devices and applications that an organization does not track or manage. In many cases the organization does not even know these devices or applications exist, and so it cannot audit or track how these assets are being used or what data they hold.

Is it costing my organization money?

Gartner once estimated that 35% of enterprise IT expenditures would happen outside of the corporate IT budget in 2015. However, there are organizations that believe shadow IT actually reduces costs.

Projects that use Shadow IT increasingly have the resources and bandwidth to build solutions on their own and can deliver them much faster, reducing the budget that would otherwise be required for overall IT expenses. In other words, some say it is a wash.

Are there many risks created by shadow IT?

Let’s start by looking at the top security breaches in 2014 so far.

eBay

Customer names, encrypted passwords, email addresses, physical addresses, phone numbers and dates of birth. The breach is thought to have affected the majority of the company’s 145 million members.

Michaels Stores

The company said up to 2.6 million payment card numbers and expiration dates at Michaels stores and 400,000 at Aaron Brothers could have been obtained in the attack.

Montana Department of Public Health and Human Services

Names, addresses, dates of birth and Social Security numbers on roughly 1.3 million people.

Variable Annuity Life Insurance Co.

A former advisor used a thumb drive to obtain Social Security numbers and other details on 774,723 of the company’s customers.

Spec’s

A breach of the Texas wine retailer’s network resulted in the loss of information on as many as 550,000 customers. Hackers got away with customer names, debit or credit card details, card expiration dates, card security codes, bank account information from checks and possibly driver’s license numbers.

St. Joseph Health System

Approximately 405,000 former and current patients’ and employees’ names, Social Security numbers, dates of birth, medical information and, in some cases, addresses and bank account information.

When business processes are not under the control of a centralized IT or IS department, there is an increased risk that shortcuts will be taken, security procedures will be overlooked, and one or more of the standards your organization adheres to will be violated.

If we embrace Shadow IT, which standards and frameworks could we fall out of compliance with?

  • FISMA (Federal Information Security Management Act of 2002),
  • GAAP (Generally Accepted Accounting Principles),
  • HIPAA (Health Insurance Portability and Accountability Act),
  • IFRS (International Financial Reporting Standards),
  • ITIL (Information Technology Infrastructure Library),
  • PCI DSS (Payment Card Industry Data Security Standard),
  • TQM (Total Quality Management), etc.

How should we approach the problem?

The bottom line is that you can’t secure something you don’t know about. It’s time for organizations to implement IT Asset Management processes. I suggest a three-tiered approach, which I will discuss in an upcoming blog post.
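The first step of any asset-management process is finding the assets you do not know about. The following is an added example, not part of the original post and not the author’s three-tiered approach: it reconciles a list of devices observed on the network (DHCP leases in the dnsmasq-style format shown) against the managed-asset inventory, reporting devices with no inventory record as shadow IT candidates and inventory records never seen on the network as stale. All lease lines and inventory entries are constructed; the MAC addresses are deliberately written in mixed formats, because a reconciliation that does not normalize them will silently miss matches.

```python
"""Reconcile observed network assets against a managed inventory.

Added example (not from the original post). Assumptions: DHCP lease
records in the dnsmasq-style format shown below, and a managed-asset
inventory keyed by MAC address. All data here is constructed.
"""
import re
from dataclasses import dataclass

# Constructed dnsmasq-style lease lines: expiry  MAC  IP  hostname  client-id
DHCP_LEASES = """\
1718000000 aa:bb:cc:dd:ee:01 10.0.1.10 fin-laptop-07 01:aa:bb:cc:dd:ee:01
1718000000 AA-BB-CC-DD-EE-02 10.0.1.11 mkt-macbook *
1718000000 aabb.ccdd.ee03 10.0.1.12 nas-marketing *
1718000000 aa:bb:cc:dd:ee:04 10.0.1.13 * *
"""

# Constructed managed inventory (what the CMDB says IT owns). MAC formats vary
# on purpose: a reconciliation that does not normalize them misses matches.
MANAGED_ASSETS = [
    {"mac": "AA:BB:CC:DD:EE:01", "owner": "finance", "name": "fin-laptop-07"},
    {"mac": "aa-bb-cc-dd-ee-02", "owner": "marketing", "name": "mkt-macbook"},
    {"mac": "aa:bb:cc:dd:ee:99", "owner": "it", "name": "retired-printer"},
]

_MAC_HEX = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw: str) -> str:
    """Canonical lower-case colon-separated form; raises on malformed input."""
    hex_only = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if not _MAC_HEX.match(hex_only):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(hex_only[i:i + 2] for i in range(0, 12, 2))


@dataclass(frozen=True)
class Lease:
    mac: str
    ip: str
    hostname: str


def parse_leases(text: str) -> list[Lease]:
    """Parse lease lines; MACs are normalized so they compare with the CMDB."""
    leases = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or truncated lines
        leases.append(Lease(normalize_mac(parts[1]), parts[2], parts[3]))
    return leases


def reconcile(leases, inventory):
    """Return (unmanaged, stale): leases with no inventory entry, and
    inventory entries never seen on the network."""
    known = {normalize_mac(a["mac"]): a for a in inventory}
    seen = {lease.mac for lease in leases}
    unmanaged = [lease for lease in leases if lease.mac not in known]
    stale = [a for mac, a in known.items() if mac not in seen]
    return unmanaged, stale


if __name__ == "__main__":
    unmanaged, stale = reconcile(parse_leases(DHCP_LEASES), MANAGED_ASSETS)
    for lease in unmanaged:
        print(f"UNMANAGED {lease.mac} {lease.ip} {lease.hostname}")
    for asset in stale:
        print(f"STALE     {asset['mac']} {asset['name']} ({asset['owner']})")
```

Run against the constructed data, the report flags the marketing NAS and an unnamed device as unmanaged and the retired printer as a stale inventory record. The stale list matters as much as the unmanaged one: an inventory that still carries devices nobody has seen in months is the other half of not knowing what you have.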