Shine Light on IT!
Understanding what technology, data, applications, and services your organisation needs to protect is one of the foundational steps in managing cyber risk. However, this crucial first step often proves challenging for technology teams. While your technology experts can typically provide the board with an inventory of the technology assets they have procured and maintain, they frequently encounter a significant obstacle known as "Shadow IT"—systems, applications, or services that are introduced and used without the organisation’s formal approval or knowledge. These unauthorised technologies include:
Unapproved cloud services like file storage or collaboration tools,
Self-developed solutions such as complex Excel spreadsheets,
Self-installed applications or devices not covered by Bring Your Own Device (BYOD) policies.
Shadow IT is a common challenge across organisations and poses serious risks to cybersecurity. The absence of documentation, oversight, and maintenance for these unauthorised technologies significantly hinders the organisation’s ability to prevent cyber incidents and makes recovery from an incident harder.
Why you should reframe this as Un-Authorised Technology
While every light casts a shadow, this issue of incomplete technology oversight is not inevitable. By reframing Shadow IT as "Un-Authorised Technology," we shift the perspective to one that encourages action. This term emphasises that unauthorised technology use is not an inevitable outcome—it is a solvable issue that can be actively managed. The board should take an active role in addressing it: ensuring accountability and compliance, and requesting regular updates from the executive team.
How collaboration can reduce Cyber Risks
Addressing Un-Authorised Technology requires understanding why employees bypass approved systems. Common reasons include slow responses from technology experts to requests from the business, budget constraints, and client demands. Instead of punishing this behaviour, the board should encourage collaboration to identify root causes and develop solutions. This investigation, with guidance from resources like the National Cyber Security Centre [1], should lead to actionable insights and a tailored action plan. Potential actions might include [2]:
Creating safe spaces for employees to communicate their technology needs,
Establishing clear protocols for handling situations where rules are bent,
Approving a policy for fast-tracking Un-Authorised IT into the mainstream,
Encouraging and rewarding teams that research, test and implement technology in collaboration with the technology team,
Offering comprehensive training on policy adherence and cyber awareness.
Technology as an Ally
Technology is available [1] to assist your technology experts in essentially two different ways:
Restricting access to the organisation’s network and data for unauthorised technologies,
Detecting Un-Authorised Technology by monitoring network activity and cloud service logins.
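The second approach, detection from network activity, can be illustrated with a small script. This is an added example, not code from the article or from the NCSC guidance; the proxy log lines, the allow-list of sanctioned services and the catalogue of known cloud services are all constructed and hypothetical.

```python
"""Flag traffic to cloud services the organisation has not approved (added example, constructed data)."""

# Constructed web-proxy log: timestamp, user, destination host, bytes sent.
SAMPLE_PROXY_LOG = """\
2024-05-01T09:02:11Z alice files.sanctioned-drive.example 120394
2024-05-01T09:05:40Z bob api.sanctioned-drive.example 4522
2024-05-01T09:10:02Z alice app.unsanctioned-share.example 98211
2024-05-01T09:12:55Z carol app.unsanctioned-share.example 45200
2024-05-01T09:14:03Z dave www.unsanctioned-notes.example 1200
2024-05-01T09:20:30Z alice app.unsanctioned-share.example 301000
2024-05-01T09:25:00Z bob mail.corp.example 800
malformed line that should be skipped
"""

# Hypothetical allow-list of approved services, keyed by registered domain.
SANCTIONED = {"sanctioned-drive.example", "corp.example"}

# Hypothetical catalogue of cloud services known to the technology team but not approved.
KNOWN_CLOUD_SERVICES = {
    "unsanctioned-share.example": "file sharing",
    "unsanctioned-notes.example": "collaboration",
}


def registered_domain(host):
    """Reduce 'app.foo.example' to 'foo.example' (last two labels, lower-cased)."""
    return ".".join(host.lower().split(".")[-2:])


def find_unauthorised(log_text, sanctioned=SANCTIONED, catalogue=KNOWN_CLOUD_SERVICES):
    """Return {domain: {"category", "users", "bytes"}} for traffic to unapproved cloud services.

    Sanctioned domains are ignored; destinations not in the catalogue are left for separate
    triage so that the report stays focused on services that are already known to be unapproved.
    """
    findings = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # skip malformed lines rather than crash on them
        _ts, user, host, sent = parts
        domain = registered_domain(host)
        if domain in sanctioned or domain not in catalogue:
            continue
        entry = findings.setdefault(domain, {"category": catalogue[domain], "users": set(), "bytes": 0})
        entry["users"].add(user)
        entry["bytes"] += int(sent)
    return findings


def rank_findings(findings):
    """Order services by distinct users (a team-wide need, not a one-off), then by volume."""
    return sorted(findings.items(), key=lambda kv: (len(kv[1]["users"]), kv[1]["bytes"]), reverse=True)
```

Ranking by distinct users rather than by traffic volume surfaces the services several people have adopted, which is where the collaborative conversation about an unmet business need is most worthwhile.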
However, it is important that detection technologies are used in conjunction with collaborative process improvements, as discussed earlier. Encouraging open dialogue between the business and technology teams can foster a culture of cooperation rather than positioning the technology team as a gatekeeper. This approach allows the board to contribute to creating a more secure, compliant technology environment while reducing cyber risks through efficient oversight practices.
[1] National Cyber Security Centre, Guidance Shadow IT, https://www.ncsc.gov.uk/guidance/shadow-it
[2] Shadow IT & How To Manage It Today, Splunk (Cisco), 2024, https://www.splunk.com/en_us/blog/learn/shadow-it.html