Cloud security: shadowing Shadow IT

Public cloud services may well be harder to hack – but how are ongoing challenges like Shadow IT giving rise to additional cloud security vulnerabilities? Part 2 of a two-part Special Report. By James Hayes.

Shadow IT is another cloud-related security challenge that is now making a bigger blip on IT security risk-awareness radars. Despite its essentially illicit nature, Shadow IT has had some success in normalising the broad notion of cloud-based enterprise computing solutions procured and deployed by staffers without the explicit approval of their IT departments, and paid for on their personal company credit cards.

Even as far back as 2016, the Logicalis Global CIO Survey suggested that Shadow IT is ‘now a fact of life for the majority of CIOs’: 90% of IT chiefs polled for that research admitted that they are ‘now by-passed by line-of-business colleagues at least occasionally’.

Subsequently, its proponents sought to re-label Shadow IT less threateningly as ‘flexible IT’ or even ‘devolved IT’, and rather than try to quash the grassroots trend, caught-in-the-middle CIOs were advised by their executive masters to enfold it into their management plans instead. More fatalistic IT chiefs have thought hard about bringing Shadow IT under the remit of ‘progressive’ enterprise IT strategies, but may retain an anti-Shadow stance toward those c-suite execs susceptible to talk of Shadow IT’s perceived business benefits.

Those c-suiters with cyber governance nous, however, were and are less likely to be won over by the unquantifiable claims put forward by the pro-Shadow lobby. Rather, as the expectation arises that they should assume responsibility for remediating security-related incidents where Shadow IT is the known cause – even though they have no innate influence over, or knowledge of, Shadow IT adoption – they feel the need to bring forward countervailing arguments more stridently. As Shadow IT proliferates, so too do the potential system security issues it is likely to cause.

The Oracle/KPMG Cloud Threat Report 2019, meanwhile, reckons that Shadow IT is ‘here to stay’, and will continue to flourish independent of attempts by the IT security function to control usage with policies, despite the specific jeopardies it presents to data protection and security governance regulations that have come into force since 2016. The challenge of stemming the tide of Shadow IT is evidenced by the lack of adherence to policies. Business units that use non-approved cloud services and apps for business purposes blatantly ignore the rules, the Cloud Threat Report reminds its readers.

Even though most organisations now have a formalised policy to review and approve cloud applications, there has been a substantial year-over-year increase in concern that such policies are being ignored or violated. Indeed, the 92% of research participants reporting concern that their company has individuals, departments, or lines of business in violation of its security policies for the use of cloud applications is a notable 10 percentage point increase from last year’s research (see Cyber Security Europe Spring 2019 issue).

But does the concern that individuals, departments, or lines of business are not following policies translate into actual Shadow IT application usage? A sizeable 69% of organisations stated that they are aware of a ‘moderate’ or ‘significant’ amount of Shadow IT apps, with another 15% stating they are aware of a few such apps in use.

All that notwithstanding, use of Shadow IT applications has had adverse consequences. The Cloud Threat Report 2019 survey results clearly indicate that Shadow IT has led to the very outcomes cyber security personnel aim to guard against. Exactly 50% of the respondent organisations report that the use of shadowy apps ‘has led to unauthorised access to data’, which is easy to understand when, for instance, tools like Enterprise File Sync and Sharing (EFSS) services are widely used to share corporate data internally and externally.

Nearly as many organisations polled – 47% – report ‘actual loss of data due to the use of Shadow IT apps’. Such incidents include storing sensitive corporate data in an unauthorised personal cloud application – data that is lost, should a Shadow-inclined employee move on. Shadow IT has also often resulted in the introduction of malware (48%), as malevolent threats employ cloud apps as a cyber attack vector.

Another noteworthy point with regard to the implications of Shadow IT is the ongoing fundamental difference in perceptions between CISOs and CIOs: CISOs generally consider Shadow IT more problematic than CIOs do. CISOs report incidents caused by Shadow IT apps at more than twice the frequency of CIOs (23% versus 10%). CIOs may, in fact, even see a budgetary benefit from the use of Shadow IT apps, with the cost being submitted as a business expense rather than a funded IT line item.

CISOs are unlikely to make such a distinction as they feel responsible for securing all applications and services in use, whether they are approved or unauthorised. Wherever the buck might be supposed to stop, the risks Shadow IT poses are cyber security risks, and so CISOs and their teams are bound to be most sensitive to them; CIOs, arguably, must balance the proliferation and propensity toward Shadow IT against some other considerations.

For instance, does it help a workgroup achieve productivity targets? What is the evidence that even known exploits result in security breaches? Does Shadow IT represent acceptable or unacceptable risk? There can be little doubt that these differences of opinion between chief officers are informing lively debates in many board and c-suite executive meetings.

A study by Snow Software, Rogue Resourceful, also found that most global workers are ‘going rogue’ with cloud applications despite having been made aware of the potential business risks their actions could result in. The study, which surveyed 3,000 professionals in Europe, Asia/Asia Pacific and the US, uncovered stark contrasts between the mindset of large sections of today’s workforce and the priorities of IT security leadership.

This rift is especially notable among younger ‘millennial’ employees, who are almost twice as likely to circumvent the security ground rules as older workers: 81% of the millennials polled admit they have used or accessed something on their work device without proper permission, versus just 51% of seniors who have done the same.

However, Rogue Resourceful also found that exec-level employees – for example, senior managers, directors and vice presidents – were almost twice as likely to use unauthorised professional or personal applications as middle-ranking respondents (e.g., entry-level, associate or specialist staffers). At senior levels, c-suite executives (including Presidents and Vice Presidents) led the way in using work apps (57%) and personal apps (51%) on their work device without properly authorised permission from their IT managers.

There is a disconnect between workers’ behaviour and their understanding of the business risks of unsanctioned and unmanaged technology. For example, just 7% of the executives polled said that they do not think it causes any business issues – yet 57% have engaged in that exact behaviour by downloading work applications and software without IT’s permission.