Mitigating 'Shadow IT' Risks

Organizations need to strike a balance in permitting their staff to use so-called "shadow IT" that can help them be more productive while still exerting enough control over the technology to ensure that sensitive data is protected, says security expert Mac McMillan.

The controversy over Hillary Clinton's use of private servers for both her personal and sensitive government email while she served as secretary of the U.S. Department of State spotlights some important issues involving staff attempting to utilize unsanctioned "shadow IT" tools to perform their jobs, which is a common practice, McMillan says in an interview with Information Security Media Group.

"In the estimates I've seen ... 20 percent to 35 percent of the applications that organizations find in their environments are shadow IT, or applications that users have enabled for one business purpose or another," says McMillan, CEO of the security consulting firm CynergisTek and a former U.S. Department of Defense data security specialist.

"In most cases, they're not using it to get around something or to 'beat' something ... The most often given reason they turn to an application that's part of the shadow IT world is that they're literally trying to get their job done, and trying to find a better, more effective, more efficient way of doing it," he says.

Organizations in all sectors should expect that staff members will turn to shadow IT, so they need to address the risks involved.

"You need to strike a balance between giving your staff flexibility to be innovative and to use different tools that may make them more productive ... more efficient, and may produce a better product, while at the same time providing [the organization] with a level of control so that you don't go sideways in terms of a compliance requirement ... [safeguarding] financial information or protecting patient information," he says.

Critical Steps

Organizations need to communicate to their staff their policies regarding the use of "shadow IT" such as software-as-a-service, infrastructure-as-a-service, cloud storage and personal mobile devices connecting to their networks, he stresses.

To help address security, McMillan says, organizations should, for example, consider establishing "a secure way for people to access these different SaaS tools in an environment where it doesn't put the rest of the network at risk. Perhaps you create a part of your network that allows [users] to log into that."

Other mitigating controls, he says, include restricting the functionality of some applications that could put data at risk, forcing encryption before files can be stored and deploying data loss prevention tools.

"Most of these [shadow] apps are not the problem," he says. "If there are ways the user could acquire these applications in a safe manner, have them set up properly and use them in a smart fashion, then they're just like any other app."

In the interview, McMillan also discusses:

- Common types of "shadow IT" found in healthcare entities and other organizations;
- When shadow IT is used with malicious intent;
- The use of shadow IT in other government agencies beyond the Department of State.

McMillan is co-founder and CEO of CynergisTek Inc., an Austin, Texas-based consultancy specializing in information security and regulatory compliance in healthcare, financial services and other industries. He has more than 30 years of security and risk management experience, including 20 years at the Department of Defense, most recently at the Defense Threat Reduction Agency. He is also chair of the Healthcare Information and Management Systems Society's privacy and security task force.