The NCSC has published guidelines warning against so-called "shadow IT". Is it a threat, or could SaaS management make it an opportunity?
The UK's National Cyber Security Centre (NCSC) has published new guidance to increase awareness of "shadow IT" (what we prefer to think of as "business-led IT") among UK organizations. By calling the unauthorized use of software-as-a-service (SaaS) solutions "shadow IT" the NCSC puts such use in a negative light, but is it really the menace it seems?
Empowering your employees to choose the best solutions to their unique problems has various benefits:
- your expert talent will be better able to choose the right toolset for their work
- self-service tools require far less maintenance and training
- SaaS solutions are often cheaper than on-premise options
Yet, there remains a risk to letting your business lead your application choices. SaaS solutions still need to be vetted for security and regulatory compliance, and you need to manage your spend.
The best way to do that is using the LeanIX SaaS Management Platform (SMP) to discover and manage all the applications your employees are using throughout your organization. To find out more, read:
DOWNLOAD: How To Enable Business-Led IT Through SaaS Management
Let's explore the NCSC view on the dangers of "shadow IT" and how the LeanIX SMP can turn those risks into opportunities.
The NCSC View On "Shadow IT"
The UK National Cyber Security Centre's (NCSC) new guidelines refer to business-led IT as "shadow IT" or "grey IT". All three terms refer to unknown hardware and software assets used within your organization for business purposes.
Most often, these will be software-as-a-service (SaaS) tools, since these are easy for your team to acquire and implement without technical support. As software becomes more self-service and user-friendly, shadow IT becomes more common.
BYOD Vs Shadow IT
The NCSC is keen to note that Bring Your Own Device (BYOD) policies and shadow IT are very different. BYOD entitles employees to securely use company-approved applications on their personal mobile phone or other device under supervision.
Shadow IT, on the other hand, involves employees circumventing security policies without approval or supervision. This might cause no security issue or it might be a critical risk, but the concern is: IT does not know.
Why Do People Use Shadow IT
There are often business-critical reasons why shadow IT is used. For example:
- An employee may prefer to use the free version of Asana for tracking their personal tasks, even when Jira is your company's approved application
- Your preferred video conferencing tool may be Microsoft Teams, but if a client had technical difficulties joining a call, a free Zoom license may enable an important meeting
- A partner may need an important file that's too large to email to them, but an employee's personal Dropbox account could offer a solution
Using these tools as a shortcut to complete an essential business task is a worthy cause. It does, however, carry a risk.
The NCSC warns of the dangers of both data theft and exploitation from shadow IT. Without proper supervision, unauthorized applications could be exploited to allow access to your systems and private data. As an NCSC blog post explained:
"Whatever format it takes, if shadow IT is prevalent, then risk management becomes very difficult because your organisation won’t have a full understanding of what you want to protect."
"Simon B", Security Researcher, NCSC
Is The NCSC Right?
The UK's National Cyber Security Centre (NCSC) refers to shadow IT as "clearly not desirable". However, the NCSC also suggests that the rise of shadow IT in your organization can be an indication that your current toolset isn't sufficient.
Rather than punishing employees who use shadow IT tools, or discouraging their use, we should see their need to use unsanctioned tools as a blocker to their optimum performance. The role of IT is to provide the technology tools that our employees need to succeed.
As the NCSC explained:
"Where shadow IT is discovered, it’s important you don’t reprimand staff. If you blame or punish staff, their peers will be reluctant to tell you about their own unsanctioned practices, and you’ll have even less visibility of the potential risks."
"Simon B", Security Researcher, NCSC
If the unauthorized application or device that your team chose to use is the right one for the task, then our role is to support, secure, and optimize its use. Software-as-a-service (SaaS) tools can often save money on hosting, maintenance, and training, so once we shine a light on shadow IT, it can become desirable.
LeanIX SMP: Opportunity From Shadow IT
The UK's National Cyber Security Centre (NCSC) prescribes that shadow IT is only undesirable because it lacks oversight from your IT and security teams. If you can discover and track all the Software-as-a-service (SaaS) applications in use across your organization, then shadow IT is no longer a concern.
That's why the LeanIX SaaS Management Platform (SMP) was designed to connect to all your organization's systems and perform continuous SaaS discovery to find all the "shadow" applications your employees are using. Once discovered, you can manage and secure all the tools to remove any risk.
Furthermore, you can find and eliminate duplication SaaS applications in order to optimize your budget spend by up to 30%. This means you don't need to be afraid of shadow IT any more.
To find out more about what the LeanIX SMP can do, download our free whitepaper: