The NCSC has published guidelines warning against so-called "shadow IT". Is it a threat, or could SaaS management make it an opportunity?
The UK's National Cyber Security Centre (NCSC) has published new guidance to increase awareness of "shadow IT" (what we prefer to think of as "business-led IT") among UK organizations. By calling the unauthorized use of software-as-a-service (SaaS) solutions "shadow IT" the NCSC puts such use in a negative light, but is it really the menace it seems?
Empowering your employees to choose the best solutions to their unique problems has various benefits:
- your expert talent will be better able to choose the right toolset for their work
- self-service tools require far less maintenance and training
- SaaS solutions are often cheaper than on-premise options
Yet, there remains a risk to letting the business have a completely free hand in choosing applications. SaaS solutions, like any solution, need to be vetted for security and regulatory compliance. And, of course, someone needs to keep an eye on spend.
The best tool for doing all that (we humbly believe) is LeanIX SaaS Management Platform (SMP). SMP can help discover all the SaaS your teams use as well as manage the contracts and renewals associated with them.
Let's explore the NCSC view on the dangers of "shadow IT" and how LeanIX SMP can turn those risks into opportunities.
The NCSC View On "Shadow IT"
The UK National Cyber Security Centre's (NCSC) new guidelines refer to the unauthorized purchase and use of applications as "shadow IT" or "grey IT." Most often, these applications are software-as-a-service (SaaS) tools, since SaaS is easy for your team to acquire and implement without technical support. As software becomes more self-service and user-friendly, according to the NCSC, the footprint of "shadow IT" in any given organization grows.
BYOD Vs Shadow IT
The NCSC is keen to note that Bring Your Own Device (BYOD) policies and shadow IT are very different. BYOD entitles employees to securely use company-approved applications on their personal mobile phone or other devices under supervision.
Shadow IT, on the other hand, involves employees circumventing security policies without approval or supervision. This might represent a security issue or it may not, but the real concern is this: IT does not know.
What's Behind The Rise Of Shadow IT?
There are often business-critical reasons why employees turn to shadow IT. For example:
- An employee may prefer to use the free version of Asana for tracking their personal tasks, even when Jira is your company's approved application
- Your preferred video conferencing tool may be Microsoft Teams, but if a client had technical difficulties joining a call, a free Zoom license may enable an important meeting
- A partner may need an important file that's too large to email to them, but an employee's personal Dropbox account could offer a solution
Using these tools as a shortcut to complete an essential business task is a worthy cause. It does, however, carry a risk.
The NCSC warns of the dangers of both data theft and exploitation from shadow IT. Without proper supervision, unauthorized applications could be exploited to allow access to your systems and private data. As an NCSC blog post explained:
"Whatever format it takes, if shadow IT is prevalent, then risk management becomes very difficult because your organisation won’t have a full understanding of what you want to protect."
"Simon B", Security Researcher, NCSC
Is The NCSC Right?
The UK's National Cyber Security Centre (NCSC) refers to shadow IT as "clearly not desirable." However, the NCSC also suggests that the rise of shadow IT in your organization can be an indication that your current toolset isn't sufficient.
Rather than punishing employees who use shadow IT tools, we should see their need to use unsanctioned tools as a symptom of something deeper. The role of IT is to provide the tools that employees need to succeed. If an employee has struck off on their own, it may mean they don't have what they need.
As the NCSC explained:
"Where shadow IT is discovered, it’s important you don’t reprimand staff. If you blame or punish staff, their peers will be reluctant to tell you about their own unsanctioned practices, and you’ll have even less visibility of the potential risks."
"Simon B", Security Researcher, NCSC
If the unauthorized application or device that your team chose to use is the right one for the task, then IT's role is to support, secure, and optimize its use. Software-as-a-service (SaaS) tools can often save money on hosting, maintenance, and training. Instead of seeing it as exposing risk, shining a light on shadow IT may reveal the answer to a question no one had asked out loud.
