Aug 27 2024
Security

Getting to the Bottom of Shadow IT in K–12 Schools

Not all shadow IT presents the same level of risk. Here are five things K–12 IT managers struggling with it should know.

Shadow IT is not inherently bad; it’s actually an opportunity for teachers, administrators and staff to be more efficient and better serve students. And the main objections to shadow IT — such as fragmented data silos, lack of support, opaque budgets and inconsistent data management — don’t apply to every shadow IT project.

What’s the Big Problem with Shadow IT?

The real issue with shadow IT is information security: The teachers, administrators and staff building shadow IT solutions are not aware of the security risks that they are creating by bringing unsanctioned hardware or software into the school environment.

Coordinating across all areas of IT is difficult enough when a technical team is responsible for configuration and security policy. When someone who isn't part of the IT team adds something to the mix, the potential for a major security incident skyrockets.


How Should K–12 IT Teams Approach Shadow IT?

By focusing on security risks, IT can bring everyone to the table with a shared perspective: Everyone wants to keep student data safe and private, and everyone wants to ensure that the school runs smoothly. This means that K–12 IT managers should prioritize areas of concern by focusing on shadow IT that may lead to a data breach or that could create risks in compliance or during an audit. Picking your battles to make the most impact is the best approach.


What Are the Best Ways to Detect Undeclared Shadow IT?

The biggest security threats are going to come from devices sitting on your network that don’t belong there. Prioritize looking at firewall and intrusion prevention system (IPS) alerts and network scanning tools to discover what’s sitting on the network that doesn’t fit a normal user or approved server profile.

More important, dive deep on devices.

Don’t just take someone’s word for it: “Oh, that’s our security camera video system” or “Here’s a page on the vendor’s website of all the ports it needs open.”

When you identify something that isn’t fully understood and completely profiled, take the time to understand what is happening.

How Do I Deal with Shadow IT Devices That I Find on Our Networks?

Remember that simply declaring something “known” doesn’t mitigate the threat it may pose. It may no longer be “shadow” IT, but it doesn’t change overnight into a fully supported and secured system. Use network isolation tools, including firewalls and additional virtual local area networks, to wall off devices, then study traffic and IPS logs to determine what access is needed and when.

You’ll be thrust into a world of imprecision and inaccuracy when dealing with vendors and end users, so be prepared to be patient.
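One way to carry out the "study traffic" step, and to check a vendor's port list rather than take it on trust, is sketched below as an added example (not from the original article). The log format, IP addresses and vendor port list are all constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: flows the firewall logged for one walled-off device.
FLOW_LOG = """\
time,src,dst,proto,dport
2024-08-26T02:10:00,10.20.30.5,10.20.1.10,tcp,554
2024-08-26T08:15:00,10.20.30.5,10.20.1.10,tcp,554
2024-08-26T08:16:00,10.20.30.5,10.20.1.53,udp,53
2024-08-26T03:00:00,10.20.30.5,203.0.113.40,tcp,8883
2024-08-27T03:00:00,10.20.30.5,203.0.113.40,tcp,8883
2024-08-26T09:30:00,10.20.30.5,10.20.5.77,tcp,445
"""

# Hypothetical vendor claim: "the camera system only needs these ports".
VENDOR_DECLARED = {("tcp", 554), ("udp", 53), ("tcp", 443)}

def profile_device(log_text, device_ip, declared):
    """Summarize what the device actually did and compare it with the claim."""
    hours_seen = defaultdict(set)  # (dst, proto, port) -> hours of day observed
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["src"] != device_ip:
            continue
        key = (row["dst"], row["proto"], int(row["dport"]))
        hours_seen[key].add(int(row["time"][11:13]))
    observed = {(proto, port) for (_, proto, port) in hours_seen}
    return {
        # Matches the vendor's list: candidates for narrow allow rules.
        "confirmed": sorted(k for k in hours_seen if k[1:] in declared),
        # Never mentioned by the vendor: understand it before allowing it.
        "undeclared": sorted(k for k in hours_seen if k[1:] not in declared),
        # Declared but never observed: no evidence the opening is needed.
        "unused_claims": sorted(declared - observed),
        # When each flow occurs, to answer "what access is needed and when".
        "hours": {k: sorted(v) for k, v in hours_seen.items()},
    }

if __name__ == "__main__":
    report = profile_device(FLOW_LOG, "10.20.30.5", VENDOR_DECLARED)
    for section in ("confirmed", "undeclared", "unused_claims"):
        print(section, report[section])
```

The "undeclared" entries are the ones to raise with the vendor or end user, and the "unused_claims" entries are openings that do not need to be carried into the firewall policy until traffic shows they are used.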


Why Do I Have So Much Shadow IT?

No one goes into a shadow IT project thinking that they want to undermine security, so assume that people have good intentions but need better training and support. In other words, shadow IT often happens because IT isn’t meeting people’s needs in some way. As you find shadow IT, try to understand the root cause for the policy breach and communicate that upward to district management — even if it is “IT’s fault” sometimes.
