Software

4 Tips for Controlling Shadow IT

Users going rogue with hardware and downloads becomes a concern for K–12 IT shops.

Karen Scarfone is the principal consultant for Scarfone Cybersecurity. She provides cybersecurity publication consulting services to organizations and was formerly a senior computer scientist for the National Institute of Standards and Technology (NIST).

For a K–12 IT department, one of the biggest security threats may be as sinister as it sounds.

Shadow IT — the term for hardware, software and applications acquired by an organization’s users without going through the IT department — has become common, especially with the rise in inexpensive computing devices and widely available mobile and cloud-based apps.

In fact, Gartner recently estimated that, on average, 40 percent of IT spending at companies is on shadow IT. It’s likely that in K–12 school districts, where IT is typically more physically and logically distributed than in the average company, shadow IT may be even more widespread.

Shadow IT is a concern because it circumvents many standard processes — notably, security. If the school district’s IT staff doesn’t know the technology is being used, it can’t secure it or monitor and maintain its security over time. This makes shadow IT more susceptible to compromise and also slows the detection of successful cyberattacks, allowing more damage to take place. Additional problems may result from the use of mobile and cloud-based applications that use data in ways that people aren’t aware of or that don’t properly safeguard sensitive data.

Shadow IT can’t be eliminated, but it can be better controlled. Follow these tips to reduce the risks associated with the practice:

1. Make Sure to Vet Educational Apps

Vet applications and make it easy for people to acquire and use them securely. Students, teachers, staff and other users often take advantage of shadow IT because they don’t think they can get the apps they need through official channels in a timely manner. Unfortunately, they’re often right. With such a wide variety of mobile and cloud-based apps immediately available to users via shadow IT, the temptation to circumvent formal processes to avoid delay is extremely high.

To combat this, districts can perform their own vetting of in-demand applications. This can be as simple as ensuring the apps come from a reputable source and offer reasonable security and privacy protections for user data. A recent study by Symantec, the 2016 Shadow Data Report, found that most of the cloud-based shadow IT apps organizations rely upon lacked enterprise-class security features. Even cursory vetting should be able to identify these applications so a district can flag them as unsuitable.

For applications that pass vetting, districts should then determine how to secure them and then do what they can to make it easy for people to acquire and use them securely. For example, a district might be able to integrate vetted apps with its other IT resources, such as making them available through a district web portal or app store.

2. Educate Users on Shadow IT Risks

Most users aren’t aware of the security and privacy threats associated with shadow IT. Take phony apps, for example: An attacker could create a fake application or add hidden, malicious functionality to a good application. When users install the app, they inadvertently install malware on their device. Now the attacker has full access to the users’ data and devices, and can use that access to attack and compromise other district systems.

Unfortunately, it’s hard to get buy-in on security and privacy risks, which often seem abstract and unlikely. Here’s a more compelling argument against using shadow IT: It’s not supported by the district. If a user runs into a problem using shadow IT hardware, software or applications, the district usually can’t — or won’t — help if, for example, the rogue tools damage the user’s data or devices. There’s no way the district can be responsible for supporting every product and service people find on their own, which in a large district could easily number 1,000 or more. By using vetted applications, users can be sure of getting help when things go awry.

3. Enforce Network Access Restrictions

School districts can take measures to enforce restrictions on accessing shadow IT applications, although this is likely to be unpopular. One option is to configure network security technologies to prevent the use of selected shadow IT cloud-based services. It’s not possible to do this for all shadow IT services because there are many and they constantly change, but it may be feasible for a small number of popular, high-risk sites.

It’s also possible to restrict local apps on devices issued by the school district. For example, mobile devices can be set up to download software only from app stores the district has approved. Similarly, application whitelisting technologies can be configured to permit use of approved executables only. This not only prevents the use of shadow IT apps, but also stops malware from being executed.

4. Use Security Controls to Monitor for Threats

No matter what a school district does to educate its users, make vetted apps available and restrict shadow IT access, users will still find a way to leverage shadow IT.

School districts can lower the risks associated with shadow IT by employing security technologies that leverage threat intelligence feeds or reputation services. Such technologies monitor web traffic, email and other forms of communication to stop users from accessing malicious websites, domains and other internet-based resources. This helps to prevent users from being tricked into downloading malicious applications and infecting their devices with malware. Similarly, school districts can use anti-malware technologies, including anti-virus software and anti-spam services, to detect and stop malware-infected applications from being installed or run.

Dimitris66/Getty Images