Sarah Hewitt, Director in the Major Risks Practice of Gallagher, recently discussed the topic of Shadow IT with Mark Lawrence of Travelers Insurance.
Shadow IT

What is Shadow IT?

‘Shadow IT’ is the use of IT systems, software or services, or the running of IT projects, outside of compliance with official company policies and without oversight from the company’s corporate IT function.

Historically, corporate IT has maintained tight control over all enterprise hardware and software, but some of this responsibility has now shifted to non-technical business managers, who find the productivity, affordability and ease-of-use benefits of shadow IT too compelling to ignore.

Below are some factors that created Shadow IT in the first place:

  • Understaffed IT departments.
  • Bureaucratic approvals process.
  • The rise of shadow application development. Business units commission their own applications, either from developers inside their own department, to get around long corporate IT development queues, or from external software development firms that offer shorter development cycles and more personalised service than corporate IT.
  • Anything-as-a-Service (XaaS). Many vendors have expanded their cloud offerings well beyond software to include platform, storage, desktop and disaster recovery, all of which a business unit can adopt without involving corporate IT.
  • BYOD (Bring Your Own Device). The business benefits because the cost of voice and mobile data services shifts from the company to the employee, but the device itself sits outside corporate IT’s control.

What are the threats?

  • Substandard Development Techniques. When business unit managers order a shadow development project, they are essentially putting themselves in the position of evaluating the programming effort, not just for functionality but for security, a skill few non-technical managers have.
  • Over-reliance on Shadow Cloud Provider Security. Security in the cloud is a shared responsibility: the provider secures the underlying infrastructure, but the buyer remains responsible for how the service is configured, who is given access and what data is placed in it. The cloud buyer must therefore educate themselves and their teams on how to use the new infrastructure securely.
  • Unsecured Shadow File Storage. Because email is a favourite target of malware developers, network administrators routinely block executable and large files from passing through corporate email servers. In response to these restrictions, employees simply create personal accounts on cloud file-sharing platforms such as Dropbox or Google Drive and move company files there, outside corporate backup, access control and monitoring.
  • Unsecured Shadow Mobility. When employees access corporate systems and data on their personal mobile devices with no security controls in place, they cross the line into unsecured shadow mobility.
  • Use of Pre-Hacked Shadow USB Drives. A USB drive that has been tampered with before it reaches an employee can carry code that runs as soon as it is plugged in. Thieves with knowledge of the company’s directory structures can program the device to collect and send out large amounts of company data within seconds.

What are the risks?

  • Bodily Injury - Internet of things. Shop floor operations in manufacturing companies often feature programmable robotics for more efficient assembly operations. These machines are connected to company networks as well, making them susceptible to malicious attacks.
  • Technology Professional Indemnity. A company can be held liable for causing economic loss to others as a result of failure to take reasonable security precautions. It can also stem from a failure of security systems to work as intended due to an error, omission or negligent act.
  • Cyber Risk. Shadow IT is a favourite playground for hackers and cyber thieves and it can endanger a company’s intellectual property and sensitive customer or employee data.

How can you minimise these exposures?

Risk management can be broken down into 4 areas:

  • Internal policies and personnel management - Establish and enforce corporate policies and procedures that cover the most common types of Shadow IT usage.
  • Vendor Management Practices - Establish an approved vendor list, vet each vendor’s security practices, and use contract terms and conditions that hold vendors financially responsible for security, patches and upgrades.
  • Technical assets and capabilities - Perform a comprehensive threat analysis, inventory all technical assets (including the cloud services business units have adopted on their own), and consider providing a company-run cloud-based file-sharing alternative to Dropbox or Google Drive.
  • Review Contract Practices - These can impact the technology Professional Indemnity risk.
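Much of the inventory work above, and the detection of the unsecured shadow file storage described under the threats, can start from data the company already has: its web-proxy logs. The following is an added example, not code from the original article or from Gallagher or Travelers. It scans constructed proxy log lines and reports which users are sending data to consumer file-sharing services, ranked by bytes uploaded. The space-separated log format, the user names, the sanctioned host list and the domain-to-service map are all assumptions made for the illustration.

```python
"""Shadow-IT discovery over web-proxy logs (added example, not from the
original article): flag traffic to unsanctioned consumer file-sharing
services and rank users by bytes uploaded.

Assumed log format (one request per line, whitespace separated):
    <epoch> <user> <method> <url> <status> <bytes_sent> <bytes_received>
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: hosts the company has vetted via its approved-vendor list.
# Traffic to these is never reported, even if the host would otherwise
# match a file-sharing domain below (e.g. a company-managed tenant).
SANCTIONED_HOSTS = {"files.example-corp.com", "sharepoint.example-corp.com"}

# Assumption: consumer file-sharing domains that usually indicate shadow
# file storage. A host matches a domain exactly or as a subdomain of it.
FILE_SHARING_DOMAINS = {
    "dropbox.com": "Dropbox",
    "dropboxapi.com": "Dropbox",
    "drive.google.com": "Google Drive",
    "docs.google.com": "Google Drive",
    "wetransfer.com": "WeTransfer",
}

# Constructed sample log lines (not real traffic). The last line is
# deliberately truncated to show that malformed input is skipped.
SAMPLE_LOG = """\
1700000000 alice POST https://content.dropboxapi.com/2/files/upload 200 5242880 512
1700000005 alice GET https://www.dropbox.com/home 200 300 20480
1700000010 bob POST https://files.example-corp.com/upload 200 1048576 256
1700000020 carol POST https://drive.google.com/upload/drive/v3/files 200 31457280 700
1700000025 dave GET https://www.wikipedia.org/ 200 200 65536
1700000030 carol POST https://docs.google.com/document/u/0/create 200 4096 1024
1700000035 eve GET
"""


def classify_host(host, sanctioned=SANCTIONED_HOSTS):
    """Return the file-sharing service a host belongs to, or None."""
    if host is None or host in sanctioned:
        return None
    for domain, service in FILE_SHARING_DOMAINS.items():
        if host == domain or host.endswith("." + domain):
            return service
    return None


def parse_line(line):
    """Parse one log line into a dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 7:
        return None
    ts, user, method, url, status, sent, received = parts
    try:
        return {
            "ts": int(ts),
            "user": user,
            "method": method.upper(),
            "host": urlsplit(url).hostname,  # lower-cased by urlsplit
            "status": int(status),
            "sent": int(sent),
            "received": int(received),
        }
    except ValueError:
        return None


def find_shadow_storage(log_text, sanctioned=SANCTIONED_HOSTS):
    """Map user -> service -> {requests, bytes_uploaded} for unsanctioned
    file-sharing traffic. Only POST/PUT request bodies count as uploads;
    blocked or failed requests are still counted, since an attempt to
    upload is itself worth knowing about."""
    report = defaultdict(
        lambda: defaultdict(lambda: {"requests": 0, "bytes_uploaded": 0})
    )
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        service = classify_host(rec["host"], sanctioned)
        if service is None:
            continue
        entry = report[rec["user"]][service]
        entry["requests"] += 1
        if rec["method"] in ("POST", "PUT"):
            entry["bytes_uploaded"] += rec["sent"]
    return {u: {s: dict(st) for s, st in svcs.items()} for u, svcs in report.items()}


def rank_by_upload(report):
    """Flatten the report into (user, service, bytes_uploaded), largest first."""
    rows = [(user, service, stats["bytes_uploaded"])
            for user, services in report.items()
            for service, stats in services.items()]
    return sorted(rows, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    for user, service, nbytes in rank_by_upload(find_shadow_storage(SAMPLE_LOG)):
        print(f"{user:<8} {service:<14} {nbytes / 2**20:8.2f} MiB uploaded")
```

Two caveats a practitioner would add. The full URL is visible here only because the proxy is assumed to terminate TLS; without TLS inspection you see just the destination host from the CONNECT request or the TLS SNI, which is still enough for the domain match but not for the byte counts. And the proxy only sees what is routed through it: a personal device on mobile data (the unsecured shadow mobility case above) never appears in these logs, so this kind of analysis complements the asset inventory rather than replacing it.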

What about insurance?

Shadow IT is everywhere, its risks can be difficult to see, much less manage, and hackers worldwide keep coming up with new and creative ways to take advantage of the vulnerabilities Shadow IT creates.

Companies can investigate insurance options with their insurance broker. Consider the following:

  • Cyber Risk (first-party network security)
  • Third-party cyber and media liability
  • Products Liability

Shadow IT has the potential to bring business benefits to companies, as long as the risks are understood and managed. For more information about Shadow IT please get in touch with your usual Gallagher representative.