Date: 2024-01-09

“Employees who use applications, devices or cloud services that are not approved by the IT department believe that if those IT products come from trusted providers, they should be protected and safe. However, in the ‘terms and conditions’ third-party providers use the so-called shared responsibility model. It states that, by choosing ‘I agree’, users confirm that they will perform regular updates of this software and that they take responsibility for incidents related to the use of this software (including corporate data leakages). But at the end of the day, businesses need tools to control the shadow IT when it’s used by employees. Kaspersky Endpoint Security for Business and Kaspersky Endpoint Security Cloud offer this control with application, Web and Device control functions that limit the use of unsolicited apps, websites and peripherals. The Information Security department will of course still need to conduct regular scans of their company’s internal network to avoid the unauthorized use of uncontrolled and unsafe hardware, services and software applications,” comments Alexey Vovk, Head of Information Security at Kaspersky.

In general, the widespread use of shadow IT is complicated by the fact that many organizations have no documented sanctions for employees who go against IT policies in this matter. Moreover, it is assumed that shadow IT could become one of the top threats to corporate cybersecurity by 2025. The good news is that the motivation for employees to use shadow IT is not always malicious; more often, it is the opposite. In many cases employees use it to expand the functionality of the products they use at work because they believe that the set of allowed software is insufficient, or because they simply prefer a familiar program from their personal computer.

To mitigate the risks of using shadow IT in an organization, Kaspersky recommends:

Ensure cooperation between the business and IT departments to regularly discuss new business needs, and obtain feedback on the IT services used, to create new and improve existing IT services needed by the business.

Regularly conduct an inventory of IT assets and scan your internal network to avoid the appearance of uncontrolled hardware and services.

When it comes to personal employee devices, it's best to give users as limited access as possible to only the resources they need to do their jobs. Use an access control system that will only allow authorized devices onto the network.

Carry out training programs to improve the information security literacy of employees. To boost security awareness among employees, educate them with the Kaspersky Automated Security Awareness Platform training program, which teaches safe internet behaviour.

Invest in relevant training programs for IT security specialists. Kaspersky Cybersecurity for IT Online training helps build up simple yet effective IT security-related best practices and simple incident response scenarios for generalist IT admins, while Kaspersky Expert Training equips your security team with the latest knowledge and skills in threat management and mitigation.

Use products and solutions that allow you to control the use of shadow IT within your organisation. Kaspersky Endpoint Security for Business and Kaspersky Endpoint Security Cloud offer Application, Web and Device controls which limit the use of unsolicited apps, websites and peripherals, significantly reducing infection risks even in cases where employees use shadow IT or make mistakes due to a lack of cyber-safe habits.

Organize a centralized process for publishing self-written solutions so that IT and Information Security specialists learn about them promptly.

Limit employees' use of third-party external services and, if possible, block access to the most popular cloud information exchange resources.