Monday, 23 October 2023

The problem of shadow IT – and how to get the human factor right in cyber security

How can organisations better engage with their staff to improve their cyber-security posture? We consider some changes you can implement, in this blog...

Here at Grant McGregor we believe that your staff play a vital role in your cyber security defence.

While awareness training and a good reporting culture are staples of this approach, there are other behavioural activities that an organisation must address in order to strengthen its cyber-security posture.


The UK’s National Cyber Security Centre (NCSC) has stated that “the traditional ways of engaging people in cyber security do not create enough of a behavioural change.”

So how can organisations better engage with their staff to improve their cyber-security posture? In this blog, the Grant McGregor team considers some changes you can implement.


Engaging with staff to strengthen your cyber security posture

One of the biggest challenges in ensuring good, consistent cyber security is the issue of shadow IT. 

What is shadow IT? According to the NCSC, shadow IT (or 'grey IT') "refers to the unknown assets that are used within an organisation for business purposes". This is a really problematic cyber-security risk because it means that you don’t even have a full understanding of what you need to protect.

Today, shadow IT isn’t just the problem of rogue devices on the corporate network – it’s also all the ways your users are storing sensitive, enterprise data in their personal cloud accounts and elsewhere in non-sanctioned solutions.

So how can you prevent these kinds of behaviours?

The NCSC recommends that “where shadow IT is discovered, it’s important that you don’t reprimand staff”. That’s because “If you blame or punish staff, their peers will be reluctant to tell you about their own unsanctioned practices – and you’ll have even less visibility of the potential risks.”


Carrot – not stick

That’s why – as we discussed in a recent blog – it’s really important to establish a good culture of cyber security in which staff are encouraged to report suspicious cyber activity. Moreover, as the NCSC emphasises, staff must feel free to “communicate openly about issues (including where current policy or processes are preventing them from working effectively).”

By encouraging staff to explain the issues they face which drive them to make use of shadow IT solutions, you can implement organisational mitigations to solve the real business challenges your users are grappling with.

IT needs to work with line-of-business managers to address user needs properly, so that staff don’t resort to shadow IT to meet them. This way, you have greater visibility of all the risks and much better data governance.

In addition, argues the NCSC, organisations can offer real-time interventions to gently steer users away from insecure behaviours as they happen. Technical solutions can be deployed to address the use of unsanctioned, unknown and unsecured devices and services – including tighter access controls, asset management and computer-based training. 


Get your own house in order first

One often-overlooked shadow IT risk can originate from the IT department itself. 

As Proofpoint’s The Human Factor 2023 report makes clear, “At many organisations, the presence of misconfigured or ‘shadow’ admins brings additional risk to credential theft. Local administrators are often missing from privilege account management solutions. And some admin accounts may not be known to IT departments at all, with privileges either misapplied or left in place after a role change. As many as 40 percent of these shadow admin identities can be exploited in a single step, such as resetting a domain password to elevate privileges. And 13 percent of shadow admins were found to already have domain admin privileges.”

This is worrying because Proofpoint’s research found that 26 percent of endpoints and exposed accounts with some kind of exploitable identity risk were domain admins.

Technology can offer solutions here too – helping you stay on top of user accounts, user privileges and endpoints. Ultimately, however, dealing with shadow IT successfully rests on the human factors: education, awareness raising, the clear communication of best practices and an open dialogue in which staff are encouraged to discuss issues and highlight workarounds – so that their needs can be properly addressed by the IT team.


What next?

If you’d like help dealing with issues around shadow IT or in strengthening your organisation’s cyber security posture, please get in touch with the Grant McGregor team.

Call us: 0808 164 4142


Further reading

You can find more ideas and advice about cyber security elsewhere on the Grant McGregor blog, including these articles published for Cybersecurity Awareness Month 2023: