Beyond Shadow IT: Navigating the New Risks of Shadow AI


The Unseen Landscape

Shadow IT is the tech term buzzing around offices lately. It's basically any application, software, or gadget your team is using without the IT department's blessing. For example:

  • Using personal devices like laptops, smartphones, and storage devices (USB disks, external hard drives) to access, store or transmit work data.
  • Using cloud applications like productivity tools (Trello, Monday.com), cloud storage (Dropbox, Google Drive, iCloud), file-sharing (ShareFile, WeTransfer) or even generative AI (ChatGPT, Gemini) without IT approval.
  • Setting up personal Wi-Fi hotspots, cloud servers (AWS, Azure, Google Cloud), or other IT resources without IT authorization.
  • Holding work meetings through unauthorized video conferencing when the organization uses a different approved service, or creating unofficial work group chats without IT approval.
  • Sharing work files on personal cloud storage accounts or forwarding work emails to personal email accounts.

Yes, there's potential upside, but also serious risk that organizations need to tackle head-on.


Why Shadow Grows

It's no wonder shadow IT has taken off. Employees are increasingly frustrated with the clunky tech their organizations offer. The simplicity and speed of cloud services just make it more tempting.

A few factors seem to be pushing employees towards these unofficial tools:

  • Slow, outdated tech: No one wants to wait for IT to catch up.
  • Bureaucracy: Getting new tools approved? Nightmare.
  • Need for speed: In a fast-moving market, you need tech that can keep up.
  • Risk? What risk?: Most people don't even realize the security dangers.


The Dark Side

The supposed upsides of shadow IT often hide some nasty dangers, with serious consequences for organizational security.

  • Unofficial applications and devices create vulnerabilities, making data breaches, cyberattacks, and regulatory headaches more likely.
  • A fragmented IT environment, with all sorts of systems running rogue, is a recipe for wasted time, duplicated work, and a total lack of direction.
  • Using tools that aren't sanctioned can land you in hot water with software licenses and data laws, leading to fines and reputational damage.


Silver Linings

Shadow IT isn't entirely without its merits, however. It can actually boost productivity and make employees happier by letting them use the tools they prefer. This can speed up innovation, make organizations nimbler, and maybe even cut IT costs.

Think of shadow IT as a wake-up call, too. It shows where your tech is falling short and what your teams really need.


Managing the Shadows

Managing shadow IT isn't easy. It's about finding the sweet spot between security and allowing for new ideas and flexibility.

A few strategies can help:

  • Clear rules: Develop clear, easy-to-understand policies on what’s acceptable and how to get new tools approved.
  • Regular checkups: Utilize asset discovery tools to find those hidden apps and devices, and do regular IT audits to see what's really going on.
  • Openness is key: Encourage honesty and talk about the risks. Make sure everyone knows why data security matters.
  • Tech solutions: Tools like CSPM and IAM can help secure those rogue apps and devices.


Turning Shadows into Assets

Organizations may regard shadow IT as an opportunity to learn and grow, rather than a threat.

  • Listen and learn: Figure out why your employees are using unauthorized tools. This shows you where your tech is lacking and helps you tailor your services to their needs.
  • Create a sandbox: Set up spaces where new tech can be safely tried out and assessed. Maybe it could even be integrated into your official setup later.
  • Collaborate, don't dictate: Encourage IT and other departments to work together on finding tech solutions. Low-code/no-code platforms can be a great way to quickly build what you need.


The Rise of Shadow AI: A New Frontier

AI is evolving at a fast pace, and generative AI tools are becoming increasingly available. This has given rise to a new concern: shadow AI. Think of it as shadow IT's AI counterpart, the unauthorized use of AI tools within organizations. Employees are drawn to these tools, especially generative AI, in the expectation of enhancing productivity and efficiency, but this often results in premature adoption without a thorough knowledge of the possible risks.


Shadow AI: A Heightened Risk

Shadow AI brings a whole new set of worries, beyond the ones we already have with shadow IT:

  • Everyone's an expert: Anyone can use these tools, which means more chances for things to go wrong.
  • Loose lips sink ships: People might accidentally spill company secrets when chatting with these AI programs.
  • Your data's not yours: Some AI tools hang onto everything you type, which is a problem if it's confidential information.
  • Don't believe everything you read: AI-generated stuff can be full of errors, leading to bad business decisions that cost you money or your good name.
  • Legal trouble: Using AI without permission could mean breaking data privacy laws or company rules.


Managing Shadow AI

Many strategies for managing shadow IT can be used to address shadow AI:

  • Set clear rules: Make company policies on AI access and use crystal clear, and make sure everyone knows them.
  • Train, train, train: Teach employees how to use AI responsibly and make it an ongoing thing.
  • Offer safe options: Develop and adopt secure, approved enterprise AI platforms.
  • Keep an eye on things: Invest in tools that track AI use, spot anomalies, and make sure the rules are being followed.
  • Open the lines of communication: Get IT and other departments talking so everyone's needs are understood and safe AI alternatives can be found.
  • Stay adaptable: Keep an eye on how AI is changing and adjust your strategies as needed.
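
One way to put the "keep an eye on things" item into practice, as an added example that is not part of the original article: a short Python script that scans web proxy logs for traffic to generative AI services outside the approved platform and summarizes it per user. The log format, the watch list, the upload threshold and the approved host `ai.corp.example` are assumptions, and the sample log lines are constructed.

```python
import csv
import io
from collections import defaultdict

# Assumed watch list: hostnames of the generative AI services the article names.
GENAI_HOSTS = {"chatgpt.com", "chat.openai.com", "gemini.google.com"}
# Hypothetical approved enterprise AI platform (placeholder hostname).
APPROVED_HOSTS = {"ai.corp.example"}
# Assumed threshold: one request sending this much may be a pasted document.
UPLOAD_ALERT_BYTES = 100_000

# Constructed sample proxy log: timestamp,user,host,method,bytes_sent
SAMPLE_LOG = """\
2024-05-06T09:01:12Z,alice,chatgpt.com,POST,1840
2024-05-06T09:03:40Z,alice,chatgpt.com,POST,250312
2024-05-06T09:05:02Z,bob,ai.corp.example,POST,90211
2024-05-06T09:07:55Z,carol,gemini.google.com,GET,0
2024-05-06T09:08:10Z,carol,Gemini.Google.com.,POST,4200
2024-05-06T09:09:31Z,dave,www.example.org,GET,0
truncated,line
"""

def host_in(host, watch):
    """Match the host itself or any subdomain, ignoring case and a trailing dot."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in watch)

def shadow_ai_report(log_text):
    """Return per-user totals for generative AI traffic outside the approved hosts."""
    users = defaultdict(lambda: {"requests": 0, "bytes_sent": 0,
                                 "large_uploads": 0, "hosts": set()})
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 5 or not row[4].isdigit():
            continue  # skip malformed or truncated lines
        _, user, host, _, sent = row
        if host_in(host, APPROVED_HOSTS) or not host_in(host, GENAI_HOSTS):
            continue
        entry = users[user]
        entry["requests"] += 1
        entry["bytes_sent"] += int(sent)
        entry["large_uploads"] += int(sent) >= UPLOAD_ALERT_BYTES
        entry["hosts"].add(host.lower().rstrip("."))
    return {u: {**e, "hosts": sorted(e["hosts"])} for u, e in users.items()}

if __name__ == "__main__":
    for user, entry in sorted(shadow_ai_report(SAMPLE_LOG).items()):
        print(user, entry)
```

A per-user summary like this is a starting point for the conversation the article recommends; the large-upload count is the field most relevant to the confidential-data risk described above.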

Real-Life Stats and Examples

The risks we've been discussing around shadow IT and shadow AI aren't theoretical. They're happening right now.

This reference includes some eye-opening stats that might surprise you. Let's take a closer look at a few of them.

  • Three times as many SaaS applications were running on corporate networks as the IT departments were aware of.
  • 41% of employees are acquiring, modifying, or creating technology that IT isn’t aware of, and this number is expected to increase to 75% by 2027.
  • The average data breach costs a company $4.45M. This represents a 15% increase over the past three years.
  • 37% of companies don’t have clear consequences for shadow IT.
  • 30% of work files are shared with personal accounts.
  • 35% of employees forward work email to personal accounts.
  • 70% of employees who are using ChatGPT at work are hiding that from their employers.
  • 11% of the data that employees enter into ChatGPT is confidential.


According to recent surveys, 56% of US workers are using generative AI tools at work, but only 10% of organizations have a formal generative AI policy in place. I think there won't be much of a difference in the numbers elsewhere.


A 2023 study revealed a startling statistic: over 85% of companies experienced cyber incidents in the two years prior, with a significant 11% of these incidents attributed to shadow IT! According to the study, employees who use applications, devices, or cloud services not approved by their IT departments, believe that if those IT products and services came from “trusted” providers, they should be protected and safe. However, providers' terms state that users are responsible for incidents related to the software.


Real-life examples of companies that have suffered due to shadow IT include the following.

  • A 2017 data breach at Accenture exposed millions of records when employees stored data in an unsecured cloud platform without permission.
  • In 2018, a major financial institution was fined $1 billion for non-compliance with data protection regulations; employees were using unauthorized cloud services to store customer data.
  • A large technology company sued a former employee for using shadow IT to steal trade secrets by installing unauthorized software on his work computer.


Conclusion

Shadow IT and the growing concern of shadow AI pose real risks for organizations, including data breaches, broken rules, and bad decisions. But these unofficial tools can also bring about real improvements and fresh ideas. Organizations need to be proactive, stay alert, and adapt in a constant balancing act.


That's what I think. What do you think?


#cybersecurity #data #dataprivacy #datasecurity #infosec #itmanagement #digitaltransformation #riskmanagement #innovation #cloudcomputing #generativeai #genai #ai #artificialintelligence #IT #informationtechnology #technology #chatgpt #gpt
