- Network
- A
Why employees install software without IT department's knowledge and why it’s dangerous
Hi, tekkix. My name is Danila Trusov, I am the product director of "Inferit ITMen" — an IT infrastructure management and control system. In this article, I want to discuss one of the most persistent and yet underappreciated problems in corporate IT — unauthorized software installation, Shadow IT.
According to our observations, in a significant portion of organizations, employees independently install work software without undergoing centralized approval. And this concerns not only specialized tools but also quite common things: office applications, file exchange utilities, remote access, analytics, and collaboration tools.
It is important to understand: in most cases, there is no malicious intent. The reasons almost always lie in the way processes are structured. Business develops faster than IT regulations, and people need to solve problems here and now. Meanwhile, getting approval for new software can take days or weeks. Another factor is working with contractors who install tools familiar to them in the client’s infrastructure.
Another common scenario is the transfer of equipment between departments. The device changes owners, but the previously installed software is left without review. As a result, an unaccounted-for and unauthorized layer of software gradually accumulates in the infrastructure.
The essence of the problem
The danger of Shadow IT goes far beyond mere formal non-compliance with regulations. In practice, the risks span three areas: information security, compliance with legal requirements, and infrastructure manageability.
From the perspective of information security, unauthorized installations create direct channels for the penetration of malicious code. Free and conditionally free applications from open sources often contain trojans, spyware modules, or vulnerabilities that are not closed by corporate protection tools. Such programs often bypass update policies, do not receive patches, and remain outside the view of the security service.
A separate threat is saved access credentials. Applications may store credentials, access tokens to corporate services, and cloud storage. If a device is no longer serviced or falls out of the control of the IT service, the risk of data leakage and unauthorized access increases exponentially.
The second group of risks is related to compliance with legislation and licensing requirements. Using unlicensed software or exceeding the number of installations may lead to claims from copyright holders. At the same time, the argument "we didn’t know it was installed" does not exempt the company from liability. In the case of audits, the business has to urgently purchase licenses, pay fines, and eliminate violations.
For many industries, compliance with information and personal data protection requirements is critical. Unaccounted software complicates meeting legislative and industry standards because the company cannot accurately confirm which systems process data and what protective measures are applied.
The third problem is the loss of infrastructure manageability. When the IT service does not have a complete and up-to-date picture of installed software and devices, it becomes impossible to effectively manage updates, access, and costs. In such conditions, incidents are discovered after the fact, and actions to correct the situation begin only after the problem has occurred.
Why bans don't work
In practice, attempts to solve the problem exclusively with bans rarely yield sustainable results. Even the strictest regulations do not work if the company lacks tools that allow visibility into the actual state of the infrastructure: what software is installed, where it is used, and who is responsible for it.
Shadow IT does not arise because of bad employees. It is a symptom that the infrastructure is developing faster than control mechanisms.
How to Start Reducing Risks
Risk reduction related to shadow IT begins not with strengthening the perimeter or new prohibitions, but with basic accounting. As long as a company cannot answer the simple question of what is actually installed and used in its IT landscape, any security and compliance measures remain fragmented.
This is why inventory of IT assets and software becomes the foundation for control. It allows identifying unauthorized installations, reducing vulnerabilities, ensuring software usage complies with licenses, and restoring manageability of the infrastructure before risks manifest as leaks, fines, or downtime.
Write comment