UK NCSC publishes guidance on shadow IT

Published Date
Aug 9, 2023
The UK National Cyber Security Centre (NCSC) published its guidance on shadow IT on 27 July 2023.  

‘Shadow IT’ are unknown assets that are used within an organisation for business purposes (including in certain cloud technologies) but are not accounted for by asset management or aligned with corporate IT processes or policies. The guidance helps to better identify and mitigate the presence of the unknown (and therefore unmanaged) IT assets within their organisation. 

The NCSC discusses the types of shadow IT (unmanaged devices and services) and how they may manifest in an organisation, making risk management more difficult. The NCSC flags the potential threats posed by shadow IT, such as data theft, exfiltration of sensitive data, or spread of malware given the lack of visibility and control that the companies have over the processing of data by these IT assets. 

The guidance discusses organisational and technical measures that organisations can implement in order to mitigate against the risks of shadow IT, including:

  • implementing an effective process for addressing users’ requests so that there is less risk of them implementing their own solutions which may introduce shadow IT;
  • developing a healthy cybersecurity culture so that staff can communicate openly about policy or processes which may prevent them from working effectively;
  • anticipating users’ needs rather than restricting use of certain IT; and
  • implementing technical mitigations such X.509 certification, network scanners, cloud access security brokers (CASBs), secure access secured edge (SASE), and unified endpoint management (UEM).

The NCSC lists further resources available for organisations in addressing other common technology challenges, including guidance on:

  • choosing an enterprise instant messaging solution here;
  • choosing a video conferencing service that meets your business needs here;
  • how to deploy and use a cloud service securely here;
  • how to make sure your organisation is prepared for an increase in homeworking here

The guidance on shadow IT is available here.

Content Disclaimer
This content was originally published by Allen & Overy before the A&O Shearman merger