UK – NCSC publishes guidance on shadow IT

Jane Finlayson-Brown
Allen & Overy LLP
Contact
LinkedIn
Facebook
X
Send
Embed

Allen & Overy LLP

The UK National Cyber Security Centre (NCSC) published its guidance on shadow IT on 27 July 2023.

‘Shadow IT’ are unknown assets that are used within an organisation for business purposes (including in certain cloud technologies) but are not accounted for by asset management or aligned with corporate IT processes or policies. The guidance helps to better identify and mitigate the presence of the unknown (and therefore unmanaged) IT assets within their organisation.

The NCSC discusses the types of shadow IT (unmanaged devices and services) and how they may manifest in an organisation, making risk management more difficult. The NCSC flags the potential threats posed by shadow IT, such as data theft, exfiltration of sensitive data, or spread of malware given the lack of visibility and control that the companies have over the processing of data by these IT assets.

The guidance discusses organisational and technical measures that organisations can implement in order to mitigate against the risks of shadow IT, including:

  • implementing an effective process for addressing users’ requests so that there is less risk of them implementing their own solutions which may introduce shadow IT;
  • developing a healthy cybersecurity culture so that staff can communicate openly about policy or processes which may prevent them from working effectively;
  • anticipating users’ needs rather than restricting use of certain IT; and
  • implementing technical mitigations such X.509 certification, network scanners, cloud access security brokers (CASBs), secure access secured edge (SASE), and unified endpoint management (UEM).

The NCSC lists further resources available for organisations in addressing other common technology challenges, including guidance on:

  • choosing an enterprise instant messaging solution here;
  • choosing a video conferencing service that meets your business needs here;
  • how to deploy and use a cloud service securely here;
  • how to make sure your organisation is prepared for an increase in homeworking here

The guidance on shadow IT is available here.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Allen & Overy LLP | Attorney Advertising

Written by:

Allen & Overy LLP
Allen & Overy LLP
Contact
more
less

Allen & Overy LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide