Shadow IT is anything that employees download onto a business system that management and/or the IT department doesn’t know about, and it can be a big problem.
Many businesses have an IT policy restricting what employees can download and/or install on their work computers. But sometimes employees want to work with an app they already know and love. So, with the best intentions, they download and install a program without telling anyone. They don’t see any harm in adding that convenient app to their computer. Or they don’t think it’s a big deal to use their own device to complete their work (even if unsanctioned). Maybe they want to be efficient, so they use a personal email account to conduct your business.
All these are examples of Shadow IT, and it is running rampant in businesses across the world. In Frost & Sullivan research, 80% of employees admitted they had used non-approved software. Even 83% of IT workers were using non-vetted applications. So, what is the big deal?
The Problems With Shadow IT
First, if your business is in a regulated industry, Shadow IT could put you at risk of noncompliance. That unsanctioned device may not be encrypted. Sharing business data over a personal email would be a big no-no in a healthcare or banking space. Shadow IT certainly undermines audit accountability.
It can also drive up IT costs. An employee or department may not know that the business has already paid to use certain software. So, they pay for it again out of their own budget. Alternatively, they install a pirated copy of the program onto their system, which opens up a whole lot of other security and legal issues.
If IT is unaware of the Shadow applications or devices, they can’t manage the vulnerabilities. Management also does not know that customer data or personal identification information about employees may be at risk.
An application can also increase the threat of a data breach or ransomware attack. Employees downloading a third-party app could inadvertently give a hacker access to the business network.
Additionally, the business risks losing productivity. The work someone does on a shadow app, for example, may be lost to the company if that employee moves on. IT doesn’t have access to that account to retrieve the information or files. They may not even know it is out there with data in an unknown app or device.
Shine a Light on Shadow IT
Because this IT lingers in the shadows, it can be challenging to corral. Still, there are several steps you can take.
1) Educate employees about cyber policies.
Create and communicate to your staff your acceptable use guidelines and make sure your workers know what your policies are regarding:
- use of personal devices (e.g. mobile phones, tablets, laptops, USB flash drives, portable data storage devices).
- sharing data via personal email accounts or using messaging apps.
- online document sharing.
- online voice or meeting technology.
- SaaS (Software as a Service) downloads.
Also establish clear information classifications to distinguish between public, private and confidential data. This will help employees recognise they are putting important data at risk when they disregard your usage policies.
2) Do a dive to discover Shadow IT.
Management and IT need to find out what technology is in use at the business (both internally and externally). This is more challenging now with people working from home due to COVID-19. If a full audit is prohibitive, a survey of employees and their devices can help gather information about unknowns and where to check further.
3) Determine the value of any Shadow IT discovered.
Don’t overreact if unknown things are found. You do not necessarily want to ban all Shadow IT that you discover. Some of the services may be beneficial to your business. Review the applications or devices found, check for potential security issues and evaluate their benefits to your business. If there are concerns, look at banning the device or service; if it is beneficial, look at rolling it out site wide or to the employees who may benefit.
4) Deliver the IT your people need.
Find out why people are circumventing your IT policies. Are they:
- under pressure?
- trying to solve an issue that their current resources can’t solve?
- more comfortable with a familiar app or device?
It is important to understand what the employee is aiming to accomplish or why they have turned to shadow IT. This can help you identify IT needs and areas where you need to improve.
If you need help with your business’s Shadow IT then contact us to help you out.