Shadow IT – What is it and how to prevent it
Shadow IT refers to information technology (IT) activities that are managed within a company without the knowledge of the IT department. It’s an umbrella term that covers any technology, application, hardware, or software deployed within an organization without approval from IT. Shadow IT can be a big security problem for your business, and it propagates fast given the increasing number of business and productivity apps available and the ease of installing them.
If you own a business, you might be among the 72% of companies that are unaware of applications that are being used by either individual employees or an entire line of a business unit. Possibly, you don’t even know about the existence of shadow IT or its implications. But as the IT experts that we are, we can tell you that it’s a negligent practice that puts your business at big risk.
You may have an IT policy in place for employees not to download unauthorized applications, but they want to work better and boost their productivity, or perhaps they prefer to work with an app they already know and love. So, they get a tool or service that meets their needs without telling IT.
The employee may have good intentions, but they don’t know the risks and they see no harm in adding that convenient app to their computer. Or they simply think it’s not a big deal to use their own device to complete their work. Maybe they want to be more efficient, so they use a personal email account to conduct your business.
All of these examples are part of Shadow IT, and it's running rampant. In Frost & Sullivan research, 80% of employees admitted they had used non-approved software. Even 83% of IT workers were using non-vetted Software as a Service (SaaS) applications. So, what’s the big deal? We’ll cover that in this article.
If you need more examples, these are some of the most common:
Productivity apps like Trello, Slack, Asana
Communication apps like Skype
Messaging apps on corporate-owned devices like Snapchat or WhatsApp
Physical devices like flash drives or external drives
Cloud storage like Dropbox and Google Drive
Risks and dangers of Shadow IT
We know that employees are the weak line of defense. When they use unsanctioned applications and devices, they introduce vulnerabilities into the infrastructure, and without IT supervision the root cause is very difficult to identify.
Compliance Issues
If your business is in a regulated industry, Shadow IT could put you at risk of noncompliance. And fines for noncompliance can be hefty. The unsanctioned device may not be encrypted. Sharing business data over a personal email would be a big no-no in a healthcare or banking space. Shadow IT certainly undermines audit accountability.
Financial Risks
Say accounting doesn’t know that the business has already paid to use certain software. So, they pay for it again out of their own budget. In many cases, shadow IT solutions duplicate the functionality of standard products approved by the IT department. As a result, the company wastes money.
Unpatched Vulnerabilities
If your IT department is unaware of the shadow applications or devices, they can’t keep an eye on updates or manage the vulnerabilities. There is no way for them to know that your customer data, or personal information about employees, is at risk.
Data Breaches
There is a greater threat of a data breach or ransomware attack. Employees downloading a third-party app could inadvertently give a hacker access to your network and expose your data. Once your IT team loses control over the software being deployed on the network, they are no longer able to control who has access to your data. Enterprise information is completely unprotected and susceptible to all kinds of breaches, whether by former employees, insiders or sophisticated attackers.
Less Productivity
Additionally, the business risks losing productivity. The work someone does on a shadow app, for example, could be lost to the company if that employee moves on. IT wouldn’t have access to that account to retrieve the information or files. They don’t even know it is out there on that unknown app or device.
Solutions to help manage shadow IT
Because this IT lingers in the shadows, it can be challenging to cope with. Still, there are several steps you can take.
1. Create cyber policies and educate your employees.
Create and communicate acceptable guidelines regarding SaaS downloads, use of personal devices, emailing, file sharing and videoconference technologies. And make sure your workers know your policies. Establish clear information classifications distinguishing between public, private, and confidential data. This can help employees recognize they are putting important data at risk when they disregard use policies.
2. Survey your technology and investigate
A survey of employees and their devices can help gather information about unknowns. Your IT department needs to get to know what technology is in use at the business (both on- and off-site), especially now that more people are working from home.
3. Determine the value of IT discovered.
If several employees use an unsanctioned app, you may want to invest in it. With a professional version, your IT team can safely manage the apps or the services that could add value to your business.
4. Give your people what they need.
Always try to understand what the employee is aiming to accomplish or why they’ve turned to shadow IT. This can help you identify their needs and the areas where you need to improve.
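For steps 2 and 3, one way IT can survey what is in use and see which unsanctioned apps have several users is to scan web proxy logs. This is an added example, not a tool from this article; the log format, the hostname-to-app mapping, the sanctioned list and the two-user threshold are all assumptions.

```python
from collections import defaultdict

# Assumed hostname -> app mapping for apps this article names.
SAAS_DOMAINS = {
    "trello.com": "Trello",
    "slack.com": "Slack",
    "asana.com": "Asana",
    "dropbox.com": "Dropbox",
    "drive.google.com": "Google Drive",
    "web.whatsapp.com": "WhatsApp",
}
SANCTIONED = {"Slack"}  # hypothetical: apps IT has already approved

# Constructed sample proxy log: "<timestamp> <user> <method> <host:port>"
SAMPLE_LOG = """\
2024-05-01T09:00:01Z alice CONNECT trello.com:443
2024-05-01T09:02:10Z bob CONNECT api.trello.com:443
2024-05-01T09:05:44Z alice CONNECT app.slack.com:443
2024-05-01T09:07:03Z carol CONNECT www.dropbox.com:443
2024-05-01T09:09:30Z bob CONNECT trello.com:443
2024-05-01T09:11:12Z dave CONNECT notdropbox.com:443
malformed line
"""

def classify(host):
    """Return the app name for a host, matching on label boundaries only."""
    host = host.lower().rsplit(":", 1)[0].rstrip(".")
    for domain, app in SAAS_DOMAINS.items():
        # Exact match or true subdomain, so notdropbox.com is not Dropbox.
        if host == domain or host.endswith("." + domain):
            return app
    return None

def find_shadow_apps(log_text, min_users=2):
    """Map each unsanctioned app to its users; flag apps with >= min_users."""
    users = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip lines that do not match the assumed format
        _, user, _, host = parts
        app = classify(host)
        if app and app not in SANCTIONED:
            users[app].add(user)
    return {app: {"users": sorted(u), "review": len(u) >= min_users}
            for app, u in users.items()}

if __name__ == "__main__":
    for app, info in sorted(find_shadow_apps(SAMPLE_LOG).items()):
        print(app, info)
```

Apps marked for review are the ones with enough users that IT may want to evaluate them for a managed, professional version.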
Shadow IT is unsafe and unpredictable and you can only watch what you know about, but we have the right tools to protect your business.