There’s a big problem in your business hiding in plain sight: Shadow IT. Have you ever used Dropbox or Google Drive to quickly share work documents? Maybe you’ve sent work files to your personal email to catch up on work at home. If your IT department hasn’t approved these applications, then you’ve used Shadow IT. It’s that simple.
What is Shadow IT?
Shadow IT is the use of any hardware or software without the knowledge or approval of an organization’s IT department. An employee may not see the harm in adding a convenient app to their computer, or they don’t think it’s a risk to use their own (unapproved) device to complete their work. In fact, according to CompTIA, 80% of workers admit to using software-as-a-service (SaaS) applications without getting approval from IT.
Shadow IT is clearly not as sinister as it sounds. It’s usually just the result of people looking for better ways to do their jobs. Unfortunately, this type of technology can be a huge source of problems if left unchecked. So, why should you care?
The Pitfalls of Shadow IT
- Cost: shadow IT can easily drive up IT costs as different departments unknowingly purchase duplicate solutions.
- Security vulnerabilities: if your IT department is unaware of any shadow applications or devices, it can’t manage the potential security vulnerabilities. Are users performing the necessary software updates? Do they even know how to? You can’t protect what you don’t know.
- Cyberattacks: with shadow IT, there is a greater threat of a data breach or ransomware attack. Employees downloading a third-party app could inadvertently give a hacker access to your network.
- Data loss: the work someone does on a shadow app, for example, could be lost to the company if that employee moves on. IT wouldn’t have access to that account to retrieve the information or files. They likely don’t even know it is out there on that unknown app or device!
- Non-compliance: if your business is in a regulated industry, shadow IT could put you at risk of non-compliance. For example, sharing business data over a personal email would be a big no-no in the healthcare or banking industry. What’s more, shadow IT certainly undermines audit accountability.
Shine a Light on Shadow IT
Because this type of IT lingers in the shadows, it can be challenging to identify. Still, there are several steps you can take to reduce the risks associated with shadow IT.
1. Educate employees about cyber policies
Create and communicate acceptable use guidelines, and make sure your staff knows what your policies are regarding:
- SaaS downloads
- Use of personal devices (e.g. mobile phones, laptops, USB flash drives, portable data storage devices)
- Emailing from personal accounts and using messaging apps
- Online document sharing
- Online voice or meeting technology
Establish clear information classifications distinguishing between public, private, and confidential data. This can help employees recognize when they are putting important data at risk by disregarding use policies.
2. Discover the Shadow IT in your organization
Your IT team needs to know what technology is in use at your organization (both onsite and offsite). Though the increase in remote work has made this a more challenging undertaking, it’s critical that you take the time to find this hidden technology.
Start by asking your staff about the software and devices they regularly use for work. It’s likely you’ll discover that your employees are using many unauthorized tools because they’re simply unaware of the risks of shadow IT.
You should also consider using technology to identify any unauthorized software or devices that are accessing your network. We recommend talking to your IT provider about performing a network scan to identify any unknown devices and software on your network.
3. Determine the value of shadow IT
You don’t necessarily want to ban all shadow IT that you discover. Some of these tools could have real value. Vet the applications or devices found or reported. Review their connection to confidential data or essential network systems. If several employees use an unsanctioned app, you may want to invest in it. With a professional version, your IT team can safely manage the app.
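One way to connect steps 2 and 3, shown as an added example rather than anything from the original article: scan web proxy logs for SaaS domains that IT has not approved, then rank each app by how many distinct employees use it. The log format, the allow-list, the SaaS catalogue and the `min_users` threshold are all assumptions constructed for this sketch.

```python
from collections import defaultdict

# Constructed allow-list of IT-approved domains (assumption).
SANCTIONED = {"sharepoint.example-corp.com"}
# Constructed catalogue of SaaS domains to watch for (assumption).
SAAS_CATALOG = {"dropbox.com": "Dropbox", "drive.google.com": "Google Drive"}
# Constructed proxy log lines: timestamp user host bytes_sent
SAMPLE_LOG = """\
2024-05-01T09:12:03Z alice www.dropbox.com 48211
2024-05-01T09:15:44Z bob drive.google.com 1200345
2024-05-01T09:16:02Z alice sharepoint.example-corp.com 5021
2024-05-01T10:01:19Z carol www.dropbox.com 88310
malformed line without enough fields
2024-05-01T11:30:12Z dave dl.dropbox.com 910
"""

def match_app(host):
    """Return the catalogued app for host or any parent domain, else None."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):  # never test the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in SANCTIONED:
            return None
        if candidate in SAAS_CATALOG:
            return SAAS_CATALOG[candidate]
    return None

def discover(log_text):
    """Step 2: aggregate unsanctioned SaaS use as app -> users and bytes sent."""
    usage = defaultdict(lambda: {"users": set(), "bytes": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # skip malformed records instead of crashing
        _, user, host, sent = parts
        app = match_app(host)
        if app:
            usage[app]["users"].add(user)
            usage[app]["bytes"] += int(sent)
    return dict(usage)

def triage(usage, min_users=2):
    """Step 3: rank by distinct users; True marks apps worth vetting for adoption."""
    rows = [(a, len(u["users"]), u["bytes"], len(u["users"]) >= min_users)
            for a, u in usage.items()]
    return sorted(rows, key=lambda r: (-r[1], -r[2]))

if __name__ == "__main__":
    print(triage(discover(SAMPLE_LOG)))
```

Apps used by only one person still appear in the output; the flag separates widely adopted tools from one-off use so the review can start where the exposure is largest.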
4. Deliver the IT your team needs
Why are people circumventing your IT policies? Are they looking to meet an unmet need? Are they more comfortable with a familiar app or device? It’s important to understand what the employee is aiming to accomplish or why they’ve turned to shadow IT. This can help you identify IT needs and areas where you need to improve. Shadow IT is virtually unavoidable, but with proper security policies and open communication it can become a source of innovation within your company.
Understanding shadow IT allows you to minimize security risks while giving your team access to the tools they need to boost their productivity. If you’re not sure where to start, consider scheduling a network assessment to get a complete inventory of the devices and software on your network.