Shadow IT is the use of information technology systems, devices, software, applications, and services without explicit IT department approval. It has grown exponentially in recent years with the adoption of cloud-based applications and services. While shadow IT can improve employee productivity and drive innovation, it can also introduce serious security risks to your organization through data leaks, potential compliance violations, and more.
One of the biggest reasons employees engage in shadow IT is simply to work more efficiently. A study reported that 35 percent of employees feel like they need to work around their company’s security policies just to get their job done. For example, an employee may discover a better file-sharing application than the one officially permitted. Once they begin using it, use could spread to other members of their department. The rapid growth of cloud-based consumer applications has also increased the adoption of shadow IT. Long gone are the days of packaged software; common applications like
Slack and Dropbox are available at the click of a button. And shadow IT extends beyond work applications to employees’ personal devices such as smart phones or laptops, aka Bring Your Own Device (BYOD).
Shadow IT Security Risks and Challenges
The bottom line is that if IT isn’t aware of an application, they can’t support it or ensure that it’s secure. Industry analyst firm Gartner predicts that by 2020, one-third of successful attacks experienced by enterprises will be on their shadow IT resources. While it’s clear that shadow IT isn’t going away, organizations can minimize risk by educating end users and taking preventative measures to monitor and
manage unsanctioned applications. Shadow IT isn’t all inherently dangerous, but certain features like file sharing/storage and collaboration (e.g., Google Docs) can result in sensitive data leaks. And this risk extends beyond just applications—the RSA study also reports that 63 percent of employees send work documents to their personal email to work from home, exposing data to networks that can’t be monitored by IT. Beyond security risks, shadow IT can also waste money if different departments are unknowingly purchasing duplicate solutions.
Benefits of Shadow IT
Despite its risks, shadow IT has its benefits. Getting approval from IT can require time employees can’t afford to waste. For many employees, IT approval is a bottleneck to productivity, especially when they can get their own solution up and running in just minutes. Having IT act like an Big Brother isn’t always conducive to productivity and distinguishing between good and bad shadow IT may be the best compromise. Finding a middle ground can allow end users to find the solutions that work best for them while allowing IT to control data and user permissions for the applications. This lessens the IT department’s burden; if end users don’t need to request new solutions, that frees up IT’s time to focus on
more business-critical tasks.
Shadow IT Examples
Applications: Dropbox, Google Docs, Slack, Skype, Excel Macros
Hardware: Personal laptops, tablets, and smartphones
Strategies to manage Shadow IT
All organizations deal with shadow IT in a way that best suits their structure and company culture. Shadow IT policies can range from loose guidelines to extreme lockdown.
Tighten security: Some companies completely shut down access to particular applications through the corporate firewall or software audits. There are several applications on the market that can help IT departments expose and stop shadow IT. These tools monitor the use of cloud services across an enterprise, providing IT departments with the name of cloud services that employees are using and reporting on potential security risks. Some tools can even suppress shadow IT. IT can leverage software to tighten security and give the company some piece of mind. On the other hand, cracking down on employees can drive them to find apps that are not caught by detection tools, further endangering the company.
Practice leniency: When users choose the applications they want, they are more invested in IT and in their jobs. Using tools they are familiar with makes them more productive, efficient, and happy at work. A lenient shadow IT policy also lets the IT department concentrate on other tasks. None of which addresses the potential security risks of shadow IT use. A company with a relaxed stance on shadow IT may bolster security in other ways—with better data encryption and more limited access to sensitive data, for example. These companies may also publish policies and guidelines to help employees use their tools securely. Employees may download and use their own software, for example, but they must not use them to share or store customer data, use the same company password, etc.
Consider Compromise: Create a simple submission process for employees. Employees can either request a specific functionality or answer security questions and make a case for a tool they have been using. This process gives employees a voice and helps IT make a quicker decision about the viability of a tool. Publish a list of IT-vetted tools each year. Employees still have a choice as to which software they want to use, but will be confined to tools that already meet IT’s security criteria.
Create a Shadow IT policy : Creating a shadow IT policy enables businesses to run more efficiently, mitigate risk, and lower costs. There are three key steps to forming a shadow IT policy i.e Agree on a level of risk, Establish an IT procurement process, Educate users.