What is shadow IT?
Shadow IT refers to software, services and devices put into use by users in your organization without the oversight of your IT team. In most cases, people are only trying to work more efficiently and enhance their job output and performance. However, any software, service or device with access to company data creates a vulnerability, because it is a blind spot for the IT team.
Think of your office space and physical security. You might have cameras, automatic lights, locks on doors, maybe even an access system. However, on a particularly beautiful day, someone decides to open a window a bit for some fresh air, then forgets to close it before leaving the office. That window could be used as an entry point for someone with ill intent or even a curious squirrel that then scatters and damages files on a desk. The harmful entity doesn’t need to have ill intent, only the means to wreak havoc. There is a reason your IT team works hard to ensure systems and software are updated and patched. It is because even the best code can have flaws which either introduce threats or create holes for threats to take advantage of – just like that cracked window.
When users or departments introduce shadow IT, it is not to say they are careless or malevolent; they’re just trying to get work done. Maybe they add their corporate email account to a personal phone, or log in to your hosted applications from home computers to do a little extra work after hours. They might find a handy piece of software that helps them edit photo or video files. Maybe they upload a file to a personal Google or OneDrive folder to work on outside the office. Lots of people are test-driving various AI tools to automate everything from email to meeting summaries. Some of these tools may well be justified in their use – with the oversight of your IT team. Users are more concerned with getting tasks completed than with keeping their tools current. In an unmanaged situation, it’s not uncommon for software to be installed on a system, used for a brief time and then forgotten. It just sits there, never patched, with its risks intact. Data put into cloud storage that your IT team does not manage faces risks from compromise of the platform, weak user credentials, and a potential lack of multi-factor authentication on the account. Additionally, not all services guarantee any kind of privacy for data entered into the tool. This is the case with free AI tools. Only paid tools from trusted vendors offer any privacy and protection of your private data entered into them. (Read the terms.) What happens to your data when the person who put it there forgets and moves on? It definitely happens, and recovery or deletion of the data is near impossible – especially if you don’t know it’s there.
Think your organization isn’t at risk? Here are some stats from a survey in 2020. Even though it’s a few years old, numbers in these categories remain alarmingly high:

So, how do you get a handle on shadow IT in your organization? Here are some steps you can take.
Consistent Training
Make your entire organization, C-suite included, aware of the risks of shadow IT. A good security awareness training package can help users understand those risks and provides regular reminders – because we’re all forgetful about the things we don’t have in front of us on a consistent basis.
Establish Policies
Develop security policies addressing these issues and incorporate them into your employee handbook. Address such things as use of personal devices; adoption of new software and accounts; exfiltration of data; and acceptable networks for devices. It’s best to keep a list of tools allowed for individual users so that as roles change, it can be updated as needed. You don’t need to create these from scratch. Our security training platform incorporates easily adapted templates.
Discovery
Gather information from users about the use of personal tools for business purposes. Assure them that innocent use will not be punished and that you are simply trying to ensure complete control over company data to avoid compromising sensitive customer and employee information. Engaging them gives them a stake in corporate data protection.
When shadow IT is discovered, probe as to whether it is still in use. If not, extract any data that can be and close that hole. If it’s still in use, find out what problem the tool solves. Does it make sense to keep it or look for a better solution?
For most tools your team may put into use, there are business-oriented versions which can be centrally managed by your IT team and managers. Good tools are encrypted and have permissions-based access so that when people change roles, the data can be retained and new permissions assigned. Additionally, team-centered applications help everyone work more productively. Check terms before signing up to be sure your data will be private and protected.
Audit Systems
Audit corporate devices for unknown software. Again, determine whether it’s still in use and why. Make changes that make sense. Keep lists of licensed solutions and who’s using them. Not only will this help you keep track of your data, but you’ll have a handle on licensing fees as well. Many small companies buy software, services and devices that end up not fulfilling the desired objective, and that adds up. Tracking builds in some due-diligence research before making a commitment, which can save up-front time and expenses.
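As an added example (not from the original post), a small Python allowlist audit of a software inventory export: the product names, users, devices and dates are constructed. It flags products not on the licensed list, licensed products installed for users not approved for them, installs not used in 90 days (the forgotten, unpatched case), and licensed seats nobody has installed.

```python
from datetime import date, timedelta

# Constructed allowlist of licensed tools: product -> users approved to use it.
LICENSED = {
    "Microsoft 365": {"alice", "bob", "carol"},
    "Slack": {"alice", "bob"},
    "Adobe Acrobat": {"carol"},
}

# Constructed inventory export: one row per installed product per device.
INVENTORY = [
    {"device": "LT-001", "user": "alice", "product": "Microsoft 365", "last_used": "2024-05-01"},
    {"device": "LT-001", "user": "alice", "product": "FreeVideoCutter", "last_used": "2023-11-20"},
    {"device": "LT-002", "user": "bob", "product": "Slack", "last_used": "2024-05-02"},
    {"device": "LT-002", "user": "bob", "product": "Adobe Acrobat", "last_used": "2024-04-28"},
    {"device": "LT-003", "user": "carol", "product": "SyncToPersonalCloud", "last_used": "2024-04-30"},
]


def audit(inventory, licensed, today, stale_after_days=90):
    """Bucket rows as 'unknown' (not on the licensed list: candidate shadow IT),
    'unlicensed_user' (licensed tool, but not for this user) and 'stale' (not
    used within stale_after_days: installed, forgotten, likely unpatched).
    A row can be both unknown and stale."""
    findings = {"unknown": [], "unlicensed_user": [], "stale": []}
    for row in inventory:
        approved = licensed.get(row["product"])
        if approved is None:
            findings["unknown"].append(row)
        elif row["user"] not in approved:
            findings["unlicensed_user"].append(row)
        if today - date.fromisoformat(row["last_used"]) > timedelta(days=stale_after_days):
            findings["stale"].append(row)
    return findings


def unused_licenses(inventory, licensed):
    """Licensed users with no install of the product: seats paid for but idle."""
    installed_by = {}
    for row in inventory:
        installed_by.setdefault(row["product"], set()).add(row["user"])
    return {p: sorted(u - installed_by.get(p, set()))
            for p, u in licensed.items() if u - installed_by.get(p, set())}


if __name__ == "__main__":
    for bucket, rows in audit(INVENTORY, LICENSED, date(2024, 5, 3)).items():
        for row in rows:
            print(f"{bucket:16} {row['device']} {row['user']:6} {row['product']}")
    print("idle seats:", unused_licenses(INVENTORY, LICENSED))
```

In practice the inventory rows would come from your endpoint management or asset inventory export rather than a hard-coded list.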
Communicate
Encourage open communication and involve IT when looking for solutions. Your IT team may not know of every tool out there, but they can certainly evaluate those your users find to ensure they meet your security and compliance requirements, and make sure they stay patched against vulnerabilities.