Have you ever used Dropbox to share large official documents? If yes, then you have gone through the practicality of ‘Shadow IT’.
A survey by Stratecast and Frost & Sullivan highlights that 80% of employees say they use applications on the job that aren’t approved by IT. Generally, such shadow solutions are adopted by an employee or a team in order to enhance their productivity. For instance, an employee can use a different file-sharing solution than the one officially permitted by the IT team, simply due to the ease of use. However, IT departments are usually unaware of the use of such applications by an employee or the entire team. The result is shadow IT.
Also Read: 10 Cybersecurity resolutions that every organization needs to make for a safer 2022
What Is Shadow IT?
If your mind went immediately to a negative connotation, you’re not the only one. Several people think of shadow IT as a type of technology used by hackers to attack a system or network. While shadow IT doesn’t refer to hacking, it is not exactly innocent, either.
Gartner describes shadow IT as IT devices, software, and services outside the ownership or control of organizations’ IT team. Simply put, shadow IT refers to the unsanctioned use of software, hardware, or other systems and services within an organization, often without the knowledge of that organization’s IT department. And this is what makes shadow IT risky.
Why Users Turn to Shadow IT?
One of the biggest reasons why employees engage in shadow IT is simply to work more efficiently. Most employees who adopt such unsanctioned solutions do so with good intentions. They do not wish to undermine security, but to do their job more effectively. For many employees, IT approval is a bottleneck to productivity, especially when they can get their own solution up and running in just minutes. Popular shadow IT examples include,
- Productivity apps: Trello, Asana
- Messaging/video conferencing apps: Zoom, Microsoft Teams
- Physical devices: Smartphones, Tablets
- Cloud storage: Google Drive, OneDrive
What Are the Risks of Shadow IT?
Shadow IT introduces shadow risks. While employees are able to conveniently complete their tasks using shadow IT systems, such practice introduces unprecedented risks to the organization such as:
- Loss of sensitive data: Shadow IT increases the likelihood that your data will end up outside the control of your IT team. For instance, if an employee is using personal device to store official data and the device is stolen then your organization’s data is compromised.
- Non-compliance: Using Shadow IT systems can cause compliance issues, especially if your organization is dealing with sensitive/personal details of your customers.
- Increased IT costs: The inability to view or control systems means that organizations are seeing their IT costs increase significantly.
- User access breach: Suppose an employee uses his/her business email to login to your enterprise resource planning (ERP) solution. If the employee uses same business email to login to an unauthorized messaging application, then he/she might be using the same password for both. Any vulnerabilities in the messaging app can help the cyber threat actors to gain access to the organization’s ERP software. Such user access breach can lead to data breach.
- Lack of visibility: Unknown devices and software used by employees lead to lack of visibility for the IT team. This increases the risk of cyber-attacks significantly as it is difficult to mitigate risks in the absence of visibility.
How to Control Shadow IT?
- Provide employees the tools they need: Employees turn to different software in order to make their job easier and quicker. Identifying their needs and providing them with apt solutions can prevent them from turning to other options.
- Shadow IT detection: Using a shadow IT discovery tool can help IT teams discover and track all the solutions and tools that the employees are currently using. Then, IT teams can allow, restrict, or block the usage of such tools based on the need and the risk involved.
- Educate employees to be cyber aware: Employees may be unaware of the security risks related to shadow IT. Training them on best practices such as disclosing the use of any unsanctioned software can help to prevent the likelihood of data compromise.
- Establish strict policies that help to anticipate and manage the shadow IT. For instance- a well defined BYOD (Bring Your Own Device) policy can help to mitigate the risks arising out of use of personal devices. There also needs to be a comprehensive policy on shadow IT that establishes protocols for the adoption of new hardware/software within an organization.
- Conduct periodic audits: As part of a compliance process, organizations should conduct periodic audits to ensure that the policies such as BYOD, Shadow IT policy etc. are being adhered to.
Wrapping up
Despite its risks, shadow IT has its benefits. Getting approval from IT can be a cumbersome process at times. Being the ‘Big Brother’ isn’t always conducive to productivity. Organizations need to find a middle ground. For instance, allow the employees to find the applications that work best for them while allowing IT to control data and user permissions for such applications. This approach can take care of user experience as well as the security aspect to a great extent.
