What is Shadow IT and why should you care?
If you’re an IT manager, you’ve probably heard the term Shadow IT before. Shadow IT refers to technology that your company doesn’t officially use, but that employees are using anyway because they believe it will benefit them more than the company-approved option would. A lot of companies even encourage their employees to use casual technology like personal laptops or smartphones, so long as it doesn’t interfere with work. While this might sound like an okay situation, Shadow IT has its risks and disadvantages.
Why Does Shadow IT Happen
The three primary causes for Shadow IT are: 1) Security 2) Privacy 3) Cost. When it comes to security, I’m not just talking about data security. I’m talking about user security—the feeling that our employers will never know we did anything wrong or skimped on policy when we break down and use a forbidden app in order to get work done. When it comes to privacy, we all want our business to be our business. As one of my friends put it recently, “I don’t share my stuff at home with co-workers, so I don’t share my stuff at work with them either.” It doesn’t have anything to do with trust; it has everything to do with being private in your life. And finally, cost. Shadow IT can oftentimes be cheaper than company-provided products. Apps like Slack, Google Apps, Dropbox Pro, etc. are often much less expensive than licensing their branded alternatives. So users take advantage of these companies because they offer more flexibility without giving up support/service if things go south (which they will).
Types of Shadow IT
The types of Shadow IT vary but include everything from wireless mobile devices to covert mobile apps. There are three main categories:
(1) Bring Your Own Device (BYOD),
(2) Covert Apps and
(3) Out-of-Control Software Licensing.
Each category presents a different risk factor in a company’s environment. For example, a business that allows BYOD has a different security posture than one that has mandated solutions for each device type in its organization. Thus, just because an employee may bring his own phone to work doesn’t mean he can install an app without anyone noticing. Many employees fail to consider just how much information their employers have about them stored on company servers—and how accessible that information may be via remote desktop or VPN connection. If your corporation does not monitor these connections closely, you could very well be allowing malicious actors access to sensitive data with little way of preventing it. So even if someone isn’t taking advantage of existing avenues for bringing malware onto corporate assets, they may do so via Shadow IT. It also means that management must take steps to support users who rely on unofficial applications through regular patch cycles; doing so too often will quickly undermine trust between corporations and users alike.
Is Shadow IT a Risk to my Organization?
There are many benefits of Shadow IT, including saving time and cost while increasing productivity. However, there is always a tradeoff between convenience and security. So while some implementations may provide great benefits, others pose serious risks which outweigh any added benefits they provide. In some cases, instituting an acceptable use policy may help reduce some risks associated with shadow IT.
Problems With Shadow IT
While cloud-based services are flexible, intuitive, and easy to use, employees often circumvent corporate technology departments by installing personal software. This type of technology is known as shadow IT—and it can be risky for both companies and workers. Here are some reasons why.
How To Manage Shadow IT
Let’s face it, as consumers, we all love new gadgets. Whether it’s a new phone or a shiny tablet PC, we have short attention spans for tech, so when a new shiny object comes along that can help us do our jobs better or be more efficient, it’s hard to say no. For your company, however, these kinds of decisions can be risky.
So how does an organization deal with individuals bringing in their own technology without risking security breaches or any other issues that come with allowing outside devices into your company?
The best solution is to create a policy outlining what employees are allowed to bring in. This way there are clear expectations between IT and users on exactly what they can bring in. If someone brings in something you don’t allow, explain why not without chastising them personally for making choices. And just because something doesn’t fall within that list doesn’t mean they can’t use it in some capacity. You may offer to loan out one of your very same tablets, smartphones or even laptops so long as certain protocols are followed. Creating a policy also helps mitigate potential legal liabilities in case something bad happens. From copyright violations to data theft and physical device damage, you want everyone clearly aware of which behaviour is acceptable and which isn’t. With clear rules in place, people will still find ways around them, but at least having stated policies in place gives attorneys a clearer landscape when it comes time to figure out if things could have been prevented or what type of damages could occur.
A shadow IT policy serves another purpose as well, that being education. Being able to directly tell employees why they can’t bring in these items builds trust over time. Your company cares about protecting sensitive information and goes to great lengths to make sure nothing gets past them—it shows confidence in how good you are at doing your job. But no matter how thorough your policies are, there will always be attempts at getting around them. New apps constantly pop up offering unique services or cool features that might look good to try out at work. As long as everything is running through your systems, though, it’s easy enough to audit activity remotely and keep track of what users are doing on their devices.
Otherwise, know someone who works at a competitor and would like some insider information? That sounds like a huge liability waiting to happen, right? Regardless of whether your employees choose to follow specific guidelines or not, they need to understand that IT has ultimate authority when it comes to infrastructure controls. Instead of looking askance at every little thing someone tries to add, though, remind them that while you value their input and ingenuity, oftentimes outsiders simply don’t have full knowledge of how complex network structures operate day-to-day. Encourage them to bring their ideas to you. An honest conversation upfront will give you an opportunity to let them know what’s possible, explain why it won’t work or simply show appreciation for their interest in wanting to improve efficiency. Put yourself in your employees’ shoes. Do you really think they are maliciously trying to hurt your company? Probably not. Most are legitimately excited about using new tools that they’ve had experience with at home or on their phones at night. They’re excited to be given a chance to apply what they’ve learned in real life.