When a US contact-tracing company exposed the details of 70,000 individuals, the term Shadow IT resonated: employees had used Google accounts for sharing data as part of an “unauthorized collaboration channel.”
Do you know what technology your teams are using and what company data is being used on them? If the answer is “no,” the next step should be better understanding Shadow IT.
While not a new phenomenon, Shadow IT is increasingly challenging IT security leaders as businesses shift to the Cloud and more apps are added to the network. Teams regularly rely on file storage apps, task management tools, messaging and email platforms, or even Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) systems everyday. One company with dozens of teams and hundreds of employees across unlimited channels clouds any leader’s chance of clarity in a hurry in this reality.
The main problem, though, with Shadow IT isn’t really the need for new tools, it’s the fact that people use them without IT knowing. This usually happens because they perceive IT policies as restrictive and antagonistic toward their productivity. In this way, Shadow IT is a policy, not a software, issue.
So how can leaders encourage employees to involve IT without reducing their autonomy? Put simply, the solution to Shadow IT relies on people, processes, and technology.
If you are a CEO, CTO, or CISO, or are somehow involved in technology decision making, here’s what you need to know to combat Shadow IT.
First, answer the question: What is Shadow IT? Gartner defines it as any IT devices, software, and/or services used in an organization that are outside the ownership or control of IT teams. In other words, it’s the use of hardware, software, or Cloud services without the approval of the Information Technology (IT) area, often introducing security and compliance concerns.
Shadow IT can encompass enterprise-grade tools or consumer tech. Some common examples of Shadow IT, only when they’re not officially licensed or sanctioned by the IT department, include:
It’s important to note that these applications are not dangerous per se, but only when they’re used as a workaround that’s different from the solutions proposed by IT. Imagine a scenario where a file is too big to send via Gmail (the official email app), so someone decides to use Dropbox instead. That’s Shadow IT.
The use of unsanctioned apps creates a shadow supply chain – a complex web of unknown cloud applications, user accounts, data, and permissions scattered across the internet that are connected to the enterprise network.
When the pandemic accelerated digital transformation, organizations focused on business continuity, often at the expense of cybersecurity. Certain policies were suspended to support the rapid shift to the cloud as staff tried to get things done.
In one study by HP, 76% of IT teams admitted that security lost priority in favor of business continuity during the pandemic, while 91% said they felt pressured to compromise security. As more people started using their personal devices to work from home, downloads of unsanctioned apps increased.
But Shadow IT existed way before the 2020 pandemic. Corporate users have long ago developed a habit of adopting cloud apps and services to assist them in their work, sometimes bypassing IT security policies if they found them to be too restrictive or attempting against productivity.
Shadow IT arises due to several reasons:
Business units often assume the cloud service provider will take care of security, when in fact it’s the organization’s responsibility. But security can’t protect what they can’t see.
Reducing the Shadow IT risk starts with building a company-wide policy that’s not perceived as restrictive but protective of the network. Incorporating new apps isn’t necessarily detrimental to the organization, but they must be addressed appropriately. It’s important that everyone in your organization knows this.
Your Shadow IT policy should include the following sections:
The goal of this policy is twofold: To educate users so they don’t need to turn to Shadow IT; and to be prepared to act if they do.
Shadow IT exists in nearly every organization, so you need to be able to discover, list, and classify Shadow IT assets. Consider the following categories:
This list should be continuously updated as part of routine security reviews. The next step is to decide what to do with each piece of unsanctioned and prohibited Shadow IT. Before making any decisions, try to understand the use case and the reasons why an employee decided to incorporate that technology.
Some useful questions for this discovery process include:
Depending on how necessary the asset turns out to be, the IT team will move it to the Authorized list, replace it with an existing function, or discontinue its use.
In addition to a comprehensive policy, the following tips can help combat the undisclosed use of technology and software within your organization.
|cookielawinfo-checkbox-analytics||11 months||This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".|
|cookielawinfo-checkbox-functional||11 months||The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".|
|cookielawinfo-checkbox-necessary||11 months||This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".|
|cookielawinfo-checkbox-others||11 months||This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.|
|cookielawinfo-checkbox-performance||11 months||This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".|