Shadow IT brings up security, integration and operational challenges. Companies have three paths to choose from when it comes to dealing with shadow IT: they can accept it, try to suppress it or ignore it. The last option may be the path of least resistance, but it can put the organization at tremendous risk. Ignoring shadow IT can threaten enterprise systems and data, and a security-conscious enterprise must have a plan for dealing with it effectively.
Defining Shadow IT
Shadow IT is an umbrella term referring to any technology, be it an application or a device (smartphone, tablet, laptop, etc.), deployed within an organization without the approval of the IT department. IT departments are often unaware that these applications are being used, whether by individual employees or by entire lines of business.
Most employees who adopt unsanctioned solutions do so with good intentions, not to undermine security, but to more effectively do their job. With the plethora of business and productivity applications available and the ease of installing these applications, shadow IT continues to propagate. Oftentimes, the process of seeking official IT approval for new applications is onerous and long, so employees take matters into their own hands. The cloud and mobile are large contributors to the shadow IT problem.
Common shadow IT examples include:
- Productivity apps (Trello, Slack, Asana)
- Messaging apps on corporate-owned devices (Snapchat, WhatsApp)
- Physical devices (flash drives, external drives)
- Cloud storage (Dropbox, Google Drive)
- Communication apps (Skype, VoIP)
The Risks of Shadow IT
According to Cisco, 80% of end users use software not cleared by IT, 83% of IT staff admit to using unsanctioned software or services, and only 8% of all enterprises actually know the scope of shadow IT within their organization!
Shadow IT, without a doubt, adds risk to your organization, and your employees are your weak link. Michael Bruemmer, vice president of Experian Data Breach Resolution, explained, “As we have seen in our incident response service that we do for clients, about 80% of all the breaches we service have a root cause in some type of employee negligence.” When non-sanctioned applications and devices are in use, vulnerabilities can be introduced into the infrastructure, and without IT oversight the root cause of an incident is very difficult to find. Some examples of the risk that shadow IT introduces include:
- Software Asset Management (SAM): Organizations need to track all software applications used and licensing information. Unauthorized software makes this already difficult task nearly impossible, leading to our next risk.
- Compliance: Unauthorized applications, once discovered, can mandate a complete audit of the infrastructure to ensure you are compliant. Organizations that do not take this seriously risk hefty fines for non-compliance.
- Testing: IT infrastructures are complex organisms that require management. Introducing new applications without proper testing can compromise the entire infrastructure. Shadow IT also adds complexity to the testing process, because a third-party vendor now has to be involved.
- Configuration management: Creating a configuration management database (CMDB) and defining relationships between different systems is labor-intensive. When other employees use shadow IT, those systems are not included and can have compatibility issues as a result.
Managing Shadow IT
Organizations must place a high value on reining in shadow IT and work closely with lines of business to mitigate their risk. Suggestions include:
- Continuously monitor the network for shadow IT applications and systems.
- Conduct an audit, and ask your employees to come forward about shadow IT, promising that they will not face consequences for using shadow IT applications.
- Create a system for ranking and prioritizing risk. Not all applications outside of IT control are equally threatening.
- Develop a list of devices approved for BYOD use, and make sure employees know that “jailbroken” devices are prohibited.
- Develop an internal app store for all applications that have been evaluated and approved for use within the corporate infrastructure.
- Block applications that are deemed dangerous and require users to seek approval before downloading.
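The first, third and last suggestions above (monitor the network, rank by risk, block the dangerous ones) can be tied together in one piece of detection logic. The script below is an added example, not code from the original article or from any vendor it mentions: it reads web-proxy log lines, maps each destination host to a known SaaS app, drops the apps IT has sanctioned, ranks what remains by risk tier and upload volume, and proposes a proxy deny list for the highest tier. The log lines, the sanctioned-app list, the app catalogue and the risk tiers are all constructed for illustration; the log format (timestamp, user, method, URL, bytes) is an assumed one, not the format of any particular proxy.

```python
"""Flag and rank unsanctioned SaaS use from web-proxy logs.

Added example; not part of the original article. Every data value below
(log lines, sanctioned list, catalogue, risk tiers) is constructed or
assumed for illustration.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log lines: timestamp, user, method, URL, bytes sent.
SAMPLE_LOG = """\
2024-05-01T09:01:12Z alice GET https://app.slack.com/api/conversations.list 512
2024-05-01T09:02:44Z bob POST https://www.dropbox.com/upload 8388608
2024-05-01T09:03:10Z alice GET https://trello.com/b/abc123 1024
2024-05-01T09:05:55Z carol POST https://content.dropboxapi.com/2/files/upload 16777216
2024-05-01T09:07:01Z dave GET https://drive.google.com/drive/my-drive 2048
2024-05-01T09:08:30Z bob GET https://www.example.com/ 300
2024-05-01T09:09:15Z erin POST https://api.asana.com/1.0/tasks 700
"""

# Apps IT has approved (assumed; in practice this comes from the SAM tool or CMDB).
SANCTIONED = {"Slack"}

# Known SaaS apps keyed by host suffix -> (app name, risk tier). Tiers are
# assumed values: 3 = can exfiltrate files, 2 = holds business data.
CATALOGUE = {
    "dropbox.com": ("Dropbox", 3),
    "dropboxapi.com": ("Dropbox", 3),
    "drive.google.com": ("Google Drive", 3),
    "trello.com": ("Trello", 2),
    "asana.com": ("Asana", 2),
    "slack.com": ("Slack", 2),
}

UPLOAD_METHODS = {"POST", "PUT"}


def lookup_app(host):
    """Longest-suffix match of a hostname against CATALOGUE.
    Returns (app, tier), or None for hosts not in the catalogue."""
    host = host.lower().rstrip(".")
    best = None
    for suffix, entry in CATALOGUE.items():
        if host == suffix or host.endswith("." + suffix):
            if best is None or len(suffix) > len(best[0]):
                best = (suffix, entry)
    return best[1] if best else None


def parse_line(line):
    """Parse 'ts user method url bytes'; returns a dict, or None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, user, method, url, nbytes = parts
    host = urlsplit(url).hostname
    if host is None or not nbytes.isdigit():
        return None
    return {"ts": ts, "user": user, "method": method.upper(),
            "host": host, "bytes": int(nbytes)}


def rank_unsanctioned(log_text, sanctioned=SANCTIONED):
    """Aggregate unsanctioned app use per app and rank by risk tier, then by
    bytes uploaded, then by number of distinct users.
    Returns (ranked_apps, unknown_hosts); unknown hosts are not in the
    catalogue and deserve a manual look rather than silent dismissal."""
    agg = {}
    unknown = defaultdict(int)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        hit = lookup_app(rec["host"])
        if hit is None:
            unknown[rec["host"]] += 1
            continue
        app, tier = hit
        if app in sanctioned:
            continue
        a = agg.setdefault(app, {"app": app, "tier": tier, "users": set(),
                                 "hosts": set(), "requests": 0, "upload_bytes": 0})
        a["users"].add(rec["user"])
        a["hosts"].add(rec["host"])
        a["requests"] += 1
        if rec["method"] in UPLOAD_METHODS:
            a["upload_bytes"] += rec["bytes"]
    ranked = sorted(agg.values(),
                    key=lambda a: (-a["tier"], -a["upload_bytes"], -len(a["users"])))
    return ranked, dict(unknown)


def block_candidates(ranked, min_tier=3):
    """Observed hosts of unsanctioned apps at or above min_tier: a starting
    point for a proxy deny list that redirects users to the approval process."""
    hosts = set()
    for a in ranked:
        if a["tier"] >= min_tier:
            hosts |= a["hosts"]
    return sorted(hosts)


if __name__ == "__main__":
    ranked, unknown = rank_unsanctioned(SAMPLE_LOG)
    for a in ranked:
        print(f'{a["app"]:<13} tier={a["tier"]} users={len(a["users"])} '
              f'requests={a["requests"]} upload_bytes={a["upload_bytes"]}')
    print("not in catalogue:", unknown)
    print("block candidates:", block_candidates(ranked))
```

On the constructed log, Dropbox ranks first (two users, about 24 MB uploaded), Google Drive second on tier alone, and www.example.com lands in the unknown bucket rather than being ignored. The suffix match deliberately uses the narrow `drive.google.com` rather than `google.com`, so ordinary search traffic is not counted as cloud storage; a production version would use the Public Suffix List and a maintained SaaS catalogue rather than the hand-written one here.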
In the long run, CIOs need to develop comprehensive procedures for approving cloud applications that are fast and efficient so that employees will not need to go around the system in a rogue manner. When employees are given a choice on what devices and applications they can use, it improves productivity, drives innovation and increases morale. So, embrace shadow IT in a way that manages risk and keeps your organization safe and compliant. Read more in our Who Owns Cloud Security eBook.