Most employees want to be productive. As cloud service consumers, we have become accustomed to finding a tool or app that will help us fill a need and simply buy it without obtaining approval from our organization first. This practice of employees bypassing IT management to procure tools and services without proper vetting has infiltrated the workplace and is known as Shadow IT.
What is Shadow IT?
Gartner, a leading research and advisory company, defines Shadow IT as "devices, software and services outside the ownership or control of IT organizations." In other words, IT departments can find themselves in the dark about some of the technologies employees are using. Examples of Shadow IT include cloud storage such as Dropbox and Google Drive, personal email accounts used to conduct business, unsanctioned Bring-Your-Own-Device (BYOD) usage or, as mentioned above, third-party Software-as-a-Service (SaaS) applications.
For the most part, employees use Shadow IT with good intentions and may not fully realize the rigor that goes into application and device selection. It's no surprise that over 80% of employees admit to using non-approved Software-as-a-Service apps within their jobs. However, adopting new technologies without proper approval and vetting creates risk for the organization.
Why is Shadow IT a potential issue?
If an organization is in a regulated industry, such as healthcare or banking, then there are certain types of information that must be protected. Such information can't be protected properly if employees are storing it in locations outside of the company's control. Similarly, the IT department won't know whether customers are at risk if it does not know where all the information lives. Gartner estimates that by 2020, a third of successful attacks experienced by enterprises will be on Shadow IT resources. Clearly, that's a risk that needs to be mitigated.
There is also a risk that work product will be lost if an employee leaves and fails to hand over the credentials to their Shadow IT applications. It could be quite an endeavor for the IT department to figure out what they were working on and where everything is stored.
What can be done about Shadow IT?
As with most questions in IT, the answers will vary. A bank will have a different approach than a publicly-funded research organization, but the initial steps remain the same.
1. Create information classifications for your company.
The company, and ultimately the employees, must clearly understand what is public, private, or confidential. The classifications for a company may vary, but the process of creating them will help determine acceptable usage guidelines. For example, a company may decide that confidential information containing social security numbers is only allowed in a predefined set of applications sanctioned by management, whereas employees may have a little more flexibility to use their preferred cloud services for private information such as meeting notes.
2. Discover existing Shadow IT.
IT departments need to know and understand how confidential information is stored and managed throughout the company. A variety of tools can help with the information-gathering process: technical solutions like Microsoft Cloud App Security, or softer approaches such as an employee survey, are both examples.
3. Adopt or prohibit services.
Many of the discovered services will offer professional versions with centralized management. If the services add value, consider vetting and adopting them while also determining which classifications of information are allowed.
4. Educate employees.
Written policies and end-user education are critical. Technology is always evolving, and tomorrow will continue to bring new ways of working. There is no substitute for ensuring employees are aware of clearly-defined policies and guidelines for the acceptable handling of company data.
IT organizations are just now learning to re-evaluate their perspective and are beginning to embrace Shadow IT. When a company embraces it and creates a culture of security awareness, it will decrease the amount of effort spent playing Whack-A-Mole with Shadow IT. Acceptance will allow the members of organizations to focus on increasing productivity while keeping data security as a top priority. In the end, employees don't use Shadow IT to rebel or frustrate the IT department; they use it to get their work done more efficiently.
Do you want to keep your Shadow IT reined in? Learn more about creating policies and procedures around the usage of IT.
Systems Engineering's Jeff Trudel is a Technology Consultant in the Professional Services department. Jeff is currently working with Systems Engineering clients to create and deliver thorough policies and procedures, including Information Security Policies, Business Continuity Plans, and Acceptable User Agreements, to assist organizations in securing their most precious information assets.