Why Shadow IT is one of your company's biggest threats
In today’s Internet of Everything world, we’re more connected than ever before—which means more opportunity for security threats and data breaches. To raise awareness about the importance of security, we’ll be celebrating National Cyber Security Awareness Month (NCSAM) by sharing security-focused content all month. Each Monday in October, we’ll share a new security blog post from our experts. Enjoy!
Join the conversation on Twitter with #NCSAM and #CyberAware.
Who knows what evil lurks in the heart of your organization? The Shadow IT knows.
This is a bit of a pun based on an old radio program called The Shadow (it was made into a rather forgettable movie starring Alec Baldwin in the 90s). But the pun captures a troubling truth. Your organization is facing a growing security threat—Shadow IT.
We’re now at the point, at least in the western world, where the majority of working age people have spent the last 20 or 30 years using technology. Almost everyone is comfortable with ideas like installing software, connecting to networks and some fundamental of the cloud. They know how computers work and how to buy and install software.
Couple this reality with the fact that enterprise software has been consumerized—it is now very easy for anyone in your organization to spin up a server, setup project management software online, or install software on their laptops. Just a few years ago, this would require going through a procurement process and getting approval from the IT team, who would then spec out a device/software and set it up.
That same procurement process that once provided for the entire organization has now become the very reason so many teams turn to unapproved solutions—requests for software or resources are often denied, and when requests are approved, installation is often too slow to meet the requester’s timelines.
What is Shadow IT and how does it happen?
Armed with a corporate credit card and an internet connection, employees are finding their own solutions. They bring their own devices into the enterprise. The software they want runs in the cloud. There’s nothing to install. It’s likely that employees in your company are using dozens of solutions like Basecamp, DropBox or Office 365 that may or may not be properly licensed or maintained, or may duplicate other solutions you offer as an IT department. And who can blame them? Many IT teams are isolating themselves by making things more difficult for users and are seen as a roadblock to getting things done. And when this happens, people will turn to Shadow IT to meet their needs.
What are the concerns of Shadow IT?
Individuals see Shadow IT as a good solution for their problems. But the proliferation of unapproved tech solutions in your organization increases your technical footprint and can create some big headaches. The first becomes obvious when IT is asked to solve problems caused by incompatible applications. How can you anticipate these issues when you don’t even know which tech solutions your organization is using?
This is one place where IT can help the entire organization. But they have to get in front of the trend and understand who is using what. There are tools from companies, such as Microsoft, Okta and One Login, that can configure new users in services like SalesForce, Office 365 and other SaaS solutions--all through a single account, which allows IT to maintain and manage all of those licenses from a centralized location while giving users a smooth experience to get the tools they want and need. By focusing on adding value to the users and not just increasing control you’re more likely to get user adoption of tools and guidelines. Training evangelists throughout the ranks will also help.
An even bigger concern with Shadow IT is security. Without controls on which services are used, who uses them and what limits are placed on customer data, Shadow IT can be a security disaster waiting to happen. What happens if a motivated salesperson downloads customer data from a SaaS app to his personal mobile device so he can make calls on his way to work every morning—then the phone is lost or stolen? Will anyone know? Can your organization afford that liability? Do these rogue devices and applications break your compliances?
And it’s not just phones or computers. Employees who bring IoT devices into work and add them to the network may open your systems to significant security risks. Does your IT team watch all of your network traffic and know where it’s coming from? Is it properly confined? Do you implement good network segmentation that splits out any device with secure data and reduce your security risk? Are things getting patched properly?
In reality, it may be impossible to put the genie back in the bottle and put an end to Shadow IT for good. But there are a few things your technology team can do to stay on top of the problem.
How to prevent Shadow IT
First, think of other company employees as your customers, because in a very real sense they are. IT is there to support and enable them. How can you deliver a “product experience” that is best in class? When IT forgets this critical support function, Shadow IT springs up.
Next, you need to be sitting down with the various departments in your organization to talk about their technology needs. Which solutions do they need that IT doesn’t currently provide? What software are they using now? Which web applications? Which cloud services do they use to support their work? And what value are they getting from each one?
*Extra credit for those who are sitting down with different departments and teams to get a better understanding of their goals and problems and identifying technologies that can help them address those needs they don’t even know about.
As you speak with each department, you may find out that 20% of them are using this application or 50% are using that one. Help get these “internal customers” access to these solutions through proper channels, identify better solutions that provide more features or value than they currently get, or negotiate better pricing for the services they use, based on the total number of licenses the organization needs. At the very least, you’ll be able to identify potential problems simply by knowing who is using what.
If Shadow IT has become a problem in your organization (and it almost certainly has), my recommendation would be to think about your internal customer’s user experience as if you were a product manager. Educate users on the risks that their actions can have. Then provide or build tools that give your company the ability to see and share the applications they’re using. Find out why they’re using the tools they have and educate yourself on the needs of the other teams in your organization. Then meet them.
Shadow IT is going to happen. So the more you can get your arms around it and support it, the sooner you’ll be able to mitigate the risks and bring it out of the shadows for good.
Learn more about how you can educate your IT team with our guide.