You may have an IT policy telling employees not to download unsanctioned applications, but they want to boost their productivity, or perhaps they prefer to work with an app they already know and love. So, they get a tool or service that meets their needs without telling IT.
The employee may have the best of intentions. They want to work better for your business. They don’t see the harm in adding that convenient app to their computer. Or they don’t think it’s a big deal to use their own device to complete their work (even if unsanctioned). Maybe they want to be efficient, so they use a personal email account to conduct your business.
Any of these examples are part of Shadow IT, and it's running rampant. In Frost & Sullivan research, 80% of employees admitted they had used non-approved software. Even 83% of IT workers were using non-vetted Software as a Service (SaaS) applications. So, what’s the big deal? We’ll cover that next.
The Potential Pitfalls with Shadow IT
First, if your business is in a regulated industry, Shadow IT could put you at risk of noncompliance. That unsanctioned device may not be encrypted. Sharing business data over a personal email would be a big no-no in a healthcare or banking space. Shadow IT certainly undermines audit accountability.
It can also drive up IT costs. Say accounting doesn’t know that the business has already paid to use certain software. So, they pay for it again out of their own budget.
If IT is unaware of the Shadow applications or devices, they can’t manage the vulnerabilities. The business doesn’t know customer data or personal identification information about employees is at risk.
And there is greater threat of a data breach or ransomware attack. Employees downloading a third-party app could inadvertently give a hacker access to your network.
Additionally, the business risks losing productivity. The work someone does on a shadow app, for example, could be lost to the company if that employee moves on. IT wouldn’t have access to that account to retrieve the information or files. They don’t even know it is out there on that unknown app or device.
Shine a Light on Shadow IT
Because this IT lingers in the shadows, it can be challenging to coral. Still, there are several steps you can take.
Educate employees about cyber policies.
Create and communicate acceptable use guidelines, and make sure your workers know what your policies are regarding:
- SaaS downloads;
- use of personal devices (e.g. mobile phones, laptops, USB flash drives, portable data storage devices);
- emailing from personal accounts or using messaging apps;
- online document sharing;
- online voice or meeting technology.
Establish clear information classifications distinguishing between public, private, and confidential data. This can help employees recognize they are putting important data at risk when they disregard use policies.
Do a dive to discover Shadow IT.
IT needs to get to know what technology is in use at the business (both on- and off-site). This is more challenging now with people working from home due to COVID-19. Still, a survey of employees and their devices can help gather information about unknowns.
Determine the value of IT discovered.
Don’t overreact. You don’t want to necessarily ban all Shadow IT that you discover. Some of the services could have value. Vet the applications or devices found or reported. Review their connection to private or confidential data or essential network systems. If several employees use an unsanctioned app, you may want to invest in it. With a professional version, your IT team can safely manage the app.
Deliver the IT your people need.
Why are people circumventing your IT policies? Are they are under pressure? Are they are looking to meet an unmet need? Are they are more comfortable with a familiar app or device? It’s important to understand what the employee is aiming to accomplish or why they’ve turned to shadow IT. This can help you identify IT needs and areas where you need to improve.
Shadow IT is data or applications that are outside your business protection. IT can only watch what it knows about. Shadow IT is unsafe and unpredictable.