Pulling Shadow IT Into the Light
Shadow IT has grown within the enterprise alongside the adoption of the cloud. Recent research from IBM Security found that a full one-third of Fortune 1000 employees share and upload corporate data on unsactioned third-party cloud apps.
When employees circumvent company-approved apps, processes or devices and instead turn to those they prefer, it creates shadow IT. Employees may do this because the path to use the devices they want does not exist or because they wish to use a different tool than what the organization has provided. This approach can lead to security problems like unauthorized access to confidential business information since malicious actors can exploit these unmanaged apps to enter your network.
Just being tolerant of multiple pathways may not work. Indeed, it may even be negligent.
What to Do?
CIOs need to bring the problem of shadow IT under control, especially in light of the fact that new reports confirm members of the IT department rather than line-of-business employees may be the biggest offenders.
One way to address this is to mandate the use of approved methods with the proper security tools. The right choice can both detect unauthorized app usage and correlate it to employees. But simple detection alone will not solve the problem.
Employees need to know what apps are approved, especially if they have been flagged as using unsanctioned programs. By offering self-onboarding as an option for these users, the problem can correct itself before continued usage leads to legitimate cyberthreats.
Risks of Shadow IT
Risks must be prioritized. If you know what apps or services make up shadow systems, establish a blockade with existing infrastructure methods. Conversely, low-risk situations can be permitted as long as there is sufficient network monitoring to ensures they do not evolve into a high-risk situation.
Setting bring-your-own-device (BYOD) guidelines can also help avert problems before they happen. If one particular kind of device has been correlated with significant security problems, it seems unwise to allow your company to continue purchasing it or permitting its use.
Educating your workers on the consequences of their choices is smart, especially if an amnesty for past use is offered. Amnesty can encourage staff to change their use patterns and be open about possible existing threats to the network — but they must know up front that they won’t be penalized.
IT as Gatekeepers
The IT department can be a useful tool in this fight, assuming they are not encouraging the shadow process by ignoring it when violations occur. By making IT the gatekeepers for the rest of the company, employees can have a single source to consult with for informational tasks. The IT department must be adaptable here, looking for the reason why employees are going around rules and providing a workable solution.
Shadow IT happens when tools that are sanctioned are not up to the jobs that need to be done. Fixing it requires cooperation on all sides, not just hierarchical authoritarianism.