The dark, foreboding presence of shadow IT inspires fear in most IT departments as it sneaks into businesses undetected when people download their own unapproved applications, software and even devices. However, is shadow IT as ominous as it sounds? And, if so, what can businesses do to avoid the spread of darkness?
Shadow IT originated as a means for personnel to bypass IT rules by implementing and using their own applications, software or devices for work purposes. Often, this is because an employee finds their chosen technology works better than the one prescribed by the company’s IT division, whether because it’s familiar, easier to use or – they believe – it achieves better results.
A more common reason for the spread of shadow IT is the length of time it takes for IT to approve and roll out a technology, which often runs past the completion date of the challenge it was intended to solve. Employees, frustrated by waiting for usable tech to be approved, decide to adopt their own instead.
The proliferation of cloud applications (many of them free) has made it easy for anyone to access and use their own Software-as-a-Service (SaaS) solutions without having to obtain approval from their IT department or management. While this certainly provides an immediate fix for users, it does pose a potentially huge security risk for businesses.
IT has become central to businesses and drives the success of business operations. The prevalence of cybercrime threatens the success of business, as cybercriminals seek and find weaknesses in increasingly complex IT environments. As businesses become more connected, adding more points of access to their networks, they’ve had to increase their cyber security efforts to ensure the protection of their data, critical business systems and plans.
When users adopt their own technology for business purposes, using company data on unmanaged software and applications, IT is unable to include these within their security net. They cannot protect what they don’t know about, and this provides easy access for cybercriminals to not only steal company data, but to infiltrate the business’s IT environment.
Shadow IT increases the risk of data loss not just due to cybercrime, but also due to the inability to back up data that is outside of IT’s control. In the event of a system failure on an unsanctioned application, valuable company data can be lost, and there is no recourse.
It can also be inefficient, despite efficiency being a primary reason for users to adopt shadow IT. Not all technologies are able to integrate with existing systems, which can make it harder for users to complete their tasks.
Shadow IT becomes more than just an IT concern. Due to the security risks to the company as well as the inefficiencies created, it becomes a business concern – one which management needs to address.
How to prevent shadow IT
For many businesses, shadow IT is forbidden. However, it’s not always possible to enforce this, as it’s impossible to control what you don’t know about.
In order to enforce a ban on shadow IT, businesses need to understand the risks and have a complete bird’s-eye view of their environment. Full understanding of the risks requires knowing precisely what is contained within the business IT environment, how it is accessed and whether or not it is fully functional and efficient.
Businesses need to conduct an audit to gain full visibility of their environment, documenting every system, application and tool, whether authorised or not. They can then decide which technologies to adopt and which to eliminate, ensuring all are properly secured and protected.
An accurate audit, however, requires full disclosure, and employees will need to own up to any and all unauthorised technologies they could be using. If the technology offers an improvement on existing technology, it may well be adopted and incorporated into the environment. However, those that pose more risks than rewards will need to be banned.
Once they know what they have, businesses will need to enforce governance. They will need to determine a framework to adopt, communicate this to all employees, fully explaining the risks and consequences of failure to adhere, and ensure this is maintained. Regular checks and audits will be required to constantly ensure no unauthorised technology is added to the environment at any time.
How to enable shadow IT
Some businesses enjoy the agility and freedom of choice offered by adopting shadow IT. Even so, to avoid risk to the business, there still need to be proper controls in place.
In these cases, the businesses need to outline the risks and define a policy for the quick approval and incorporation of user-chosen technologies. The policy needs to be regularly updated and communicated to all staff. Employees will also need to ensure they keep the business informed of any technology they have adopted or wish to adopt, so that IT can put the necessary security measures in place, as well as enable integration with existing technologies.
There are many APIs available for cloud technologies today, which help to enable integration with existing environments and speed up the process of adoption. However, there are some technologies which will prove unsuitable. In these cases, this opens the door for communication between IT and the business, enabling collaboration on choosing the right alternative technology to meet the business’s needs.
Security policies will need to be strict, however, and employees will need to have a clear understanding of the risks and their role in preventing risk.
Shedding light on the shadow
Shadow IT seems set to stay in some form or another, depending on how businesses adopt it. However, the market will need a strategy around shadow IT, one that CIOs and CEOs will need to address one way or the other.
By Rohit Andani, Senior Cyber Security Consultant at In2IT