Shadow IT: What You Don’t See Can Hurt You

Shadow IT is any technology used by employees that your IT department doesn’t know about. That would never happen to us, you may say — but you’re probably wrong. According to Gartner, most companies hugely underestimate how much shadow IT their employees are using. And that’s a big problem, because what you don’t know about, you can’t secure. Outsourcing your IT operations to a skilled managed service provider is a good way to standardize IT. Even if you don’t outsource, here’s what you need to know to start shining some light into the dark corners of your IT infrastructure.

What is shadow IT?

In general, your employees are either signing up for cloud services that aren’t approved or using a personal device, like a phone, tablet, or laptop, that hasn’t been properly configured for secure use on your network.

Why do they do that?

Because they’ve learned about a new application or service that they believe will help them work more effectively and efficiently. The thing is, they might be right! It’s entirely possible that something they’ve discovered on their own time works better than what your IT department provides. It’s also probably much faster and easier for them to sign up for a new tool on their own initiative than to ask IT to provision something for them. It can often take weeks for IT to test and approve new technology. You can’t really fault them for wanting to do their jobs better.

So why is it a problem?

Because by introducing applications and devices to the network without IT’s oversight, they’re increasing your company’s data security risks.

Cloud services operate on a model of shared responsibility for security. The provider is responsible for securing its own infrastructure, but the user still has to configure and use the service in a secure way. When IT isn’t involved, that’s less likely to happen. Without proper configuration and use, even the most secure cloud services can leak data, which creates both confidentiality and compliance problems. A user who doesn’t understand fully how to control access to a file in a cloud service might share it with the wrong people or in a way that can’t be audited properly. If IT doesn’t know the user has an account on that cloud service, your company doesn’t know where its data is. When that employee leaves, you don’t know what you need to remove from the cloud or even that there’s anything to remove.

Employee-owned devices probably aren’t properly configured with antivirus protection, access controls, and other security measures. If you don’t even know they’re on your network, you have no way of knowing whether that user is storing unencrypted data on an easily stolen device or infecting your network with malware and ransomware the user doesn’t even know is there.

This sounds serious. What do I do?

It is serious, because you don’t know what you don’t know. To improve your situation, we recommend that you work your way through the following steps:
1. Start with user education. Your employees probably haven’t given much thought to the consequences of using non-sanctioned services and devices, so you need to begin building a culture that makes them aware of the risks and emphasizes that everyone has a role to play in the team effort of protecting company data.

2. Establish clear bring-your-own-device (BYOD) and cloud services policies so there’s no confusion around what IT allows. Require employees to go through mandatory procedures for connecting an employee-owned device to the network or signing up for a cloud service. No exceptions!

3. Create clear acceptable use policies that cover questions like what data can be put in the cloud, what data can be put on a personal device, what applications can be used with company data, and so forth.

4. Take the path of least resistance. Your employees are going around security and using shadow IT because it makes their jobs easier — so make it even easier than that to stay secure. Get your security pros to vet the best tools and configure them appropriately. Then you can say “Yes, here’s a tool that does what you want to do without compromising security” instead of “No, we don’t allow that.”

5. Monitor access to non-sanctioned apps and devices, but don’t block them except as a last resort. There are so many ways for people to remove data from the corporate environment that it’s almost impossible to block them all, especially given how easy it is for developers to create new applications and services. In addition, blocking prevents legitimate use. What if you block Dropbox, but one of your clients relies on it as its primary file-sharing solution? You’re stuck between reversing IT’s decision to block it or asking your client to adopt a different solution for your convenience.
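As an added illustration of the monitor-first step above (this is example code written for this article, not a Xantrion tool): a small Python script that reads web-proxy log lines, compares each destination against a hypothetical inventory of IT-sanctioned services, and reports which unsanctioned services are in use, by how many users, and how much data went out, so IT can decide what to vet and what to retire instead of blocking blindly. The log lines and the sanctioned-service list are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines: timestamp, user, destination host, bytes sent out.
PROXY_LOG = """\
2024-05-01T09:12:03Z alice www.dropbox.com 120334
2024-05-01T09:15:44Z bob api.dropbox.com 5021
2024-05-01T09:20:10Z carol drive.google.com 88011
2024-05-01T10:01:52Z dave www.dropbox.com 7734
2024-05-01T10:05:09Z erin files.example-notes.io 44100
2024-05-01T10:07:31Z alice outlook.office365.com 3002
"""

# Hypothetical inventory of services IT has vetted and approved, keyed by registrable domain.
SANCTIONED = {"google.com": "Google Drive", "office365.com": "Microsoft 365"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")


def registrable_domain(host):
    """Reduce a hostname to its last two labels. Good enough for this sample;
    production code should use a public-suffix list (e.g. for co.uk domains)."""
    return ".".join(host.lower().split(".")[-2:])


def parse_line(line):
    """Parse one log line into a record, or return None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, host, out_bytes = m.groups()
    return {"ts": ts, "user": user, "domain": registrable_domain(host), "bytes": int(out_bytes)}


def shadow_it_report(log_text, sanctioned):
    """Aggregate traffic to unsanctioned domains: distinct users and bytes sent out.
    Result is ordered by user count (widest adoption first) to help IT triage
    which services to vet and bring under control before anything is blocked."""
    agg = defaultdict(lambda: {"users": set(), "bytes": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["domain"] in sanctioned:
            continue  # skip garbage lines and approved services
        agg[rec["domain"]]["users"].add(rec["user"])
        agg[rec["domain"]]["bytes"] += rec["bytes"]
    return {d: {"users": sorted(v["users"]), "bytes": v["bytes"]}
            for d, v in sorted(agg.items(), key=lambda kv: -len(kv[1]["users"]))}


if __name__ == "__main__":
    for domain, info in shadow_it_report(PROXY_LOG, SANCTIONED).items():
        print(f"{domain}: {len(info['users'])} user(s) {info['users']}, {info['bytes']} bytes out")
```

On the sample data the report surfaces dropbox.com (three users) ahead of the single-user note-taking service, which is exactly the signal you need to decide whether to sanction and configure Dropbox properly rather than cut off a service a client may depend on.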

Can Xantrion help?

Yes! We have state-of-the-art tools to detect what devices and cloud apps people are using so you can figure out which to bring under IT’s control and which to tell people to stop using. We can also help you create solid technical restrictions around especially sensitive data by using digital rights management solutions that encrypt and restrict access to individual files so they’re protected no matter where they are. Get in touch to learn more about how our Managed Security services can help you start shining some light into the shadowy corners of your infrastructure.