What is Shadow IT?
Shadow IT is the term for IT resources…hardware, software, subscriptions, services…used within an organization without the knowledge or approval of whoever handles IT or cybersecurity for that organization.
Keep in mind Shadow IT isn’t necessarily evil. Or destructive. It’s…well, honestly you don’t know what it is. And that’s the problem. You don’t know if it’s productive. If it’s secure. If it’s worth the money. If it’s legal.
The most common form of Shadow IT is probably employees subscribing to cloud services on their own and using them to do their jobs. For years the poster child for this has been file-sharing apps like Dropbox. Employees create accounts for themselves (personal or business) and use them to share company files and information with other people, or to get at company data from home.
Is this data secure? Is it backed up? Is it shared properly? Is it encrypted? To all these questions, the answer is “we don’t know.”
How common is Shadow IT?
My suspicion is that most small-to-medium organizations have some form of Shadow IT. Especially if that organization hasn’t done anything to control it.
Why is Shadow IT popular?
Honestly most Shadow IT purchases were probably made with the best of intentions. People (giving them the benefit of the doubt) simply couldn’t do their job with the IT tools at their disposal. IT was too slow in coming up with alternative solutions (or were never asked), so these folks went ahead and solved the problem themselves. And since the company didn’t have specific policies prohibiting this sort of thing…
Is Shadow IT dangerous?
Your corporate data is being accessed and shared with (you don’t know who) by untrained employees using applications that you don’t know are secure. Or unknown applications are being installed on company computers. Yeah, I’d say there’s a teeny bit of a chance there’s a risk here. And you know all the steps you’ve taken to make your organization more secure? Multi-factor authentication, encryption, multiple backup strategies…odds are your Shadow IT at best doesn’t have these protections, and at worst compromises the protections for the rest of your organization.
How do you deal with Shadow IT?
Technically this is actually a pretty simple problem. It’s the implementation that gets to be fun.
Step #1: Create a Shadow IT policy for your organization. This can be the most difficult step. Are employees allowed to do their jobs using hardware, software, or services that have not been sanctioned by IT or security? If the answer is no, what process can they follow to request an app or device, and how quickly will they get an answer? Remember these folks are trying to do their jobs.
Step #2: Discover/Analyze your Shadow IT. There are a ton of tools out there to monitor and manage your network. Most of them can identify applications installed on corporate devices as well as unrecognized devices on your corporate network. This won't identify everything (especially cloud services, and anything used from devices that never touch your network or web proxy), but it's a start. Several tools (e.g., Microsoft Defender for Cloud Apps in the Microsoft 365 Defender portal) add cloud app discovery and control on top of that, typically by analyzing firewall and proxy logs for traffic to known SaaS providers.
Step #3: Manage your Shadow IT. Here's where the fun really takes place. Taking your results from Step 2, you need to decide what to do with each discovered Shadow IT resource. Whether there should be any disciplinary action against the employee is a separate question and not covered here. Your options are:
Remove the resource. This is a resource that should not be in use (for any number of reasons). Inform the employee what’s happening and why.
Remove the resource and replace it. This is a resource for which a more appropriate, already-sanctioned solution exists (e.g., don't use Dropbox since we already have Microsoft 365). Inform and train the employee.
Implement the resource. This is where the resource is appropriate. Bring it "out of the shadows". This may require different licensing (a business account instead of an employee's personal one) and configuration changes (MFA, encryption, backups) so it gets the same protections as the rest of your environment.
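Steps 2 and 3 can be prototyped against the logs you already have before buying a discovery product. The script below is an added example, not code from the original post or from any vendor tool: it scans web-proxy log lines for traffic to cloud apps that are not on the sanctioned list, aggregates use per app and employee, and tags each finding with the Step 3 decision (remove, replace, or review). The log format, the sanctioned domains, and the app-to-decision mapping are all assumptions made up for this example, and the log lines are constructed.

```python
"""Added example: find unsanctioned cloud-app use in proxy logs (Step 2)
and tag each finding with a Step 3 decision.

Everything below the docstring is hypothetical: the log format, the
sanctioned-domain list, and the decision table are assumptions made for
this example, and SAMPLE_LOG is constructed, not captured.
"""
import re
from collections import defaultdict

# Constructed sample lines in an assumed format:
# "<timestamp> <user> <src_ip> <dest_host> <bytes>"
SAMPLE_LOG = """\
2024-05-01T09:12:03Z alice 10.0.1.15 outlook.office365.com 48211
2024-05-01T09:13:44Z alice 10.0.1.15 www.dropbox.com 90113
2024-05-01T09:15:10Z bob 10.0.1.22 sharepoint.example-corp.com 1200
2024-05-01T09:16:02Z bob 10.0.1.22 dl.dropboxusercontent.com 5002244
2024-05-01T09:17:59Z carol 10.0.1.31 api.notion.so 1022
2024-05-01T09:18:30Z carol 10.0.1.31 wetransfer.com 250000000
2024-05-01T09:20:00Z dave 10.0.1.40 teams.microsoft.com 3200
2024-05-01T09:21:11Z dave 10.0.1.40 files.unknown-saas.example 77
this line is malformed and must be skipped
"""

# Domain suffixes of services IT already licenses (assumed).
SANCTIONED = {"office365.com", "microsoft.com", "example-corp.com"}

# Known cloud apps mapped to the Step 3 decision (assumed policy):
#   remove  -> should not be used at all
#   replace -> a sanctioned equivalent exists (named in the third field)
#   review  -> might be implemented; decide case by case
CLOUD_APPS = {
    "dropbox.com": ("Dropbox", "replace", "OneDrive/SharePoint"),
    "dropboxusercontent.com": ("Dropbox", "replace", "OneDrive/SharePoint"),
    "wetransfer.com": ("WeTransfer", "remove", None),
    "notion.so": ("Notion", "review", None),
}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")


def domain_suffixes(host):
    """Yield suffixes of host, longest first: a.b.c.com -> a.b.c.com, b.c.com, c.com."""
    parts = host.lower().rstrip(".").split(".")
    for i in range(len(parts) - 1):
        yield ".".join(parts[i:])


def classify_host(host):
    """Return 'sanctioned', a CLOUD_APPS tuple, or None for an unknown host.

    Matching is on whole domain suffixes, so 'evil-dropbox.com' does not
    match 'dropbox.com' the way a substring check would.
    """
    for suffix in domain_suffixes(host):
        if suffix in SANCTIONED:
            return "sanctioned"
        if suffix in CLOUD_APPS:
            return CLOUD_APPS[suffix]
    return None


def find_shadow_it(log_text):
    """Aggregate unsanctioned cloud-app use per (app, user).

    Returns (findings, unknown): findings maps (app, user) to hit count,
    bytes transferred, and the Step 3 action; unknown counts hosts that
    are neither sanctioned nor a known cloud app and deserve a look.
    """
    findings = defaultdict(lambda: {"hits": 0, "bytes": 0, "action": None, "replacement": None})
    unknown = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        _ts, user, _src_ip, host, nbytes = m.groups()
        verdict = classify_host(host)
        if verdict == "sanctioned":
            continue
        if verdict is None:
            unknown[host] += 1
            continue
        app, action, replacement = verdict
        entry = findings[(app, user)]
        entry["hits"] += 1
        entry["bytes"] += int(nbytes)
        entry["action"] = action
        entry["replacement"] = replacement
    return dict(findings), dict(unknown)


def report(findings, unknown):
    """Render findings as text lines, biggest data movers first."""
    lines = []
    for (app, user), e in sorted(findings.items(), key=lambda kv: -kv[1]["bytes"]):
        extra = f" (use {e['replacement']})" if e["replacement"] else ""
        lines.append(f"{app:<11} {user:<7} {e['hits']:>3} hits {e['bytes']:>11} bytes -> {e['action']}{extra}")
    for host, n in sorted(unknown.items()):
        lines.append(f"UNKNOWN     {host} seen {n} time(s) -> investigate")
    return lines


if __name__ == "__main__":
    print("\n".join(report(*find_shadow_it(SAMPLE_LOG))))
```

The bytes column matters as much as the hit count: a single 250 MB upload to a file-transfer site is a different conversation from a handful of tiny API calls. Hosts that fall into the "unknown" bucket are where this approach is weakest, which is the same gap the page notes for cloud services; a commercial discovery tool mostly adds a much larger and maintained catalog of cloud-app domains to the same idea.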
Shadow IT can be a significant security risk. It can be an unnecessary expense. It can be a great idea, but implemented poorly. But if it stays in the Shadows, how will you know?
Contact us for help identifying your Shadow IT.