To the uninitiated, the term “shadow IT” may conjure up images of mysterious hackers in dimly-lit rooms or ghostly apparitions fixing printers. In our department, we know that shadow IT is not quite so immediately threatening, but it’s certainly something to keep an eye on. Today, we’re taking a look at shadow IT, its future and what you can do to stay strategic when it may be going on at your company.
What is shadow IT?
Shadow IT is, at its most basic, all unapproved technology and applications that may be used at your place of work. While that may include things as innocuous as email widgets or the desktop version of Chip’s Challenge that Karen from finance plays on her lunch break, it can also include processes that could endanger your company’s data and security. The biggest risk of shadow IT is the unintentional disclosure of data through file-sharing programs, so the use of any file-sharing programs you haven’t internally vetted and approved needs to be immediately addressed.
Put strong processes in place
In a 2016 Intel Security survey, 23 percent of respondents said their departments handle security without IT’s help. That statistic, combined with the fact that more than 80 percent of respondents in a Frost & Sullivan and Intel Security survey admitted to using non-approved applications in their jobs, shows how essential it is that you educate, inform and monitor your company on shadow IT.
Education can come in many forms: whether it’s dedicated training sessions, newsletters, videos or real-life simulations, you need to get department heads on the same page when it comes to shadow IT. Impress upon them the potential security risks that accompany the use of unapproved applications, and listen to their suggestions for applications that should be approved in order to increase their department’s productivity. Then, work with department leaders to evaluate new services and develop a solid approval process. With that in place, you’re better equipped to work with your coworkers to monitor shadow IT.
Even with solid processes, some people will still ignore the rules (looking at you, Karen). To make sure those revolutionaries aren’t causing problems, it’s important to monitor activity and proactively protect against dangerous uses of shadow IT. Here are a few tactics you can implement to get a better sense of activity and protect your company:
- Apply functionality controls to high-risk apps to restrict uploading, posting and downloading abilities. When you add these controls at the IP level, you can more easily change them depending on employees’ needs.
- A data loss prevention (DLP) program can restrict the flow of data to cloud apps, helping to protect against breaches. DLP software can also be configured to recognize and restrict the transfer of sensitive data, like payment card information, personal health information and payroll information.
- Have periodic discussions with employees, managers and the C-suite to discuss what information is actually needed, how they’re using different applications and what you can do to facilitate their work without compromising security. Shadow IT isn’t something that you can control right away: it’s an ongoing issue that requires ongoing communication.
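The DLP tactic above, sketched as an added example that is not part of the original article: a check that recognizes payment card numbers in outbound uploads (using the Luhn checksum to cut false positives) and blocks them when the destination is not an approved file-sharing host. The host names, the allowlist and the sample uploads are constructed assumptions.

```python
import re

# Hypothetical allowlist of vetted file-sharing hosts (assumption, not from the article).
APPROVED_HOSTS = {"files.corp.example"}

# Candidate card numbers: 13-19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Return True when the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)  # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_card_numbers(text: str) -> list[str]:
    """Return masked card-like numbers in text that pass the Luhn check."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            # Keep only the last four digits so the finding itself leaks nothing.
            hits.append("*" * (len(digits) - 4) + digits[-4:])
    return hits

def evaluate_upload(host: str, body: str) -> dict:
    """Block card data headed to unapproved hosts; alert on either signal alone."""
    cards = find_card_numbers(body)
    approved = host.lower() in APPROVED_HOSTS
    if cards and not approved:
        action = "block"
    else:
        action = "alert" if cards or not approved else "allow"
    return {"host": host, "action": action, "cards": cards}

# Constructed sample uploads; 4111 1111 1111 1111 is a widely used test card number.
SAMPLE_UPLOADS = [
    ("files.corp.example", "Q3 roadmap draft"),
    ("share.unvetted.example", "invoice for card 4111 1111 1111 1111"),
    ("share.unvetted.example", "order id 1234567890123456"),  # fails Luhn
]

if __name__ == "__main__":
    for host, body in SAMPLE_UPLOADS:
        print(evaluate_upload(host, body))
```

The third sample shows why the checksum matters: a 16-digit order id looks like a card number to the regex but fails Luhn, so the upload is only flagged for going to an unapproved host.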