As companies work to implement practices and protocols designed to keep internet usage and data access under tight permissions, “shadow IT” (information technology) is becoming an increasingly common issue when it comes to maintaining cybersecurity.
What is shadow IT?
Shadow IT is a term that is broadly used to define an employee’s use of software, platforms, applications, devices or services without the approval or oversight of an organization’s IT department.
Why is shadow IT so common?
In some cases, workers may feel bogged down or obstructed by company-approved workflows or protocols.
An internal file sharing platform that an organization mandates the use of, for example, may not be an employee’s preferred application. They may find it quicker and easier to get work done by using something they are more familiar with, such as DropBox.
In doing so, however, they go outside of the organization’s field of view and could potentially expose sensitive data to unauthorized or malicious users.
In this way, shadow IT has the potential to put cybersecurity on the line in favor of an individual’s familiarity or efficiency.
One of the most common reasons for the prevalence of shadow IT is that obtaining IT approval can often take time and slow down production. For many of today’s busy employees, it’s simply quicker to forge their own path than use the proper avenues to ensure that their actions are safe.
There is also the chance that IT may deny the request altogether, leaving the employee the choice to either continue to use their preferred methods and risk punishment or slog through the process of adapting to a methodology that they may find to be demoralizing or irritating.
How shadow IT can negatively affect your business
The most obvious downside to shadow IT is the challenges it brings to the task of keeping an organization’s data secure and safe from breaches and hackers, although other obstacles can also be present.
For example, an employee’s favored app or platform may not be compatible with a company’s preferred or proprietary solution. This could make integration or file sharing difficult or even impossible. Compatibility issues that require additional workarounds eat up time and may end up canceling out any perceived shadow IT benefits with regard to efficiency.
Data loss can also result from employees saving important information or documents on platforms that the organization does not have access to or the ability to back up appropriately. Shadow IT may, in this way, lack the safety nets that help prevent data loss or the accidental deletion of critical files.
Shadow IT limits the ability of administrators to see and control who is connecting to their network and with what devices.
Shadow IT can also prove to be a tremendous obstacle in the event of a security breach or hack. If an organization’s IT administrators need to comb through a variety of databases, platforms and apps as they attempt to regain control of their system or network, they are less likely to be able to mitigate any resulting damage.
A tightly controlled and well organized network of approved apps with full IT administrator access creates an environment that is much more conducive not only to isolating and stopping threats before they take over, but also to preventing them from happening in the first place.
Are there any pros to shadow IT?
Shadow IT isn’t exclusively negative. Allowing employees a degree of freedom to create and adhere to workflows that better suit their preferences can make for quicker, more effortless results. Industries that require creativity and outside-the-box thinking also benefit from allowing people the ability to work in ways that can generate unexpected solutions.
Overzealous IT departments have a reputation for draconian policies that box people into specific methodologies that may limit synergy. While their reasons for tight control are understandable, some organizations are taking a more collaborative approach to how they administer their IT regulations by actively listening to the needs and desires of their employees.
IT administrators, working alongside other departments, are then able to provide the protection needed to maintain cybersecurity while still letting employees use tools and platforms that work best for them.
How can organizations adapt?
Every business or organization operates differently, meaning that managing shadow IT doesn’t have a one-size-fits-all solution.
However, a common theme when it comes to managing shadow IT is a combination of control and oversight. While it is next to impossible for most private organizations to completely prevent employees from checking email, sharing files or using poorly protected devices for business, steps can be taken to help keep these risks under control:
- Regularly inform and remind employees of the dangers associated with shadow IT. It’s very easy to allow safety to take a back seat to convenience, especially in fast-paced industries where so many people are working remotely through so many different platforms.
- If your company has a bring your own device (BYOD) policy, keep it updated with regard to what is allowed on the company’s network and consider setting up a separate network to isolate internet of things (IoT) devices from critical company data.
- Consider a policy that punishes employees in breach of shadow IT rules to act as a deterrent.
- Network monitoring services exist that can alert IT administrators to unauthorized activity. This can help keep track of any potentially hazardous devices connecting to the network and can also allow administrators to know where data is being stored.
- Restrict access to high risk platforms, sites and apps. Shutting down access to file trading platforms or other apps that IT deems to be troublesome can help prevent blurring the lines between the company’s secure processes and those that fall outside of their ability to properly monitor.
- Collaborate and listen to employees’ thoughts and logic when it comes to their preferred platforms and apps. As every organization works to continually improve and streamline their processes, it’s always worth keeping an open mind. Some people may use new platforms, or even well-known ones, in surprising ways that may integrate nicely into the organization’s existing infrastructure.
Sources
- What is Shadow IT? Defined, Explained, and Explored by Forcepoint
- TTI | The Pros and Cons of Shadow IT by Craig Badrick, 5 April 2016, Turn-Key Technologies
- How can IT teams better manage shadow IT? By Paul Kirvan, 9 Nov 2021, TechTarget
- 6 Tips to Help CIOs Manage Shadow IT by Jennifer Lonoff Schiff, 13 Nov 2013, CIO
- What is Shadow IT? And How to Manage It 23 Aug 2021, SecurityScorecard
