Shadow IT: Mitigating the Risks amidst the Crisis
The massive lockdowns and restrictions caused by the coronavirus have forced businesses to make their employees work from home for the foreseeable future. This “new normal” can exacerbate issues encountered by the IT department in their never-ending battle to secure a company’s IT systems and infrastructure. One of these issues is Shadow IT. IT departments must have a way to handle the adverse effects that Shadow IT can have in the workplace, or else it will contribute to the existing work crisis being faced by businesses amidst the global pandemic.
What is Shadow IT?
Shadow IT is information-technology-related hardware or software used by employees or departments within a business that is not known to, or approved by, the business’s IT department. One may wonder why employees, or even whole departments, would choose to use hardware or software behind their IT department’s back. A 2012 RSA study notes that 35 percent of employees feel the need to temporarily circumvent their company’s IT policies in order to get their work done. This happens especially if a certain technology concern or issue cannot be addressed by the company’s current systems, policies or both.
Employees may believe that the IT-approved hardware or software is not the best solution for the challenges they encounter in their work. They may believe that there are better alternatives to corporate-approved software available, such as using a file-sharing service like Dropbox or Google Drive instead of emailing files to co-workers. Employees may simply own better hardware: an employee’s personal smartphone might be more powerful than their company-issued one. It can also be a matter of preference or familiarity with the Shadow IT alternative. Maybe employees feel that Slack is a better communications platform than company-mandated Skype. Maybe an employee prefers their own Mac to the company-issued Windows machine.
Shadow IT and the pandemic
As employees continue to work remotely, they might be even more motivated to use Shadow IT. Working remotely brings to the forefront the challenges and limitations of having colleagues work together as a team without being in the same place. A company’s communication platform, project-monitoring tools, and file-sharing services will be put to the test by these conditions. If employees find the IT-approved software or services lacking while working remotely, they might consider finding alternatives in order to be more effective. The pandemic may cause a scenario where even managers or department heads will consider using Shadow IT. For example, if the people they supervise use desktop computers instead of laptops, the leaders might consider procuring laptops for their employees themselves if the IT department is unable to do so in a timely manner.
Though Shadow IT has its benefits for the employees who choose to use it, using software or hardware that the IT department does not approve or know about can adversely impact a company. The benefits gained through such use would not outweigh the negative impact it has on the business. Let us look at three possible negative impacts Shadow IT may have on a company:
- Loss of work and data because of malfunctioning hardware. Personal devices may not have the same customer support and service warranties that enterprise devices do. The breakdown of an employee’s personal hardware may mean loss of progress for a specific task and/or loss of company data.
- Employees may get locked out of the Shadow IT accounts they use. This can happen with any application that requires an individual to create an account to use a software service. Let us say an employee signs up for a file-sharing service like Dropbox, and then shares the account with various members of their team in order to share work files easily with one another. A few months later, the employee then leaves the company but the separation was not amicable. The disgruntled ex-employee can lock down the Dropbox account, leaving their former teammates unable to get to their files.
- Unknown data breaches. The analyst firm Gartner predicts that by 2020, a third of successful cyber-attacks on businesses will be done through shadow IT resources. Let us take the example of shadow IT usage in another direction. Instead of a former employee locking out their teammates from the account, the software itself gets hacked. This is a severe issue because the account is a shadow resource, and the IT department is unaware that critical company data may now be in the hands of unscrupulous entities. Furthermore, the hackers can use the information they gathered from the hack to breach the company’s own security protocols.
Dealing with Shadow IT
There are several ways of dealing with Shadow IT. First, IT security has improved by such leaps and bounds that the market now has products that are able to monitor, manage, and control software distributions to company-issued devices. The existence of data loss prevention (DLP) products gives companies the capability to prevent the export of data outside of authorized devices. They can even establish geofencing and geo-location tracking. Finally, IT security governance and compliance policies are designed to specifically address the usage of shadow accounts.
However, resourceful employees will still find ways to circumvent the mechanisms put in place. Given how fast the digital landscape changes, there will always be better, more efficient software and hardware on the horizon. Employees will seek these resources out, regardless of whether their IT department allows their use or not. Another way to deal with the use of Shadow IT is to compromise and find a middle ground with the employees who use these resources in order to mitigate the possible negative impacts. This may be done by the following:
- Differentiating between good and bad Shadow IT and allowing use of the good Shadow IT resources. Foster an environment where departments and employees can go to their IT department with a request to use new hardware or software without automatically hearing the word “no”.
- Educating employees about securing their third-party accounts. Use best practices for account passwords or even a password manager service. When available, use two-factor authentication.
- Strengthening security of the company’s IT infrastructure. Even if employees’ shadow accounts get breached, strong IT security policies may prevent successful attacks on the company’s own systems.
Shadow IT will always remain a temptation, especially to the more maverick employees. It is time for leaders and CIOs to recognize its existence, temper that temptation, and provide alternatives that can boost their organization’s security without disrupting productivity.