Shadow IT: When Tech in a Company Takes on a Life of Its Own
No, we’re not necessarily talking about AI tools in this case. While AI is probably the first thing that comes to mind when we talk about technology taking on a life of its own, shadow IT is even more insidious.
We know that people are a very fragile link in the security chain. What is thought about less often is the influence employees have on company equipment. Many companies entice new hires in their HR materials with laptops, phones, and other hardware. But that doesn’t mean that everything is so nice and clean.
IT that IT Doesn't Know About
From a security perspective, we know that a company builds processes and then needs the cooperation of employees to make everything work. If we apply the same idea to equipment, then the company provides the hardware and software needed for the job, but employees may have a different opinion about it.
Although the company’s strategy for working with equipment is a key area of security, it is not fully appreciated by employees. This leads to situations where an employee decides to use their own hardware or applications for the activities for which they are responsible.
Definition of shadow IT: devices, tools, and services that employees use without the knowledge or approval of the IT department.
Quite a logical reaction. I have my job, I understand my job better than, say, the IT department, so I can find the best tools. But at that moment, one fundamental perspective is missing – what the IT department doesn’t know about, it can’t protect.
Why Does It Arise?
We can find far more plausible reasons than an employee wanting to harm their company. In fact, the reason is usually the opposite: they want to do their job effectively and well.
It may happen that the official list of tools approved by the internal IT department does not fit the real needs of employees. Hand on heart, which company manages to keep up with the rapidly changing market of IT equipment and tools?
But if we think about the real reason, it is insufficient communication about the needs of employees. And that is usually the fault of both parties.
The Risks of Shadow IT
They can be really serious. Security is no fun these days at any level, personal or corporate. So if the security experts in a company don’t know about a tool, the company is opening itself up to a potential cyber disaster.
Security Threat
We’ve been talking about this risk since the beginning of this article. The more unified a company’s cybersecurity is, the more securely it will operate. This doesn’t mean that all the equipment comes from a single provider.
Unity means unified management and oversight by an IT department that has every aspect of its operations under its thumb. It can then set up a strategy, processes, and procedures so that security measures surround the company as a protective layer.
But when an employee uses shadow IT, they are punching holes in this protective layer, and those holes make intrusions and attacks easier.
Legal Issues
But the attack doesn’t have to be limited to internal operations. Another pitfall of shadow IT is information leaks. And that’s a big problem in this day and age of GDPR and other regulations.
This is an area where employees probably don’t think about the consequences of using their own tools. GDPR still leaves a bitter aftertaste. But if it’s meant to serve as the justification for not using “necessary” IT, it’s not exactly a compelling one.
But if we put our opinions and dislikes aside, it’s logical that in order for the IT department to be able to properly protect all company data, it needs to know where it is and how it’s being used.
Complications for the IT Department
IT people are the backbone of the entire company – and always will be. So if they don’t know about the devices and tools that employees use, they don’t know what to look after and what to protect.
It’s also much harder for them to uncover the root of any problems that arise, because the source may be employees using shadow IT. For IT departments it’s a bit like tilting at windmills: even when they try their best, others are putting obstacles in their way.
Unnecessary Costs
Last but not least, there are the costs the company spends on equipment that no one uses. So in addition to the IT department, managers will also not be entirely happy with the use of shadow IT.
How to Deal With Shadow IT?
One option is certainly a strict ban and sanctions. But when you think about it, it’s not exactly the best solution. Because at the end of the day, a ban is just a bunch of words that can be ignored and circumvented.
A much better solution is not to ignore the elephant in the room and to communicate openly about shadow IT within the company.
One step is to set rules for when and how shadow IT may be used, together with processes that monitor it. Some companies allow BYOD (Bring Your Own Device), so they have to set the boundaries of this access in order to maintain security.
At the same time, however, there is also the need to conduct regular audits to prevent any trouble from starting in the company. And most importantly, you need to get the employees themselves on your side. Their cooperation is key.
It’s good to include information about shadow IT and the attitude that the company’s management and IT department have towards it in regular employee education and training.
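The monitoring and audit steps above only work if IT can compare what it has approved with what is actually on the network. The following script is an added example, not code from the original article: it takes constructed DHCP lease records and proxy log lines (all MACs, hosts and domain names are placeholders) and reports devices missing from the asset inventory and unapproved SaaS hosts, including how much data was uploaded to them and from which clients.

```python
import re

# Constructed asset inventory (what IT knows about): MAC address -> asset tag.
APPROVED_DEVICES = {
    "aa:bb:cc:00:00:01": "LAPTOP-0421 (finance)",
    "aa:bb:cc:00:00:02": "LAPTOP-0422 (sales)",
}
# Constructed list of SaaS hosts the IT department has reviewed and approved.
APPROVED_SAAS = {"mail.example-corp.com", "crm.example-corp.com"}
# Constructed DHCP leases (MAC, IP, hostname); the phone was never registered.
DHCP_LEASES = [
    ("aa:bb:cc:00:00:01", "10.0.1.10", "LAPTOP-0421"),
    ("aa:bb:cc:00:00:02", "10.0.1.11", "LAPTOP-0422"),
    ("de:ad:be:ef:00:07", "10.0.1.57", "Jans-iPhone"),
]
# Constructed proxy log lines: "<client ip> <method> <host> <bytes>".
PROXY_LOG = """\
10.0.1.10 GET mail.example-corp.com 5120
10.0.1.11 POST crm.example-corp.com 2048
10.0.1.11 POST files.unreviewed-share.example 9400000
10.0.1.57 POST files.unreviewed-share.example 310000
10.0.1.10 GET notes.personal-app.example 700
this line is garbage and must not crash the audit
"""
LINE_RE = re.compile(r"^(\S+) (GET|POST|PUT|DELETE) (\S+) (\d+)$")

def unknown_devices(leases, inventory):
    """Devices seen on the network whose MAC is not in the asset inventory."""
    return [lease for lease in leases if lease[0] not in inventory]

def unapproved_services(log, approved):
    """Map each unapproved host to request count, bytes uploaded (POST/PUT)
    and the set of client IPs using it, so IT can see who sends data where."""
    report = {}
    for line in log.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # malformed line: skip it rather than abort the audit
        ip, method, host, size = match.groups()
        if host in approved:
            continue
        entry = report.setdefault(host, {"requests": 0, "upload_bytes": 0, "clients": set()})
        entry["requests"] += 1
        entry["clients"].add(ip)
        if method in ("POST", "PUT"):
            entry["upload_bytes"] += int(size)
    return report

if __name__ == "__main__":
    print(unknown_devices(DHCP_LEASES, APPROVED_DEVICES), unapproved_services(PROXY_LOG, APPROVED_SAAS))
```

In practice the inventory and the approved list come from the asset register and the tool catalogue the article recommends agreeing on with employees; the unapproved hosts are the starting point for the conversation, not for sanctions.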
Transparency Instead of Prohibitions
A “ban” response is not enough. If a company ignores shadow IT, the problem grows. As with other areas of security, shadow IT requires open communication within the company about the risks and about the approach that works best for the entire team. Bans can work, but education and collaboration are far more powerful.
If management clearly communicates the importance of a common stance on shadow IT, employees communicate their needs, and both parties hear each other’s side, then the company is well on its way to preventing shadow IT from taking on a life of its own.