Employees are always looking for ways to work more efficiently and effectively. This may include anything from installing an application that checks grammar and spelling in documents, to using their mobile phone to quickly answer emails, to using a cloud file storage solution to easily send large files to colleagues and third parties. Although these digital technologies may improve productivity, they can pose a significant security risk if a business’s IT team does not have visibility of them. This concept is called Shadow IT, and in this article we discuss how it poses a security risk.
What is Shadow IT?
Shadow IT refers to any devices, software and services used by employees without the control of their IT provider or IT department.
In terms of devices, this may include using a personal mobile phone on a business’s network, or using an external hard drive to transport files between work and home. Some productivity application examples include Slack, Trello and Asana. For cloud storage, this may be using WeTransfer to send files, or storing company files on Google Drive or Dropbox. Other examples may include communication applications, such as Skype or other VoIP solutions.
How does Shadow IT pose a security risk?
Shadow IT can be the cause of a cyberattack. Some potential issues include:
Lack of Visibility and Control
If an IT team is not aware of the technology or software being used, they cannot take the necessary steps to secure it. The business could then become a victim of a cyberattack.
If employees are using devices that an IT team does not have visibility or control over, this also poses a security risk. When IT teams set up work devices, they configure protections to prevent the device from being compromised; devices outside their control do not receive these protections.
Compliance Issues
Different industries have different regulations that businesses must comply with. Shadow IT increases the chance of businesses not meeting the necessary requirements. This is particularly pertinent for GDPR, as a business is required to delete a subject’s data if the subject requests it. If an employee has this data stored on a system and it is not deleted, this is a breach of GDPR.
Increased Risk of Data Breach or Leak
If employees are using cloud storage or cloud file transfer services, this increases the chance that the data will end up out of a business’s control. If these files are moved onto an employee’s personal cloud storage solution, and this account is compromised, it means there has been a data breach, which the IT team may not even be aware of.
What can businesses do to combat Shadow IT?
Shadow IT is difficult to detect and avoid, but there are steps a business can take to increase visibility and reduce the associated risks.
One method to combat Shadow IT is to continuously monitor your IT environment. Monitoring devices and network traffic helps identify where all company data resides. It also helps with knowing when a new device enters a network.
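One way to put this kind of monitoring into practice, shown as an added example that is not part of the original article: the script below compares DHCP leases against a list of IT-managed devices and totals uploads to cloud services that have not been approved. The log layouts, device inventory, approved-service list and all sample log lines are constructed assumptions; adapt the parsing to the logs your own DHCP server and web proxy produce.

```python
from collections import defaultdict
# Assumption: MACs of IT-managed devices, exported from an asset inventory.
MANAGED_MACS = {"00:1a:2b:3c:4d:01", "00:1a:2b:3c:4d:02"}
# Assumptions: service domains to watch for, and those IT has approved.
WATCHED = {"wetransfer.com", "dropbox.com", "drive.google.com",
           "slack.com", "trello.com", "asana.com"}
SANCTIONED = {"slack.com"}
# Constructed sample logs; the field layout is hypothetical.
DHCP_LOG = """\
2024-05-01T08:00:03 ACK 10.0.0.11 00:1a:2b:3c:4d:01 laptop-fin-01
2024-05-01T08:02:10 ACK 10.0.0.12 00:1A:2B:3C:4D:02 laptop-hr-02
2024-05-01T08:15:44 ACK 10.0.0.57 de:ad:be:ef:00:99 Galaxy-S21
"""
PROXY_LOG = """\
2024-05-01T09:01:00 10.0.0.11 CONNECT slack.com:443 bytes_out=1200
2024-05-01T09:05:12 10.0.0.12 CONNECT www.dropbox.com:443 bytes_out=52428800
2024-05-01T09:07:30 10.0.0.57 CONNECT wetransfer.com:443 bytes_out=734003200
2024-05-01T09:09:02 10.0.0.11 CONNECT intranet.example.com:443 bytes_out=900
"""

def unmanaged_devices(dhcp_log):
    """Return {ip: hostname} for leases whose MAC is not in the inventory."""
    found = {}
    for line in dhcp_log.splitlines():
        _ts, _event, ip, mac, host = line.split()
        if mac.lower() not in MANAGED_MACS:  # normalise case before comparing
            found[ip] = host
    return found

def match_service(host):
    """Match a host or any parent domain against WATCHED, skipping the bare TLD."""
    labels = host.lower().split(".")
    hits = (".".join(labels[i:]) for i in range(len(labels) - 1))
    return next((d for d in hits if d in WATCHED), None)

def unsanctioned_uploads(proxy_log):
    """Return {(src_ip, service): bytes sent} for watched services not approved."""
    totals = defaultdict(int)
    for line in proxy_log.splitlines():
        _ts, src, _method, target, size = line.split()
        service = match_service(target.rsplit(":", 1)[0])  # drop the :port
        if service and service not in SANCTIONED:
            totals[(src, service)] += int(size.split("=", 1)[1])
    return dict(totals)

if __name__ == "__main__":
    rogue = unmanaged_devices(DHCP_LOG)
    for (src, svc), sent in sorted(unsanctioned_uploads(PROXY_LOG).items()):
        print(f"{src} [{rogue.get(src, 'managed')}] sent {sent} bytes to {svc}")
```

Joining the two results by IP address shows which unapproved uploads came from devices the IT team does not manage, which is where visibility is lowest.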
It is important to educate employees about the risks of Shadow IT. Businesses should also create a process whereby employees can easily apply to use software, devices and services, allowing IT teams to take the necessary steps to keep the business secure.
Businesses should also have a defined BYOD policy and program. This ensures that employees know what devices they are allowed to use and what devices can connect to the business’s network.
Finally, businesses should consider creating a formal digital transformation strategy. Although this will not stop all Shadow IT, it will ensure that employees have the best digital technologies to work effectively. Digital transformation can also enable businesses to gain a significant competitive advantage.