Shadow IT coves a broad spectrum but for ease, the general accepted definition is :
Shadow IT is used within organizations without approval of organization and it describes information technology systems and its solutions. Sometime, it is termed as “Stealth IT” to define solutions given by other departments rather than IT department.
Generally speaking, there is normally no malicious intent when employees adopt another system, most see it as something to help them get their job done, quite often seeing their IT departments policies as an impediment rather than an enabler.
Shadow IT is more than various devices being connected to a corporate network though; personal devices being connected are part of the problem, but so are cloud-based applications that employees and corporate guests connect to every day; these include applications such as Dropbox, Facebook and Apple iCloud.
A study by Frost & Sullivan and Intel Security found that more than 80% of respondents to the study admitted to using non-approved SaaS applications in their job. Perhaps more worryingly, 23% of respondents said that all of their security concerns were handled within the department, with IT approval. Without proper education and training, these unauthorized users could easily breach compliance regulations regarding data security.
Steps to reduce risks in Shadow IT :
Introducing an overall ban on such applications isn’t practical, and in many cases, increases the length of time to get work done, thereby increasing costs and impacting on the bottom line. Creating a fluid list of what applications can or cannot be used is important, but not nearly as important as trying to incorporate as many of those applications as possible. There are few steps are described below that can help to reduce security risks in Shadow IT.
1. Prevent Unauthorized Device Access
Perhaps the most basic protection against such risks would be to prevent unauthorized devices (personal devices for example) from connecting to the corporate network.
A smaller step could be to do the same unless the devices were pre-configured with Mobile Device Management (MDM) software that could create secure links to the corporate network. If employees had a company device, there are other benefits like the ability to wipe any data in the event of the device being lost / stolen or the employee is no longer working for the organization.
2. Education and Training
Any organization concerned with shadow IT management or risk should introduce basic measures; this could be something as simple as training, or checklists to cover best practices and policies. Education is the single most effective tool to improving security, policies, and practices. Organizations could also include the use of newsletters, role-play and videos using real-life scenarios into the training environment.
As part of the training and education, the creation of lists regarding the use of sanctioned cloud services and acceptable practice or behavior should be necessary. However, these lists should be strictly adhered to, revisited regularly and be kept fluid, allowing them to be updated regularly, either on a schedule or as and when needed.
Another simple step could be the monitoring of expenses that the finance department actively looking for references relating to unauthorized applications. It will not reduce the use of these applications; it could be used to trigger other procedures, investigating these unauthorized uses further.
Secure web gateways are an excellent way to help with protection against malware and viruses, protecting the corporate network, but the use of these gateways can also include monitoring of web traffic, allowing for further analysis; traffic to and from unauthorized applications for example.
3. Minimize file occurrences
Whilst many employees understand that if a file is emailed, there will be some digital reference to it on the email server, perhaps they may not realise that other processes could also create a digital footprint or reference to the file; most enterprise printers store files sent to them on an internal disk for example. This means that there could be many instances of the supposedly secure file stored on other networks, and it is these networks that are generally less secure, meaning that unauthorized access (either from an employee or worse still, a hacker) is a very real possibility.
A simple step is to minimize the occurrences of digital copies being made, stored or transferred, or ensuring that all employees understand the risk of making such copies.
4. Implement Control Procedure
Introducing a blanket ban on all SaaS applications that do not currently fit within the enterprise guidelines is not always practical and is usually a very cost heavy process. Better to try to integrate the more popular applications within your processes rather than exclude them. However, this does require strict monitoring and control procedures; it cannot just be a free access network.
By implementing control procedures, it is possible to implement a security solution that could work for the benefit of the enterprise and the employee. There are many solutions to give a policy-based control, for example let employees access applications such as Facebook, but would then restrict access to the chat function, or would an enable secure encryption for files automatically before being uploaded to third-party applications such as Dropbox.
The use of shadow IT within an enterprise is on the increase and is set to continue in an upward trend; as ever more applications are developed, their use will be commonplace; employees often see these third party applications as a way to get their job done in a more efficient manner, usually for little cost.
Organizations should keep balance between the freedom of usage of employee’s device and the security and liability of these devices. As we seen above a completely ban on such device will not work in a positive way. Organizations should develop a policy that should let employees feel that the policy is effective and reasonable.