If you think “shadow IT” sounds cool and sophisticated, don’t be fooled. It’s just the use of unauthorized IT tools and systems within organizations. Employees often download apps on their own because they’re proactive and want to get things done. If you think that this is harmless and actually good for the organization, think again. Unvetted IT solutions bring about all sorts of risks:
- Risk to data privacy – When people download and install third-party apps behind IT’s back, IT can’t verify if such programs are actually safe to use. Some apps, especially the free ones, are media for cybercriminals to spread malware that let them steal sensitive data.
- Risk of regulatory non-compliance – Some privacy regulations such as the Health Insurance Portability and Accountability Act (HIPAA) also cover third-party vendors. If nurses regularly transmit personally identifiable information (PII) about their patients via a third-party app, and that app collates the PII and sells it without anonymizing it first, that may constitute one or more HIPAA violations. If regulators get wind of this, it may mean millions of dollars in fines for the offending healthcare provider, plus patients seeking another provider that is more careful with their PII.
- Risk of multiple compromised accounts – People tend to use the same access credentials for multiple accounts, including work-related accounts. If an employee reuses their corporate account credentials when creating an account for an unvetted app, a hacker may just obtain these credentials. Then, that hacker can access the corporate account and see potentially confidential data, or even use the account to execute fraudulent actions such as make financial transactions in that employee’s name.
Now that you know the dangers that shadow IT poses, you might grow anxious about how much risk your organization is exposed to. Don’t fret — you can bring your firm out of the danger zone by following these tips:
1. Assess the scope of the problem
Direct your managers to survey their subordinates regarding the IT tools they use. Have them observe processes that involve sensitive data and document their workflows. Surveys and direct observation will likely reveal how many unauthorized tools staff members use.
Secondly, have your IT team track network traffic. This will more precisely reveal the unvetted apps and solutions people use while they’re on your network.
2. Identify IT gaps
Shadow IT is just a symptom of a much larger problem: your current IT solutions aren’t providing your staff with everything they need to do their jobs well. Therefore, once you’ve identified the unauthorized tools and learned what staff use these for, the next step is to review your workflows:
a. If the tools already exist in the current infrastructure:
Sometimes, people just aren’t aware that what they need is already provided to them; they only need to know where it is. Or maybe they know where it is, but they just don’t know how to use it. If this is the case, then you’ll need to provide training so that people won’t have to use shadow IT.
b. If current IT infrastructure has gaps:
“Necessity is the mother of invention” — unfilled IT gaps may actually be opportunities for cost savings and/or innovation. To illustrate, perhaps a third-party document management system that a particular team subscribes to is actually secure, and its document digitization feature allows for much faster processing of paper documents. However, if the shadow IT solutions are unsecure, then IT must find solutions that are necessary, safe, and cost effective.
3. Discuss shadow IT with your staff
Your employees may feel that they’re only doing their jobs as well as contributing more to the bottom line by exploring new or unique productivity apps. However, everyone in your company must be made aware that shadow IT may do more harm than good. Let them know that outside the context of non-compliance with company policies or clear malicious intent, staff who implement shadow IT will not be viewed in a bad light. However, they must cease using the unvetted solutions until IT clears these, or they must replace these with solutions that IT has deemed safe for use. They must also cooperate with IT so that IT gaps may be filled as quickly as possible.
4. Implement policies that disallow shadow IT — and have a process in place that enables staff to suggest viable IT solutions
The policies will serve to guide staff on what not to do, whereas the suggestion process will serve as something they can do whenever IT gaps hinder them from being efficient and effective at their jobs.
This means that your IT team must do better at collaborating with internal stakeholders (i.e., staff) and be faster at coming up with secure solutions. Often, people adopt shadow IT because IT always says no to them or fails to identify and address their needs in a timely manner. In other words, what appears to be a tech problem at first blush may actually be a bureaucracy problem that needs a human solution first and a technology solution second.
To minimize your exposure to risks brought about by shadow IT, turn to HERO Managed Services LLC. And if you’re relying more and more on IT solutions, perhaps you’re ready to take on managed IT services. To find out, download our free eBook. And once you’re done, contact us to learn more about how we can help you build an effective, cost-efficient, and shadow-free IT infrastructure.
Leave a comment!