Shadow IT: What it is and how to mitigate it
Technology has advanced at an incredibly fast rate in the past few years. Innovations such as the computer that were once thought too expensive for personal use are in a vast majority of American homes, and the emergence of the smartphone has increased the internet’s reach even further.
It would seem that every day some new device or piece of software is making life easier for people, and while this may be good for the consumer, it poses a major risk for IT administrators. The in-office use of these kinds of technology is called shadow IT, and it’s causing some big problems for organizations all over the globe.
How is shadow IT formed?
“The issue at hand here has to do with an employee’s personal convenience.”
The issue at hand here has to do with an employee’s personal convenience. As a rule, shadow IT very often forms when a worker decides to go outside of the company-supported suite of software and hardware in order to use something he or she is more familiar with.
A good example of this would be an employee that gets fed up with a certain file storage/exchange system. They don’t know how to work this platform, so they decide to use a free service that they’ve relied on before.
While this may solve a convenience issue, this employee is now moving company information around utilizing a platform that isn’t supported by the internal IT team. This creates a gaping security vulnerability that a hacker could work to exploit.
BYOD can help foster it
An aspect that a lot of administrators don’t consider is that shadow IT doesn’t just pertain to software or digital platforms. As TechTarget contributor Margaret Rouse points out, hardware is also part of the equation.
Your employees have all kinds of personal devices that they use at home, and they bought them for good reasons. They have experience with this tech, and this can very easily translate to an increase in productivity.
In fact, the bring-your-own-device trend hinges on this exact principle. BYOD allows organizations to sidestep paying for new equipment by simply allowing workers to bring in their own gadgets. On top of that, staff members get the unique ability to complete daily responsibilities with the tech they know and love.
When done properly, this is a perfect example of a win-win scenario. However, a BYOD deployment must be implemented properly. The IT team needs to handle this transition to ensure that the devices in question are properly secured against hackers. Without some kind of security procedure on the books, companies could be looking at a data breach.
The problem is that employees very often don’t know about the risks involved here. Again, without any sort of maliciousness, they’re simply thinking of their own convenience and choose to bring in their own gadgets without clearing it with company officials. In fact, a survey from Gartner found that more than one-third of respondents were currently completing work-related tasks on personal devices without telling anyone about it.
This is huge because the average person simply does not take the time to properly secure their gadgets on their own, especially considering the high standards of data security many industries need.
A consumer affairs survey found that only 8 percent of average smartphone owners had software that would allow them to delete the information contained on their phone should it be stolen. While most people would worry about the photos and other irreplaceable memories in the event of a theft, a stolen smartphone can easily turn into a major data breach should the wrong person get their hands on the gadget.
Companies must take action
Clearly, shadow IT is no laughing matter, and organizations must take decisive action in order to mitigate the risks of a data breach. So, what would this look like?
First and foremost, set up a meeting with employees to explain the consequences of their actions. As stated, it’s not that these workers are actively trying to sabotage the company. Rather, they simply don’t understand that using a personal device or outside software could cause serious harm. These people simply need to be educated about what can happen when they step outside the approved systems.
Second, to attack unlicensed BYOD directly, administrators must come up with a plan. This could include banning these gadgets outright, but doing so is nearly impossible to enforce, and completely misses all of the advantages BYOD has to offer when done correctly. A better option may be to simply work with a vendor that knows how to implement a secure system to regulate these devices.
Finally, it might be important to figure out why employees were using outside tech to begin with. Are current solutions not doing what they’re supposed to? Do you need to implement training sessions? Would it be best to simply move on to a different platform? Answer these questions and you can work to find the root of the problem.