Bringing shadow IT out of the dark
In today’s blog post, let’s shine a light on the subject of Shadow IT: what it is, why it is a risk to your data security, and how to address it in your business.
What is “Shadow IT”?
In a nutshell, Shadow IT is a term describing IT solutions or systems built and/or utilized within a workspace without the oversight and explicit approval of the organization. Shadow IT and Stealth IT are essentially interchangeable terms in this sense. The only difference is that “Shadow IT” is a blanket term for software solutions which were deployed by a department other than IT or without explicit organizational approval, whereas “Stealth IT” is a subset of Shadow IT which specifically refers to solutions deployed by non-IT departments.
So what’s the problem?
Well, Shadow IT can be a source of innovation and productivity improvements. However, Shadow IT also brings increased risk, because it lacks the oversight of a specialized IT team. Think of Shadow IT the same way you would think of self-medication. There’s a reason you should “ask your doctor if Authanvialis is right for you”, and workplace software and hardware solutions are no different. The only difference is that instead of developing a rash, you may be risking non-compliance with various legislation, as well as a breach of your network due to improper system management. How would your doctor know you’re taking “X” that wasn’t prescribed, unless you told them? The same goes for your IT department.
How can I address Shadow IT in my business?
Regardless of whether you consider this to be the job of your CSO, CIO, CEO, the head of your IT department, or Paul from accounting, it’s critical to implement and maintain a policy that protects your interests. The trick is achieving this security goal without acting like some sort of IT secret police. Here are some questions to consider:
- Do you have a formal policy in place for approving IT solutions and systems?
If Yes: Is it in line with your business model? Does it address the needs of your users and allow for innovative solutions to be found for business problems your users encounter?
If No: Consider a light-handed policy that encourages overseen and approved innovation. Heavy restriction tends to backfire for two reasons. First, users will simply not follow the approved processes because they find them too restrictive. Second, such restrictions tend to impede the forward thinking that employees would otherwise put towards improving their own productivity.
- How do you manage user access and permissions?
I’ve written an entire article on this subject alone. To summarize, though: if your users don’t need access or permissions for something, it’s probably better if they don’t have it.
- Does your approval system whitelist or blacklist software solutions?
Just like in everything else, it’s better to be inclusive rather than exclusive. With so many products on the market, it’s better and easier to build your policy around including as many options as possible. Simply put: whitelist, don’t blacklist. If you provide a list of options rather than a list of restrictions, your users will be happier and more easily kept within approved solutions.
- Do you have identity and access protection?
When your employees have innumerable accounts from their innumerable solutions and websites, the result is nothing less than chaotic. Password recycling, password sharing, sticky notes with passwords on them, and cleartext password lists can run rampant throughout your business. Secure this process by implementing a user authentication solution that offers single sign-on.
- Are there open lines of communication between your IT and non-IT staff?
Communication is always key! You will always need to gain and maintain support from your employees and their departments. Your IT department, as gatekeeper for all IT policy, is a great place to start. Gain their approval, then work through the remaining departments. Keep an ongoing dialogue with the movers and shakers in every department, and invite them to recommend or try out new solutions that are pending inclusion. Show the issues other companies have suffered, and how your new or revamped policy prevents such issues from occurring in your own business. If your users know why and how the policy works, they will be more likely to follow it.
Typically, when you encounter instances of Shadow IT, it’s just someone with the best of intentions, such as a worker trying to improve their productivity, or a tech-savvy user “improving” the security of their system. Unfortunately, the risk is rarely worth the reward. Protect your end users from themselves and consider the questions above. Here at Scorpion Software we like helping where we can. Our AuthAnvil Single Sign On is a great solution for the problem in question four, and that’s just one of the many solutions offered in our authentication suite.