A company’s greatest security risk may not be external or even malicious. It can be as simple as an employee using “shadow IT” and, without intending to, opening a gap in the organization’s security.
In short, shadow IT refers to IT services and support provided by employees outside the IT department, or to employees who deploy solutions without the IT department’s approval. At its mildest, this is an employee finding a way around the web filter to reach Facebook. At its worst, it is employees completing work tasks with untested, unapproved software and the company data that goes with it.
While this is not always negative, it can have devastating consequences when the employee does not understand the software well, or does not understand the security controls the IT department has put in place and why they exist.
According to a study by CIO INSIGHT that surveyed 300 IT workers and 300 additional line-of-business workers throughout the United States, United Kingdom, Australia and New Zealand, “more than 80 percent of both groups admit to using SaaS apps at work without IT’s approval.”
A number this high suggests that most employees engage in some form of shadow IT at work, and it points to a pressing need for controls that mitigate the associated risks.
A second survey, by OneLogin, produced startlingly high numbers even when that 80 percent figure was broken down further. Nearly 71 percent of organizations reported shadow IT within their companies. Within that group, nearly 72 percent reported that they had granted cloud app access to people outside the company, and a further 43 percent reported dangerous security practices, including keeping passwords on physical or digital sticky notes or in spreadsheets stored in services like Google Drive.
Nearly 35 percent of respondents reported letting others use their passwords for IT software and applications, and 20 percent indicated that they could still log in to company systems long after they had left the company.
How is shadow IT problematic, and how is it damaging companies?
Shadow IT can bypass security controls or lead to data leaks that IT is unable to contain, because IT does not know the data is there in the first place. It can also lead to poor resource balancing or outright inefficiency, simply because the non-IT employee cannot see the bigger picture. In a sense the employees are working “blind,” without the knowledge needed to understand why the security controls are in place. Further, it can lead to:
- Malware, spyware and viruses
- Intrusion on the network
- Software or hardware conflicts
- Data loss
- Firewall failures
- Other negative impacts
Shadow IT is damaging businesses in four distinct ways:
- It interferes with honest communication and feedback
- It provides the potential for data leaks
- It can result in poor efficiency or performance
- It reduces the potential for real innovation
When employees engage in shadow IT, the new tool or process is never evaluated as safe or unsafe. This creates an environment in which security incidents occur unnoticed and may result in loss of crucial data or privacy violations.
Further, it fosters a work environment in which employees hide their IT choices from the IT team, which limits IT’s ability to judge what resources are actually needed and can leave resources unbalanced across the entire company.
Why do employees engage in shadow IT?
According to McAfee, employees ignore the risks of shadow IT for a few very specific reasons. These typically include:
- Employees lack an understanding of SaaS policies
- Employees feel as if the policies hinder, rather than help, the company or job processes
- Employees feel that the process for getting access to new systems is too slow or too restrictive
- Employees don’t believe that security is necessary
- Employees feel that the approved software is less efficient/less appropriate than unapproved software
- Restrictions placed on company-provided software result in reduced efficiency
- Employees aren’t able to access outside systems
- Staff believe that they are responsible enough to manage security on their own by simply taking care
The belief that employees are responsible enough to manage security on their own is almost always mistaken. Unless they have real expertise in how SaaS applications handle authentication, data storage and sharing, their judgment of what is safe will not hold up to scrutiny.
How to “reinvent” shadow IT for good
While true shadow IT is almost never a positive thing, it can be “reinvented” so that employees have a say in the creation of new systems and processes. Although some believe that shadow IT is only used to circumvent work systems for pleasure, such as to reach Facebook or Twitter, this is generally not the case. Surveys show that a larger number of employees turn to tools like Google Drive or outside email because they are frustrated with the work-related systems they have been given.
This suggests that employees are usually trying to improve a process rather than to defeat a security measure. If that desire for improvement were harnessed through open communication, it could drive advances across the company.
Here are some tips on how to reinvent shadow IT.
1. Make space for open communication
By making space for open and honest communication between the IT department and frontline staff, loopholes and security issues get reported quickly instead of being kept quiet so that the workaround survives. Frontline staff also identify problems with current processes early, because they use those systems and processes every day.
Companies should give employees a clear path for bringing potentially useful software to IT’s attention so that it can be evaluated. If it is adopted, the security controls can be adjusted to allow its use without the dangers that come with unapproved use.
The same channel encourages employees to report security loopholes they have found, which makes the infrastructure more secure.
2. Use newer security software that works around shadow IT
Security software is evolving to match the needs of a more demanding employee base. With platforms like Elastica, companies can monitor for shadow IT and intervene when necessary. They can also identify better tools when employees start using them and find ways to work them into current processes more quickly, which reduces the incentive for shadow IT in the first place. Like other security products aimed at shadow IT, Elastica’s main purpose is monitoring network activity for cloud app usage and enforcing security policies on the fly.
Skyhigh is a second security product for cloud-based apps and software that claims to help manage the risk of shadow IT. According to the vendor’s YouTube video, Skyhigh gives IT staff and executives visibility into every aspect of cloud usage so that they can mitigate risks quickly.
While Skyhigh and Elastica act more like police for the data transmitted to and from a company, other solutions put barriers at each end. Some prevent applications from running unless they are on a whitelist; Arellia offers one such product. Others block data from entering or leaving based on its classification and the user’s clearance, the approach taken by data loss prevention products, where Intel and Symantec are the market leaders.
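The monitoring approach described in this section can be illustrated with a small script. The following is an added example, not code from the original article or from any of the vendors named above: it scans constructed web-proxy log lines, maps each destination to a domain, compares it against an assumed list of IT-sanctioned SaaS domains and an assumed catalogue of known SaaS products, and reports, per user, which unsanctioned apps were used and whether data was uploaded to them. The log format, the sanctioned list and the catalogue are all assumptions made for the example; a real deployment would feed it proxy or DNS logs and a maintained app catalogue.

```python
import re
from collections import defaultdict

# Constructed sample lines in an assumed Squid-style layout:
# "<unix timestamp> <client ip> <user> <method> <url>". Not real traffic.
SAMPLE_LOG = """\
1700000000.123 10.0.0.5 alice GET https://mail.corp-example.com/inbox
1700000001.456 10.0.0.5 alice POST https://api.dropbox.com/2/files/upload
1700000002.789 10.0.0.7 bob GET https://docs.google.com/spreadsheets/d/abc
1700000003.001 10.0.0.7 bob GET https://www.salesforce.com/
1700000004.002 10.0.0.9 carol PUT https://drive.google.com/upload
1700000005.003 10.0.0.9 carol GET https://evil.example.net/x
garbage line that does not parse
"""

# Hypothetical IT-approved SaaS domains (assumption for the example).
SANCTIONED = {"corp-example.com", "salesforce.com"}
# Hypothetical catalogue of known SaaS domains -> product name (assumption).
KNOWN_SAAS = {"dropbox.com": "Dropbox", "google.com": "Google Workspace", "box.com": "Box"}
# Methods that typically carry data out of the company.
UPLOAD_METHODS = {"POST", "PUT"}

LINE_RE = re.compile(r"^(?P<ts>\d+\.\d+) (?P<ip>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<url>\S+)$")
HOST_RE = re.compile(r"^[a-z][a-z0-9+.-]*://(?:[^@/]+@)?(?P<host>[^/:?#]+)", re.I)


def registrable_domain(host):
    """Reduce a hostname to its last two labels (docs.google.com -> google.com).
    Deliberately naive: production code should use the Public Suffix List so that
    names like example.co.uk are handled correctly."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def parse_line(line):
    """Return a record dict for a well-formed line, or None for anything malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    h = HOST_RE.match(m["url"])
    if not h:
        return None
    host = h["host"].lower()
    return {"user": m["user"], "host": host,
            "domain": registrable_domain(host), "method": m["method"]}


def classify(domain):
    """sanctioned: approved by IT; shadow: a known SaaS product IT did not approve;
    unknown: not in either list, worth a second look but not automatically shadow IT."""
    if domain in SANCTIONED:
        return "sanctioned"
    if domain in KNOWN_SAAS:
        return "shadow"
    return "unknown"


def find_shadow_it(log_text):
    """Scan proxy log text and summarise unsanctioned SaaS usage per user.
    Returns {"shadow": {user: {app: {"hosts": set, "uploads": int}}},
             "unknown": {user: set of domains}, "unparsed": count}."""
    shadow = defaultdict(dict)
    unknown = defaultdict(set)
    unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1  # count, do not silently drop, malformed input
            continue
        verdict = classify(rec["domain"])
        if verdict == "shadow":
            app = KNOWN_SAAS[rec["domain"]]
            entry = shadow[rec["user"]].setdefault(app, {"hosts": set(), "uploads": 0})
            entry["hosts"].add(rec["host"])
            if rec["method"] in UPLOAD_METHODS:
                entry["uploads"] += 1
        elif verdict == "unknown":
            unknown[rec["user"]].add(rec["domain"])
    return {"shadow": dict(shadow), "unknown": dict(unknown), "unparsed": unparsed}


if __name__ == "__main__":
    report = find_shadow_it(SAMPLE_LOG)
    for user, apps in sorted(report["shadow"].items()):
        for app, info in sorted(apps.items()):
            print(f"{user}: {app} via {sorted(info['hosts'])}, uploads={info['uploads']}")
    for user, domains in sorted(report["unknown"].items()):
        print(f"{user}: unknown destinations {sorted(domains)}")
    print(f"unparsed lines: {report['unparsed']}")
```

The distinction between "shadow" and "unknown" matters in practice: flagging every unrecognised domain as shadow IT buries the analyst in noise, while the known-SaaS catalogue is where commercial CASB products add most of their value. The upload count is the signal to act on first, since a read-only visit to a document-sharing site is a far smaller exposure than a PUT of company files to it.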
3. Educate employees
There are many ways to try to prevent shadow IT, and none of them is perfect. The most effective defense against this crippling problem may simply be education. By teaching employees about the dangers of seemingly harmless loopholes, a company can hope to avoid someone making a costly mistake.
Mike Templeman is the CEO of Foxtail Marketing, a B2B SaaS digital marketing firm. He loves writing about tech and software. You can follow him on Twitter.