Prevent shadow IT
What is shadow IT?
The term shadow IT describes a developing trend in business where employees use software
and technologies for work that are neither implemented nor approved by IT, or the compliance
team. As this practice can lead to severe security issues companies should be aware of the
risk and inform themselves on how to minimize those.
“One cannot not communicate”. Paul Watzlawick made this remark, and whilst back then
he said it in another context it can be applied in today’s business world: Today we would
say “One cannot not communicate digitally.” Most communication in companies is done
electronically. Be it e-mail, file exchange, messaging, or social platforms. In the course of time
the IT environment has become ever more complex and users expectations have increased.
From private everyday communication, staff are used to means of communication that are
setting the standards for what they want to use in their business environment. If the company
fails to offer tools that live up to these expectations the users eventually turn to an alternative
that offers them what they want and need to stay productive with the least user hurdles. This
in turn leads to the use of software that isn’t compliant to the company’s security and data
protection standards – unknown by the IT department. The result is the so called shadow IT.
How shadow IT comes about
A common scenario for the rise of shadow IT is the need to exchange files: everyday someone
in the company has to exchange large files with a colleague, customer or partners. Since the
most usual method of communication is the e-mail, it’s the natural choice to also use it for
exchanging files – as attachments to a message or just as a file transfer with a short note.
Most e-mail systems however are limited to only a few megabytes per message and are
not designed to store large amounts of data. For lack of an option and under time pressure
users turn to what they know from their private life: Public cloud solutions like Dropbox,
Google Drive, or iCloud are well known, quick to get started and enabled to quickly get the file
exchange going with external communication partners. For the user their problem is quickly
fixed. For the company it can have severe consequences.
Risks of shadow IT
When employees use unauthorized software the company immediately loses control over
files that are stored on publicly available servers outside of their own infrastructure. This can
already be an infringement of laws and regulations in many industries that handle, store, and
exchange sensitive data of customers, patients, or clients. In addition many cloud services
have only rudimentary ‘one policy for all’ security so that once an account is hacked all
accounts and data are exposed – as many data breach cases have shown in recent times.
Especially with sensitive customer data and classified corporate information these consumer
grade solutions are not suitable since the files are not necessarily stored and transferred
Understanding the user
Even though employees might be used to the convenience of file sharing tools from their
private life that doesn’t mean companies have to tolerate the unsanctioned use of them.
But instead of simply outlawing them, the leadership, in cooperation with the IT department,
should ensure that secure and controlled options are available that are still as convenient to
use as a regular e-mail or privately known tools. Most employees only turn to unauthorized
tools because there is no convenient one available – SFTP, S/MIME and the like might cover
the security requirements of a company but are outdated and just too complicated for the
average business user.
Getting a solution that combines security and convenience
The needs that lie beneath the surface are to simply exchange messages and large files in an easy way and spontaneously with anyone inside or outside the company. If this is possible with a tool that is authorized by the company and even integrated in the familiar working environment, then there is no reason for the users to employ the illegitimate software. In order to adjust their IT infrastructure to these challenges and find the right solutions companies should check the following seven points:
- Ease of use: If the software is straightforward it will gain user acceptance much faster and make implementation easier.
- Readily available: A solution that is always on-hand without entry barriers, such as installations or exchange of certificates, will increase productivity.
- Suitable for all contents: Messages and files of all sorts and sizes should be exchangeable via the tool without any problems.
- Good value: A fair pricing model and no additional cost for external users and private customers of your company make the right solutions cost efficient.
- Confidential: Transport and storage have to be encrypted.
- Secure: Interfaces for antivirus scanning, data loss prevention (DLP) and archiving should be standard. Key management should be in the hands of the company.
- Adaptable to your compliance: The right software provides comprehensive logging, options for archiving, confirmation of receipt, and by this full auditability.
The world of digital communications is fast changing and the experiences of your staff in
their home lives create expectations of how things should be at work. But, in our work
places we have many more serious issues to contend with and the demands for security in
any enterprise are far more complex than for individuals.
At the same time the reality of dealing with new and emerging threats is that IT budgets are
under pressure and most enterprises simply do not want more and more complex security
solutions, actually they want fewer. Shadow IT creates an unbalanced risk for most enterprises
because of the loss of control that it brings, and so a practical alternative is required.
Give your staff a simple and manageable alternative. So what can make more sense than to
use what you have; email, we all have it and use it, it is universal. By solving the known issues
of e-mail that lead to shadow IT you can improve the user experience for all and perhaps
along the way eliminate some legacy solutions that are still consuming your IT budgets.