Prevent shadow IT

What is shadow IT?

The term shadow IT describes a developing trend in business where employees use software and technologies for work that are neither implemented nor approved by IT, or the compliance team. As this practice can lead to severe security issues companies should be aware of the risk and inform themselves on how to minimize those. “One cannot not communicate”. Paul Watzlawick made this remark, and whilst back then he said it in another context it can be applied in today’s business world: Today we would say “One cannot not communicate digitally.” Most communication in companies is done electronically. Be it e-mail, file exchange, messaging, or social platforms. In the course of time the IT environment has become ever more complex and users expectations have increased. From private everyday communication, staff are used to means of communication that are setting the standards for what they want to use in their business environment. If the company fails to offer tools that live up to these expectations the users eventually turn to an alternative that offers them what they want and need to stay productive with the least user hurdles. This in turn leads to the use of software that isn’t compliant to the company’s security and data protection standards – unknown by the IT department. The result is the so called shadow IT.  

How shadow IT comes about

A common scenario for the rise of shadow IT is the need to exchange files: everyday someone in the company has to exchange large files with a colleague, customer or partners. Since the most usual method of communication is the e-mail, it’s the natural choice to also use it for exchanging files – as attachments to a message or just as a file transfer with a short note. Most e-mail systems however are limited to only a few megabytes per message and are not designed to store large amounts of data. For lack of an option and under time pressure users turn to what they know from their private life: Public cloud solutions like Dropbox, Google Drive, or iCloud are well known, quick to get started and enabled to quickly get the file exchange going with external communication partners. For the user their problem is quickly fixed. For the company it can have severe consequences.

Risks of shadow IT

When employees use unauthorized software the company immediately loses control over files that are stored on publicly available servers outside of their own infrastructure. This can already be an infringement of laws and regulations in many industries that handle, store, and exchange sensitive data of customers, patients, or clients. In addition many cloud services have only rudimentary ‘one policy for all’ security so that once an account is hacked all accounts and data are exposed – as many data breach cases have shown in recent times. Especially with sensitive customer data and classified corporate information these consumer grade solutions are not suitable since the files are not necessarily stored and transferred encrypted.

Understanding the user

Even though employees might be used to the convenience of file sharing tools from their private life that doesn’t mean companies have to tolerate the unsanctioned use of them. But instead of simply outlawing them, the leadership, in cooperation with the IT department, should ensure that secure and controlled options are available that are still as convenient to use as a regular e-mail or privately known tools. Most employees only turn to unauthorized tools because there is no convenient one available – SFTP, S/MIME and the like might cover the security requirements of a company but are outdated and just too complicated for the average business user.

Getting a solution that combines security and convenience

The needs that lie beneath the surface are to simply exchange messages and large files in an easy way and spontaneously with anyone inside or outside the company. If this is possible with a tool that is authorized by the company and even integrated in the familiar working environment, then there is no reason for the users to employ the illegitimate software. In order to adjust their IT infrastructure to these challenges and find the right solutions companies should check the following seven points:  

• Ease of use: If the software is straightforward it will gain user acceptance much faster and make implementation easier.
• Readily available: A solution that is always on-hand without entry barriers, such as installations or exchange of certificates, will increase productivity.
• Suitable for all contents: Messages and files of all sorts and sizes should be exchangeable via the tool without any problems.
• Good value: A fair pricing model and no additional cost for external users and private customers of your company make the right solutions cost efficient.
• Confidential: Transport and storage have to be encrypted.
• Secure: Interfaces for antivirus scanning, data loss prevention (DLP) and archiving should be standard. Key management should be in the hands of the company.
• Adaptable to your compliance: The right software provides comprehensive logging, options for archiving, confirmation of receipt, and by this full auditability.

Source: Cryptshare  

Conclusion

The world of digital communications is fast changing and the experiences of your staff in their home lives create expectations of how things should be at work. But, in our work places we have many more serious issues to contend with and the demands for security in any enterprise are far more complex than for individuals. At the same time the reality of dealing with new and emerging threats is that IT budgets are under pressure and most enterprises simply do not want more and more complex security solutions, actually they want fewer. Shadow IT creates an unbalanced risk for most enterprises because of the loss of control that it brings, and so a practical alternative is required. Give your staff a simple and manageable alternative. So what can make more sense than to use what you have; email, we all have it and use it, it is universal. By solving the known issues of e-mail that lead to shadow IT you can improve the user experience for all and perhaps along the way eliminate some legacy solutions that are still consuming your IT budgets.     Applay for webinar