Shadow IT: A Primer for Business Owners

You may have heard the term shadow IT recently as you follow technology news, but it is not often defined clearly. It is an important term for business owners to understand, because failing to do so could invite major problems with their company’s data security.

According to Gartner, “Shadow IT refers to IT devices, software and services outside the ownership or control of IT organizations.” The issue has existed for some time, but was limited in scope, taking the form of employees installing small freeware or shareware applications to help them with their work tasks. It has recently seen enormous growth due to the increased availability of cloud applications and BYOD policies. The intentions of those tech-savvy employees are often benign. They are typically trying to solve a business problem with software or services that are readily available on the internet and designed for easy adoption by consumers. The problem with these attempted solutions is that they can put a company’s data and systems at considerable risk since they are not on your IT management’s radar.

Consider the following example. A company uses a legacy project management system on the company intranet. In an attempt to control costs, the IT department has held off on updating the software and tools for the system. As a result, the process of recording changes and coordinating projects is clunky and slow. A few enterprising employees decide among themselves to begin using tools like Google Drive and Trello to collaborate and manage the projects. They succeed in speeding up the turnaround time on their projects, and have increased their productivity. However, the IT department is not aware of the employees’ work on Drive and Trello, and so they cannot adequately protect the company’s proprietary data. In the course of their file sharing, a document with sensitive information is accidentally sent to an outside party, who then leaks the information on the internet. Because the employees’ file sharing is outside the jurisdiction of the network administrators, there is nothing in place to prevent the leak.

As you can see from the example above, shadow IT can begin as an earnest attempt to help the business succeed. However, because the IT decision-makers and the line-of-business employees are not on the same page, the company can end up spending a lot of money remediating the damage. Data breaches and leaks of proprietary information are on the rise. Shadow IT can raise the risk to a company’s data by bypassing the IT controls in place to protect it.

A good first step in reducing the risks of shadow IT is to strengthen the lines of communication between the IT department or IT service company and the employees and management of the business. It is best to avoid adversarial relationships where the company’s IT is seen as a roadblock to productivity, and the employees are perceived by IT management merely as a risk to be controlled. The employees should have the ability to convey their concerns about the current IT systems and suggest improvements without the fear of being scolded for it. Similarly, the IT management needs to scrutinize their own systems and practices. Are the current systems so out-of-date that they slow the progress of the company and affect the bottom line? Does IT explain not only what the security policies are, but also why they are needed for the safety and protection of the business? Fostering good communication and building a team environment instead of getting stuck in an “us vs them” mentality is key.

After good communication is established, the entire company can work with the IT management to modernize the workflow while maintaining the security of the company assets. For example, using a Dropbox for Business account instead of personal Dropbox accounts among employees allows for collaboration and ease of use, but doesn’t compromise on security since there are better controls that the IT department can utilize within the business-level product. It is possible to avoid shadow IT and have both happy, productive employees and safe and secure IT systems in place.
