The objective of this article is to bring more focus and attention to Shadow IT and how it might apply to your organization. Hopefully, it will also provide a better understanding of, and a strategic methodology for addressing, the security concerns that can surround Shadow IT activity within your organization.

Let us begin with information about Shadow IT, the pros and cons of Shadow IT, and what benchmarks have already been set to remediate this potential threat to the IT security levels within your organization.

An Introduction to Shadow IT

Shadow IT is a term that refers to information technology applications within an organization that are managed and utilized without the knowledge of that organization’s IT department. Shadow IT is also known by the terms “Stealth IT” or “Client IT”.

The risk challenge: Without controls on which IT applications or services are used, who uses them, and what limits are placed on customer data, Shadow IT can be a security disaster waiting to happen.

Shadow IT has become more prevalent in many companies as employees have increasingly turned to business-focused applications in the cloud to increase productivity.

Shadow IT can include hardware, software, web services or cloud applications that employees and/or independent contractors turn to without authorization to accomplish their tasks and projects.

Examples of such unofficial IT applications include: USB flash drives, Gmail or other online email services, data storage devices, Google Docs or other online document sharing applications, Skype or other online VoIP software, and self-developed Excel spreadsheets and macros.

The bottom line is that when your organization’s employees and/or independent contractors adopt cloud services on their own, or seek more productive or innovative computer applications that are outside the control of the organization’s IT department, there is a strong likelihood that the Information Technology and Security Control teams will find it even more difficult to do their jobs than it already is.

Finally, given the rise of Shadow IT usage (particularly within cloud computing), along with the growing number of BYOD policies now being implemented within organizations, Shadow IT appears to be here to stay.

The Pros of Shadow IT

Greater efficiency and more freedom to do their jobs rank as the primary reasons many employees and independent contractors choose to use Shadow IT. The hidden assumption is often that the platforms sanctioned by their internal IT departments are simply not getting the job done.

The Cons of Shadow IT

One of the major concerns about Shadow IT is security. 

In today’s Internet of Things (IoT) world, many of us are more connected than ever before, which creates opportunities for security threats and data breaches.

What happens if a motivated salesperson decides to download his company’s customer data to his personal mobile device, and the phone is then lost or stolen? Can your organization afford that liability?

If left unmanaged or uncontrolled, Shadow IT activities can lead to information being shared with the wrong people, with disastrous consequences, especially for organizations governed by stringent data security laws and regulations.

Another concern is that while employees or independent contractors may be using Shadow IT systems because they handle discrete tasks well, that does not necessarily mean those systems will be compatible with other core applications.

There is also the critical fact that cybersecurity incidents caused by Shadow IT can be incredibly expensive and brand damaging for organizations.


Shadow IT is here to stay.  Growing and maintaining high levels of trust and partnership can be the most practical and effective way to make a difference between organizations where employees use Shadow IT to work around the IT departments and organizations where they work together with their IT departments to deliver products and services to their customer markets on time and on budget.

If the information in this article is meaningful to your experiences, please pass it along to members of your IT department, cybersecurity and risk management teams and business continuity team members within your organization.

Of course, any comments would be appreciated as well.
