Many IT leaders expected that shadow IT usage would decrease as their organisations’ cloud strategies became more sophisticated. This was a good thing, they thought, because the ominously named practice of using unapproved applications posed a real threat to cybersecurity: Gartner predicted way back in 2016 that one third of successful enterprise attacks would be on shadow IT resources.
In fact, the opposite has happened. New waves of cloud technology have enabled new business processes, and Covid-19 has further amplified the use of unsanctioned cloud services as employees scramble to test new solutions and solve challenges amid unique working conditions. While these assets have allowed businesses to innovate, Gartner and those IT leaders weren’t wrong about shadow IT’s inherent riskiness.
Shadow IT was and continues to be a double-edged sword for businesses. In 2021, its potential risks and rewards will only grow in scale. The benefits of shadow IT for business can’t be overstated, but the person wielding it must know how to use it safely. That’s where IT can help.
Shadow IT boosts business intelligence agility – at the cost of asset vulnerability
Some organisations have attempted to weed out the use of shadow IT by tightening up governance, but this strategy isn’t usually effective. There’s a reason shadow IT inevitably crops up in enterprises: it helps people do their jobs.
But people aren’t just using shadow IT to chat with coworkers or better manage their time. Communication and workflow applications like Slack and Microsoft Teams have become commonplace, which has given IT teams more visibility into their usage. These kinds of applications also aren’t likely a major threat to enterprise security anymore – they are too well understood throughout the enterprise and by individual end users.
Employees are now turning to unsanctioned cloud services to rev up business intelligence (BI). Third-party data visualisation and SaaS platforms have become popular among individuals who need insights, fast. If an employee has to make a report for a deal happening in 48 hours, they don’t want to wait on the BI or specialist team to learn how to use the platform provided by corporate IT. If they can find outside applications to run the numbers for them, or produce the visual asset they need, they’ll use that instead.
The transfer of sensitive corporate data into third-party platforms, especially in remote environments, is where the security risks of shadow IT get serious. Recent data shows that 47% of security professionals believe home workers using shadow IT solutions is a major problem. But that doesn’t mean you should ban shadow activity on company assets completely. Your business might move a lot slower if you do.
Proactively educate employees about shadow IT risks
The best way to reap the rewards of shadow IT and prevent security disasters is to thoroughly educate users about the risks involved. That means you’ll need to talk to your employees early and often.
Draw on existing models for employee cybersecurity education to build a framework for shadow IT use best practices. Here are some protocols you should communicate to your employees:
- How to practice data hygiene
- How to watch for suspicious activity or security red flags
- How to report a data breach to IT
- How to move data from unauthorised platforms back into authorised platforms
Don’t wait for an annual employee cybersecurity training to reinforce these best practices. The very nature of shadow IT – and its increasing threat vectors – is fluid. Risks will evolve as new platforms enter the scene. Check in quarterly to evaluate employees’ technology pain points and whether they’ve used new cloud services to address them.
Create a culture of trust and transparency in your IT department
In addition to implementing a proactive education strategy, IT departments and security and compliance team members should let their peers know that they’re here to help. During your education initiative, position IT as a trusted advisor rather than a watchdog. This is a small but critical transition.
If something goes wrong, an employee’s first instinct is probably to avoid asking IT, out of fear they’ll get in trouble. This may only exacerbate the problem, as the employee won’t know how to properly mitigate the risk.
When the IT department is part of the conversation from the start, however, they can help employees better vet, assess, and manage new platforms. A resource is only “shadow” if IT doesn’t know about it. When IT is part of the selection process, it’s the best of both worlds: more technology agility and improved IT visibility and governance.
Shadow IT gives you a real-time view of what your business needs
One critical advantage of visibility into shadow IT activity is that it gives IT leaders a real-time window into what their organisation’s employees actually need to do their jobs.
Too often, strategic IT plans are disconnected from the reality of day-to-day work throughout the enterprise. Rather than thinking of shadow IT as something to control, think of it as a source for insights: shadow IT is how your employees indirectly tell you which tools they need to move your business forward.
Your employees are already leveraging shadow IT to drive innovation and agility. To help them do so securely without doing any damage, you just need to train them.