How much is Shadow IT exposing your organisation?
Shadow IT is a growing problem. According to research conducted by Cisco, an alarming 90% of CIOs worldwide are being bypassed by IT purchases and downloads of systems that end up embedded in organisational operations, unbeknown to IT.
What is Shadow IT?
Sounds a little ominous, doesn’t it? Shadow IT is hardware or software, predominantly cloud-based, that is used by staff without IT’s knowledge and with no testing or approval from IT or compliance.
It’s been described as an ‘invisible’ risk lurking in every organisation, with Gartner predicting it will be behind 1 in 3 security breaches by 2020.
Everyday examples of Shadow IT include routine activity across an organisation:
• Sharing files internally and externally to suppliers and customers via file sharing platforms (common culprits include OneDrive, Dropbox or Google Drive)
• Using personal accounts, e.g. Skype, for conference calls
• Employees using online tools from a previous job
• The Sales and Marketing team using an online CRM solution for campaign activity
With so many of these ‘normal’ activities taking place during most people’s working days, it’s no surprise that CIOs and IT teams are unaware of all the applications running in the background. Each of these applications can pose a significant risk to an organisation, whether through the accidental disclosure of sensitive data or through attackers gaining access to steal it. Many of the applications that ship with a software client are also not updated regularly after installation, which represents a potential malware risk.
“Only 7% of lost organisational data is actively hacked because an enormous 81% of data is stolen or carelessly disclosed.”
Cisco’s research revealed that CIOs could be underestimating the number of shadow applications running by a factor of 14. To quantify that in real numbers: a CIO might be aware of 51 cloud services running when in reality the figure is closer to 730.
When did Shadow IT first become a problem?
An ‘I want it now’ culture was born with the rise of easy-to-download, cloud-based applications. Employees could gain access to these applications through a web interface with no involvement from IT. Before that, employees had to wait patiently for IT to approve hardware and software after it had been tested for risks that could give someone access to the organisation’s network and data. This caused considerable end-user frustration and an unwanted drag on IT projects.
With instant access to untested (or poorly configured) cloud-based applications, that bottleneck has long been forgotten, but it has brought with it more than just a headache for IT departments.
That’s not the only Shadow IT problem
A misaligned board only fuels the overall negative impact Shadow IT has on an organisation. If IT doesn’t have ‘a seat at the boardroom table’, then risk isn’t taken seriously and IT strategy is treated as an afterthought. This can lead to clunky, over-engineered IT infrastructures and systems that become difficult to change and upgrade when necessary, stopping IT projects in their tracks.
Thankfully, it’s becoming more common for IT to have its rightful place on the Board, as more and more organisations understand how IT underpins every facet of the business, from processes to storing and backing up data. With the need for greater analytical reporting and integration, IT has all of this and more to manage, as well as the demand for easy accessibility protected by robust data security procedures.
This ever-increasing strain on IT from the rest of the business can only lead to incidents of data loss, security breaches and infrastructure failures. These events can no longer be confined to one area of the business; they now have a serious impact on the wider organisation in terms of reputational damage, escalating costs and operational downtime.
How can you manage Shadow IT?
It can be a daunting prospect to try to manage this so-called ‘invisible’ problem, but it need not be if you address the root cause of the issue. By implementing the following controls, and getting the necessary help, you can regain control:
Understand the problem
Monitor who is doing what and remove the ability for individuals to download applications without following the appropriate business procedures. Put in place appropriate web filtering to prevent access to SaaS platforms that could be used to step outside of normal practice.
Discover and manage risk
The key to any approach is to understand the risk. How well does your IT platform cater to the current (and potentially future) needs of the business? The two main drivers of Shadow IT are ‘need’ and ‘ability’: for example, file sharing between organisations (need) and using an application from a previous post to create network diagrams (ability). Understanding the needs of the business allows the IT team to provide appropriate solutions that remove the need for shadow IT, while having the right controls to detect and prevent the use of unapproved platforms and applications greatly reduces staff’s ‘ability’ to make use of it.
Lock-down any immediate risk
If something breaks company policy, then it must be blocked, and further action taken where deemed necessary. Security and acceptable use policies are a must, so employees are aware of the risks and consequences associated with their actions.
Make employees aware
Sufficient notice should be given to users of unapproved IT applications. Allow employees to justify their use and if the risk outweighs the benefit then shut down unapproved applications after sufficient warning is given. If the business decision is to continue with an application, ensure that someone at the appropriate level accepts the risk in doing so, and that the application is appropriately vetted by the security and compliance team prior to continuing.
Policies and training
You can’t expect all employees to be aware of the risk they pose to the business through their use of shadow IT applications. Setting out clear policies that are mandatory to read and providing context in the form of training can help minimise risk and provide a greater understanding that their actions have consequences.
It’s important to continually monitor the state of your network, in particular for abnormal traffic or unknown applications. Employees can also forget, so periodic reminders are a simple way to mitigate risk, as is prioritising new application authorisations so they are handled in a timely manner.
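The discovery and monitoring steps above come down to one question: which SaaS platforms are staff actually reaching, and which of those has the business sanctioned? The following is an added example (not code from the original article or from Optimising IT) that answers it from web-proxy logs. The log format, the SaaS catalogue and the sanctioned list are all constructed for illustration; a real deployment would feed in your proxy’s export and a vendor app catalogue.

```python
from urllib.parse import urlsplit

# Constructed catalogue: registrable domain -> (app name, category).
SAAS_CATALOGUE = {
    "dropbox.com": ("Dropbox", "file sharing"),
    "drive.google.com": ("Google Drive", "file sharing"),
    "onedrive.live.com": ("OneDrive (personal)", "file sharing"),
    "sharepoint.com": ("OneDrive for Business", "file sharing"),
    "skype.com": ("Skype", "conferencing"),
    "hubspot.com": ("HubSpot CRM", "CRM"),
}
# Apps the business has vetted and formally accepted the risk of.
SANCTIONED = {"OneDrive for Business"}

# Constructed proxy log: timestamp user src_ip method url status bytes
SAMPLE_LOG = """\
2024-03-04T09:12:01Z alice 10.0.0.12 POST https://files.dropbox.com/upload 200 523412
2024-03-04T09:13:40Z bob 10.0.0.17 GET https://contoso.sharepoint.com/sites/sales 200 4120
2024-03-04T09:15:02Z alice 10.0.0.12 POST https://drive.google.com/drive/upload 200 981200
2024-03-04T09:16:11Z carol 10.0.0.21 GET https://app.hubspot.com/contacts 200 2210
2024-03-04T09:17:30Z bob 10.0.0.17 GET https://www.dropbox.com/home 200 1800
2024-03-04T09:18:05Z dave 10.0.0.30 GET https://www.bbc.co.uk/news 200 50000
"""

def lookup_app(host):
    """Longest-suffix match of a hostname against the catalogue, so that
    files.dropbox.com resolves to Dropbox and unknown hosts return None."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):          # never match a bare TLD
        hit = SAAS_CATALOGUE.get(".".join(labels[i:]))
        if hit:
            return hit
    return None

def find_unsanctioned(lines):
    """Aggregate catalogued-but-unsanctioned SaaS use by app: who used it,
    how many requests, and how many bytes went out (a data-loss indicator)."""
    report = {}
    for line in lines:
        if not line.strip():
            continue
        _ts, user, _src, _method, url, _status, nbytes = line.split()
        match = lookup_app(urlsplit(url).hostname or "")
        if match is None or match[0] in SANCTIONED:
            continue
        app, category = match
        entry = report.setdefault(app, {"category": category, "users": set(),
                                        "requests": 0, "bytes": 0})
        entry["users"].add(user)
        entry["requests"] += 1
        entry["bytes"] += int(nbytes)
    return report

if __name__ == "__main__":
    for app, e in find_unsanctioned(SAMPLE_LOG.splitlines()).items():
        print(f"{app} ({e['category']}): users={sorted(e['users'])} "
              f"requests={e['requests']} bytes_out={e['bytes']}")
```

Each flagged app is a candidate for the ‘make employees aware’ step: the user list tells you who to notify, and the byte counts tell you which platforms to look at first.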
Need help controlling Shadow IT?
At Optimising IT we are continually helping our customers to proactively monitor their networks. Armed with industry-leading tools, we’re able to examine traffic, alert organisations to anything suspicious, and locate devices and applications that need locking down.
A co-sourced approach:
We can also take the strain off internal IT teams with a co-sourced offering: we resolve the incidents and requests reported by end users, which enables your team to focus on driving business-critical projects forward and, ultimately, to maintain control over shadow IT. Discover the meaningful results we have achieved for our customers with our co-sourced Managed Service.
Training also plays an important part in helping to maintain control of shadow IT and is something we have successfully implemented for our customers, wrapped up in our half-day Cyber-security awareness workshop for employees. We also offer a similar workshop for Business Leaders, helping to align your board to understand the impact a data breach can have across the business.
For more information on the other challenges CIOs and IT typically face, be sure to read our guidance on IT, Cyber and Compliance.
Contact our expert team by calling 0330 403 0011 or by filling out our contact form, and we’ll be happy to discuss your individual requirements with you.