There are many reasons why IT has security protocols in place for what users can and cannot do in the office. For many years it was enough to tell employees what they could and could not bring into the office with regard to technology. Today things aren't as simple, since many applications are based in the cloud, meaning that nothing is ever "brought in" at all, and these applications, while potentially very helpful, can also be very damaging when they are brought in with IT completely unaware. Applications that function outside the view of traditional IT are commonly referred to as Shadow IT.
The first thing to keep in mind about Shadow IT is that it can come from any department - Development, Accounting, Legal, and many others. These departments seek out solutions outside the company because they feel that the company simply can't provide the solution they need - a survey by McAfee found that 80% of respondents were using SaaS applications that weren't blessed by IT, so this can potentially be a pretty massive number of employees. In theory, this might not sound so bad - the users have a problem that they have solved on their own. However, the big problem with Shadow IT is that it is not as secure as enterprise solutions - most of these services have consumer-grade security in place, akin to an email account or a social media account like Facebook. Now think of the number of times you have heard someone complain of getting an email or social media account hacked, then think of the types of files that could be compromised because someone's Dropbox got hacked. This is precisely why Shadow IT is a problem.
Before deciding to drop the hammer, it is important to remember that there is a silver lining. As we saw above, the users have a problem that they are solving of their own accord. This means that they need this functionality, whether it is a CRM tool, the ability to work remotely, or whatever else they are doing. It also usually means that they are engaged with their work - why back up files to your own storage application if you aren't going to use them? This gives IT the opportunity to be a hero when they drop the hammer - yes, you can't use Google Drive in the office, but here is the application you can use for work to get you working at home.
Once you have determined which applications are being used (a firewall with Application Control can usually generate a report for this; if one isn't in place, then an employee survey might suffice), it is time to identify what IT can work with, what isn't so bad, and what needs to stop yesterday. This will vary from company to company - certain organizations don't have any issues with using LinkedIn during business hours, for example, and in many departments (e.g. Sales) it makes a lot of sense for employees to be engaged with that application, even if IT can't control it. But that doesn't mean that every shadow application gets a happy ending, and the ones that don't fit in the organization need to be removed from the equation. This can be done either by educating employees as to the why and following up with disciplinary action if they ignore this request, or by blocking the application entirely. The final decision will depend on your organization, though because new applications spring up so rapidly, it is generally better to educate on the types of services that are unauthorized than to block individual applications. In the file storage space alone there are dozens of apps, so blocking Dropbox will only beget usage of OneCloud; if you are blocking storage apps, it is best to inform employees that they can't use them at all, as a blanket rule.
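To make the triage step above concrete, here is an added example (not part of the original post, and not any vendor's tooling) that takes an Application Control export, aggregates usage per application, and applies a policy written by service type rather than by individual app, so a new storage service is caught without a rule for each one. The log line format, the application and category names, and the policy table are all constructed assumptions for this example.

```python
# Added example: triage a firewall Application Control export for Shadow IT.
# The log format below is constructed for this example; it is not any vendor's
# actual format, and the app, category and policy values are illustrative.
import re
from collections import defaultdict

# Constructed sample export: timestamp, user, application, category, bytes out.
SAMPLE_LOG = """\
2024-03-04T09:12:01Z user=alice app=Dropbox category=cloud-storage bytes_out=48211
2024-03-04T09:15:44Z user=bob app=Dropbox category=cloud-storage bytes_out=1032
2024-03-04T09:20:10Z user=carol app=OneCloud category=cloud-storage bytes_out=77120
2024-03-04T09:31:05Z user=dave app=LinkedIn category=social bytes_out=910
2024-03-04T09:40:33Z user=erin app=LinkedIn category=social bytes_out=2200
2024-03-04T10:02:59Z user=alice app=CorpFileShare category=cloud-storage bytes_out=500000
2024-03-04T10:11:17Z user=frank app=TrelloClone category=collaboration bytes_out=3300
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) app=(?P<app>\S+) "
    r"category=(?P<category>\S+) bytes_out=(?P<bytes_out>\d+)$"
)

# Policy expressed by service type, with named sanctioned apps carved out.
# Assumed values: a blanket ban on personal storage, social tolerated for
# departments like Sales, collaboration tools reviewed case by case.
SANCTIONED_APPS = {"CorpFileShare"}
CATEGORY_POLICY = {
    "cloud-storage": "prohibited",
    "social": "tolerated",
    "collaboration": "review",
}

def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["bytes_out"] = int(rec["bytes_out"])
            yield rec

def classify(app, category):
    """Policy verdict for one application: sanctioned apps win, then the
    category rule applies, and an unknown category defaults to 'review'."""
    if app in SANCTIONED_APPS:
        return "sanctioned"
    return CATEGORY_POLICY.get(category, "review")

def shadow_it_report(text):
    """Aggregate distinct users and outbound volume per application and attach
    the verdict. Rows are ordered so prohibited apps with the most users come
    first, which is the order IT would want to act on them."""
    users = defaultdict(set)
    volume = defaultdict(int)
    category_of = {}
    for rec in parse_log(text):
        users[rec["app"]].add(rec["user"])
        volume[rec["app"]] += rec["bytes_out"]
        category_of[rec["app"]] = rec["category"]
    rows = [
        {
            "app": app,
            "category": category_of[app],
            "users": len(u),
            "bytes_out": volume[app],
            "verdict": classify(app, category_of[app]),
        }
        for app, u in users.items()
    ]
    order = {"prohibited": 0, "review": 1, "tolerated": 2, "sanctioned": 3}
    rows.sort(key=lambda r: (order[r["verdict"]], -r["users"], r["app"]))
    return rows

if __name__ == "__main__":
    for r in shadow_it_report(SAMPLE_LOG):
        print(f"{r['verdict']:<11} {r['app']:<14} {r['category']:<14} "
              f"users={r['users']} bytes_out={r['bytes_out']}")
```

Running it lists the two personal storage apps first, with the sanctioned corporate file share last even though it is in the same category, which is the point of keeping an explicit allowlist alongside the category rule: the blanket ban on storage services does not accidentally flag the tool IT actually wants people to use.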