Lurking in the Shadows

by Lauren Johnson

Roughly 71% of your employees use applications not sanctioned by your IT department (Forbes). Every time someone plugs in a piece of hardware or downloads an application that is not supported by your internal IT team, they are fueling shadow IT. The term is defined as any hardware, application, or infrastructure that employees have put into use without the knowledge or written approval of the enterprise IT department. Why does it happen? Computer Weekly puts it simply: “When CIOs and other IT Management are unable to meet the high demand of their users, there is a rise in unauthorized IT, such as social media applications.”

That said, let’s be fair to our friends at the enterprise: many organizations have policies and guidelines in place to help introduce new technology into the corporate environment, but most of this red tape is easily bypassed by the end user. Millennials entering the workforce are arguably your most tech-savvy employees, and it’s not uncommon for them to dabble in coding for whatever side hustle they have going on. The stronger their tech acumen, the more likely it is they’ll attempt to solve the problem on their own or figure out a way around the roadblock. And even if we ignore the millennials, if the company is large enough, it’s very possible many of your users aren’t even aware these policies exist. As if that weren’t enough, the more individuals and corporations leverage the cloud, the harder data becomes to track and account for, jeopardizing the organization’s ability to know what it has and where it’s stored. According to Cisco, IT departments estimate their companies are using around 51 cloud services, when in reality they’re leveraging more than 700.

For all of these reasons, we are starting to see a shift towards general acceptance of shadow IT by internal infrastructure teams, as they opt to double down on detection, policy, and training measures. According to MyHub, more proactive IT departments are acting as internal consultants, either by directly approving platforms or even by researching possible off-the-shelf solutions themselves. By focusing on what it can control, internal IT mitigates the risk shadow IT poses to the corporation.

So what does acceptance look like? Microsoft does it well with their April 2017 release of 4 precautions the enterprise can put in place to help manage shadow IT:

  1. Find out what people are actually using
  2. Control data through granular policies
  3. Protect your data at the file level
  4. Use behavioral analytics to protect apps and data

Breaking these down: (1) By understanding what applications employees are using, the organization stands a better chance of developing a successful strategy for dealing with those apps within the corporate infrastructure. (2) Once we have a better understanding of the environment, more granular policies can be applied, like restricting certain data types or alerts. (3) Then, by controlling data at the file level, we mitigate the risk that comes with knowing data is going to be accessed through a percentage of unknown applications. (4) Finally, by implementing some form of behavioral analytics, we can identify network and user anomalies, which may be indicative of a potential data breach.
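As an added example (not from the original article or from Microsoft's guidance), precaution 1 can start from web-proxy logs: the Python below tallies traffic to hosts outside an approved list by distinct users and upload volume. The log format, host names, and allowlist are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample: "<ISO timestamp> <user> <destination host> <bytes uploaded>"
SAMPLE_LOG = """\
2024-03-04T09:12:01Z alice mail.corp-sanctioned.example 5120
2024-03-04T09:13:44Z bob files.unapproved-share.example 48211000
2024-03-04T09:15:02Z carol files.unapproved-share.example 1200
2024-03-04T09:20:37Z alice notes.side-project.example 90000
2024-03-04T09:21:10Z bob crm.corp-sanctioned.example 7700
malformed line without enough fields
2024-03-04T09:30:00Z carol chat.unapproved-share.example notanumber
"""

# Hypothetical allowlist of domains IT has approved.
SANCTIONED = {"corp-sanctioned.example"}


def is_sanctioned(host, sanctioned):
    """True if host is an approved domain or a true subdomain of one."""
    host = host.lower().rstrip(".")
    # Match on a dot boundary so "notcorp-sanctioned.example" is not approved.
    return any(host == d or host.endswith("." + d) for d in sanctioned)


def discover_unsanctioned(log_text, sanctioned):
    """Return [(host, user_count, bytes_out)] for unapproved hosts, widest use first."""
    users = defaultdict(set)
    volume = defaultdict(int)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or not fields[3].isdigit():
            continue  # skip malformed records rather than guessing
        _, user, host, sent = fields
        host = host.lower().rstrip(".")
        if is_sanctioned(host, sanctioned):
            continue
        users[host].add(user)
        volume[host] += int(sent)
    report = [(h, len(users[h]), volume[h]) for h in users]
    return sorted(report, key=lambda r: (-r[1], -r[2], r[0]))


if __name__ == "__main__":
    for host, n_users, sent in discover_unsanctioned(SAMPLE_LOG, SANCTIONED):
        print(f"{host}: {n_users} user(s), {sent} bytes uploaded")
```

Ranking by distinct users shows which unapproved services are candidates for formal review, while upload volume points at where data is leaving the environment.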

Lastly, and possibly one of the most important security measures: train all employees on a regular basis. When it comes to security, the human element is the biggest and most glaring red flag, but with the right training at the right intervals, you can turn people from liabilities into your strongest assets.