6 Steps Your Organization Must Take to Manage Your “Shadow IT” Risk
The term “Shadow IT” refers to apps and devices used at work that operate outside your company’s sanctioned policies and protocols.
Shadow IT takes many forms, like conversations on Facebook Messenger, Google Hangouts, Gmail or Skype. It can include software from Excel macros to cloud-based storage apps such as Dropbox, Google Docs and Evernote. Or collaboration spaces like Slack, Asana and Wrike. And then there are devices: USB sticks, smartphones, tablets and laptops within your network that you have no control over.
Robert J. Moore, CEO of RJMetrics, relates how companies like Slack and Dropbox craft their pricing models to encourage rapid proliferation. One day, a few of his engineers were using Slack, then all the engineers, then the whole rest of the company was using it. “We’ve reached a point of no return and paying for it was pretty much our only option.”
What are the hidden dangers of shadow IT?
When users on your network adopt apps and devices outside your control, protocols aren’t followed, systems aren’t patched, devices get infected without people knowing it and data breaches happen. As a result, confidential information can be exposed, accounts taken over, websites defaced, goods and services stolen, and precious time and money lost.
Not only that, you end up with siloed information in unknown places, data compliance gaps and missed opportunities for bulk pricing.
The obvious solution would be to crack down and forbid use of all but company-approved devices and apps. Unfortunately, that tends to slow things down, stifling productivity and innovation.
So how can you protect your business from the risks of Shadow IT?
- First, find the Shadow IT in your organization. Start with surveying your employees. Ask them what software and services they use regularly. You’d be surprised how many unauthorized tools you’ll uncover, simply because the employees don’t realize they’re practicing Shadow IT. Second, track network traffic. Using the right scanning techniques will help you identify unauthorized software and systems that are using your network.
- Cut loose the “control” mentality. It’s no longer feasible to simply ban certain apps. If you don’t give employees the software they prefer, they just start using their own. They can easily access a vast and growing variety of apps, all without your help or control.
- Recognize the delicate balance between risk and performance. Evaluate risk on a case-by-case basis. Then take control of high-risk situations and keep an eye on the rest.
- Foster open communication. Get employees involved in creating intuitive policies. You can turn them from your greatest risk to your greatest asset by leveraging their input and ownership of protective protocols. This helps maintain security while keeping practical needs for performance in mind.
- Develop a fully tested plan. Even if it’s only 70% complete, a tested plan will be far more useful when the need inevitably arises than a 100% complete plan that’s not fully tested. Most managers underestimate the confusion that occurs in the first few days following a breach. Unfortunately, that confusion can create a defensive rather than constructive atmosphere centered on discovering how, when and where the breach occurred. A comprehensive incident response plan can go a long way toward achieving a speedy resolution, and keep an otherwise manageable event from turning into a full-blown business crisis.
- Find the right balance. Focusing only on security and asset protection can drag down business performance quickly. However, balancing risk with performance enables you to maximize your return from investments in detection and response. It also helps you become more adept at adjusting as the security landscape changes. By developing your organization’s ability to recognize threats and respond effectively to incidents, you can actually take risks more confidently and drive business performance to a higher level.
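The first step above, tracking network traffic to identify unauthorized software, is the one that lends itself to a worked example. The script below is an added illustration, not code from the original article: it reads web-proxy log lines, maps each destination host to a known SaaS product, and reports every product that is not on the sanctioned list together with the users seen reaching it. The log lines, the domain-to-product catalogue and the sanctioned set are all constructed for the example; in practice you would feed it your own proxy or DNS logs and your own approved-app list.

```python
"""Inventory SaaS use from proxy logs and flag apps outside the sanctioned list.

Added example for the 'find the Shadow IT' step; the log format, domain
catalogue and sanctioned set are constructed assumptions, not from the article.
"""
import re
from collections import defaultdict

# Constructed catalogue: registrable domain -> product name. Any host equal to
# or beneath one of these domains is attributed to that product.
APP_DOMAINS = {
    "slack.com": "Slack",
    "dropbox.com": "Dropbox",
    "docs.google.com": "Google Docs",
    "hangouts.google.com": "Google Hangouts",
    "evernote.com": "Evernote",
    "asana.com": "Asana",
    "wrike.com": "Wrike",
}

# Constructed list of products the organisation has formally approved.
SANCTIONED = {"Slack", "Google Docs"}

# Constructed proxy log, one request per line:
# "<timestamp> <user> <method> <url> <status>"
SAMPLE_LOG = """\
2024-03-04T09:01:12Z alice GET https://app.slack.com/client 200
2024-03-04T09:02:40Z bob GET https://www.dropbox.com/home 200
2024-03-04T09:03:05Z carol POST https://api.asana.com/1.0/tasks 201
2024-03-04T09:04:18Z alice GET https://www.evernote.com/Home.action 200
2024-03-04T09:05:22Z dave GET https://docs.google.com/document/d/abc 200
2024-03-04T09:06:30Z bob GET https://www.dropbox.com/upload 200
2024-03-04T09:07:44Z erin GET https://wiki.example-internal.corp/home 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)
HOST_RE = re.compile(r"^[a-z][a-z0-9+.-]*://(?P<host>[^/:?#]+)", re.I)


def classify_host(host):
    """Return the product whose domain the host equals or sits beneath, else None.

    Suffixes are tried from most specific to least, so 'docs.google.com' is
    matched before a shorter 'google.com' entry would be.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in APP_DOMAINS:
            return APP_DOMAINS[candidate]
    return None


def find_shadow_it(log_text, sanctioned=SANCTIONED):
    """Return {product: sorted users} for every recognised product not in `sanctioned`.

    Malformed lines and hosts that match no catalogue entry are skipped; the
    unknown-host traffic is a separate review item, not shadow SaaS by itself.
    """
    usage = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        h = HOST_RE.match(m.group("url"))
        if not h:
            continue
        product = classify_host(h.group("host"))
        if product is None:
            continue
        usage[product].add(m.group("user"))
    return {p: sorted(u) for p, u in usage.items() if p not in sanctioned}


if __name__ == "__main__":
    for product, users in sorted(find_shadow_it(SAMPLE_LOG).items()):
        print(f"{product}: {len(users)} user(s) -> {', '.join(users)}")
```

The user count per unsanctioned product is the figure that matters for the risk-versus-performance judgement later in the list: a tool used by one person is a conversation, a tool used by half a department is a de facto standard that needs either approval or a sanctioned replacement.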