Shadow IT: a new threat to corporate IT security?
When the subject of shadow IT (also known as rogue IT) is raised, it is often associated with a negative connotation. And with good reason, as shadow IT can have damaging consequences for businesses, particularly when it comes to the security of their information systems.
However, shadow IT also reveals unmet business needs.
That's why it's important to understand exactly what shadow IT is, the dangers of this practice and the reasons for its development. In this way, IT Departments will be able to respond appropriately and reap the benefits.
Shadow IT: definition
What is shadow IT?
Shadow IT is defined as the professional use of information and communication systems without the approval of the IT department.
This fairly broad definition encompasses a wide range of practices.
Cloud applications
Thanks to considerable development over the last few years, it's easy for employees to adopt the cloud reflex... and its bundle of applications that are, on the face of it, 'free'. Document-sharing solutions such as Google Drive, or file-transfer solutions such as Wetransfer, are particularly widespread.
Spreadsheets
In the case of spreadsheets (Excel in particular), shadow IT takes the form of the deployment of macros, a programming language. If they are developed without supervision from the IT department, there is a risk of information being lost the day the employee behind the programming leaves the company.
Personal messaging
An employee sends internal documents to his personal email inbox so that he can continue to work from home? Another example of shadow IT.
Hardware
BYOD, or Bring Your Own Device, is an increasingly widespread practice. It involves using personal equipment (computers, smartphones, tablets, USB sticks, etc.) in a professional context.
Streaming platforms
Shadow IT also manifests itself in the habit of surfing entertainment platforms during working hours. Some employees, for example, enjoy working with music, and so visit sites such as Deezer or YouTube.
Social networks
LinkedIn, and even Facebook, are regularly used in the workplace for professional exchanges... but sometimes also to share documents.
Why has it developed?
The quest for performance...
According to a study by the consultancy Frost & Sullivan, over 80% of employees admit to using IT solutions without the formal agreement of their IT department. What's more, of the twenty or so applications used in companies, seven have not been approved in advance.
The shadow IT phenomenon has grown considerably over the last decade.
However, it is not the result of ill will on the part of employees. They are motivated above all by the idea of improving efficiency, without "wasting time getting approval from the IT department". Moreover, some point the finger at processes that are too long and obsolete:
It was the cumbersome processes that had been in place and used for over 25 years that created this grey area.
Le Journal du Net
... and the development of Cloud Computing
In our increasingly digital world, the use of technology has become commonplace. And it's becoming easier to do so thanks to the development of Cloud Computing and SaaS. Google Doc, Skype, Dropbox... these are just a few examples.
Employees remain Internet users, accustomed to downloading or using applications that are, a priori, free and that instantly meet their needs.
In this context, shadow IT is more of a reflex than a desire to break the rules laid down by IT Departments.
The dangers of shadow IT
Lack of compliance
Shadow IT can lead to compliance problems with certain IT standards, such as ITIL.
But above all, this practice is not very RGPD compliant. It is difficult for companies to ensure compliance with European regulations if they lack visibility over the tools used by their teams and the data that passes through them.
IT risks
Shadow IT is thought to be responsible for a large number of cyber threats to businesses, such as computer virus attacks.
The reason for this is that it is impossible for IT Departments to put in place security measures for software or hardware of which they are unaware.
Data leakage
The use of cloud-based tools can lead to data leakage that can be extremely damaging to a company. Dropbox, for example, has already revealed that over 68 million user IDs have been stolen.
Shadow IT is therefore a gateway for ill-intentioned people to access your organisation's sensitive files.
Loss of information
Shadow IT has an impact on the standardisation and interoperability of company systems. As a result, information does not circulate properly between employees, and collaboration seems compromised.
What's more, this loss of information often occurs when an employee resigns or is made redundant. If, for example, the employee was managing customer files using software or spreadsheets unfamiliar to the IT department, precious information could be lost.
Technical and operational problems
Finally, the technologies used in shadow IT can cause operational and management problems, particularly by consuming bandwidth.
When IT departments are unaware of the extent of shadow IT in their organisation, it is difficult for them to plan ahead for capacity, upgrades, etc.
The opportunities of shadow IT?
But the risks of shadow IT need to be put into perspective, since many experts agree that there are opportunities:
- time and productivity savings for employees, and by extension for IT departments,
- simplified identification of business needs by the IT Department.
By observing the type of solutions that employees spontaneously turn to, the IT Department gleans valuable information to feed its reflections on the tools to deploy, and on the possible alternatives to propose so that the whole company gains in performance... and in security!
Shadow IT: examples of how IT Departments can improve
Differentiate between bad and 'good' shadow IT
First and foremost, you need to measure what is harmless and what is harmful to the business.
In this way, you can concentrate your efforts where the risks are greatest in terms of data protection and confidentiality.
Remain attentive and responsive to employees' needs
Good communication remains one of the best ways to improve. So be attentive to employees' needs. Only they have the business knowledge to identify the tools they need as accurately as possible. And if they don't have them, they'll find them themselves.
At the same time, remain reactive and even proactive in your efforts to improve information and communication systems. In other words, prove to your teams that the IT Department should not be seen as an obstacle to the deployment of new solutions.
Propose compliant, easy-to-use alternatives
By listening to needs, the IT Department is in a position to propose tools similar to those used in shadow IT, but which nevertheless respect the company's roadmap in terms of security and compliance.
By way of illustration, the RGPD represents an opportunity to align with the regulations while taking account of business practices. For example, do your employees usually exchange files using Wetransfer, a free application that does not comply with European regulations? Then point them in the direction of an RGPD-compliant solution like LockTransfer. It's easy to use, thanks to the possibility of integrating it into your e-mail, and provides a high level of security for shared data without being perceived as a constraint for your employees. Another advantage is that the data can be hosted either in France or on your company's servers.
By offering such alternatives, your company is taking responsibility in the face of regulatory requirements, and reducing the risks of personal data leaks when shared with your ecosystem or internally.
Set up monitoring systems
Tools can be put in place to detect the presence of shadow IT within the organisation.
These technical solutions include CASBs (Cloud Access Security Brokers). Software such as Netskope, for example, provides visibility of cloud flows, enables access to sensitive information to be monitored and supports compliance with the RGPD. It also detects risky behaviour, so that users can be offered an alternative.
Raise employee awareness and provide training
Lack of awareness of the risks posed by shadow IT remains one of the main reasons for its growth. This is borne out by the fact that, according to an Entrust Datacard study, 42% of employees say they would be more inclined to integrate new tools in a more compliant way if IT departments had a clearer policy on the subject.
So take the time to make everyone in the company aware of the dangers of this practice, as well as the rules and procedures in place.
Finally, organise training in the tools approved by the IT department. Because if employees don't understand them, they won't adopt them. And if they don't adopt them, they'll look elsewhere...
Article translated from French