Before we get onto how to prevent shadow IT from putting your business at risk, we thought we’d take a moment to explain what it actually is. Shadow IT is the term used to describe IT systems and solutions that are built and utilised within an organisation without the organisation’s approval. These systems and solutions are often deployed by departments other than the IT department and therefore do not follow the same security procedures, potentially putting a business’s information at risk.
When faced with preventing shadow IT, most businesses associate it with personal devices that employees use on a ‘bring your own device’ basis. However, shadow IT can also refer to the Cloud-based applications that employees use every day like Dropbox and iCloud. Here we’ll examine the Cloud security risks of these applications and appropriate solutions for your business.
More often than not, security breaches occur as a result of employees skipping internal processes and moving corporate data to the Cloud. In the Security in the Cloud Quick Poll conducted by CSO Magazine and Symantec, 37% of respondents said they believe individual users are frequently or occasionally deploying Cloud applications and putting data in the Cloud without consulting their IT department.
Employees adopt these applications pragmatically – they have a job that needs to be done and these applications help them to do it. They’re inexpensive and can immediately meet their needs but the problem is they can negatively impact a business, as explained below.
Non-compliance – Adopting unsanctioned shadow IT applications can lead to non-compliance. According to Skyhigh Networks’ 2015 Cloud Adoption and Risk Report, there are 10,000 Cloud services available today, yet only 9.3% of them meet enterprise data, security and legal requirements.
If employees are using Cloud applications like Dropbox but haven’t checked them against your Cloud data security and regulatory compliance policy, they could be putting your company at risk of a breach, which could potentially lead to a not insignificant fine.
Sharing sensitive data – Another risk of using unsanctioned shadow IT applications is that they can reveal sensitive data to unauthorised parties. Even though most Cloud applications offer a level of security, it may not be enough to keep your sensitive data encrypted.
Damaging your reputation – If your employees are storing client data on unauthorised Cloud apps that do not appear in your policies and you experience a breach, it’s going to negatively impact your reputation. Customers aren’t going to trust you with their data and you may find it more difficult to secure new business in the future.
In order to find a solution to your shadow IT problem, you first need to understand why employees are choosing to use it. A possible reason could be that they find the applications you have permitted inadequate for their needs or too difficult to use. In this case, you will need to think about introducing better applications for your employees, eliminating the need for them to find and use their own.
Working with your employees to choose effective Cloud solutions will enable you to keep them happy, whilst also satisfying corporate data security and compliance requirements.
It’s also worth considering that your employees may not necessarily realise they’re doing something wrong by using what we know as shadow IT. Most employees won’t have this level of IT knowledge and are therefore unlikely to realise that they are putting your corporate data at risk. Whilst you don’t expect your sales staff or customer service advisors to have the same level of knowledge as your IT department, it may be worth training them on the basics. If they are aware of the dangers of shadow IT, they are much less likely to use it.
The reality is that your staff are essentially the biggest risk of Cloud security breaches, so your focus needs to be on educating them. Creating a shadow IT policy will help to minimise the instances of users deploying data and apps in the Cloud without consulting your IT department.
If your systems may be at risk from shadow IT then, in addition to the “human” solutions suggested above, we provide a range of security, scanning and control applications to help you monitor and manage aspects of shadow IT.
For example, the GFI LanGuard application has built-in vulnerability scanning that enables you to scan not only for vulnerabilities on the known parts of your network but also for devices and software that are unwanted or rogue. LanGuard has the capability to silently uninstall rogue software and to detect unwanted hardware.
WhatsUp Gold and WhatsConnected form a network monitoring and management toolset that, amongst other things, can perform complete Layer 2/3 Network Discovery to identify and plot all devices on your network. This ensures you can see exactly what’s connected to your network and deal with it accordingly.
Even portable, removable devices such as hard drives, pen drives and smartphones can be a nuisance: eating up internet bandwidth, introducing unwanted software or malware, or being used to copy corporate data. GFI EndPoint Security can help you to control and manage the USB ports of every device, block all removable devices, whitelist corporate-approved devices and apply many other permutations to prevent unauthorised use of portable devices and the dangers they pose.
If you would like to find out more about how you can detect, monitor and manage shadow IT affecting your network then please contact David Bell on 0131 603 7912 or David.Bell@grantmcgregor.co.uk
IT Security Services and Co-Managed IT Support from Grant McGregor Ltd