Shadow IT: The Risks and Possible Benefits
Techopedia defines shadow IT as a term ‘used to describe IT solutions and systems created and applied inside companies and organizations without their authorization’. These solutions and systems range from hardware such as a USB drive to cloud-based storage services, and they pose a clear threat both to a company’s cybersecurity and to its GDPR compliance.
Unauthorised data storage - If a user stores company data on unauthorised systems, such as a USB stick or a cloud-based service such as Google Drive, that data cannot be secured and monitored as it would be on company-approved systems known to the IT provider. This threatens the company’s GDPR compliance, because the company has less visibility of, and less control over, where the data is stored. On a piece of hardware such as a USB drive there is the added risk that the data is lost or exposed if the device goes missing.
BYOD - We previously wrote a post all about BYOD and the threat it poses to GDPR compliance. BYOD is now considered to fall under the umbrella of shadow IT, because the devices that are brought in sit outside the authorisation of the company’s IT provider.
Convenience IT - These are the small changes a user makes to increase their own ease of use, for example googling ways to make their machine run faster and following instructions to change the anti-virus or firewall settings so that the server runs at a higher speed. This puts the company’s security at risk, because that software is in place for a reason: even though anti-virus software can dramatically reduce the performance of a desktop, it is necessary to maintain a level of cybersecurity.
Some have argued that shadow IT can bring valuable benefits to employers, and some have gone as far as to say it should be embraced (see this article written by CIO.com). The argument is that shadow IT is a learning curve: the company’s security is made stronger by learning from the mistakes it exposes. For example, if you see an increase in applications being downloaded, you can block .exe files as a global policy so that unauthorised executables cannot be run. If employees are storing files on USB drives, you can block USB storage access on your computers. Every incident of shadow IT that is encountered can serve to make your company stronger and more cyber-secure.
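The two controls mentioned above, blocking removable storage and allowing only approved executables, can both be applied from PowerShell on a Windows machine. The script below is an added example written for this post, not code from the original article or from CIO.com. It assumes an elevated PowerShell session on a domain-joined or standalone Windows host with the AppLocker cmdlets available (Windows 10/11 Enterprise or Education, or Windows Server); the trusted directories and the sample path under Downloads are placeholders you would replace with your own. In a domain you would normally push the same settings through Group Policy rather than the local registry, but the registry values shown are the ones the policy writes.

```powershell
# Added example: hardening controls against two common shadow IT patterns.
# Run from an elevated PowerShell session. All paths below are assumptions.

# --- 1. Deny all access to removable storage devices -------------------------
# This is the registry value written by the Group Policy setting
# "All Removable Storage classes: Deny all access".
$removablePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

function Set-RemovableStorageDenied {
    if (-not (Test-Path $removablePolicy)) {
        New-Item -Path $removablePolicy -Force | Out-Null
    }
    # Deny_All = 1 blocks read, write and execute on every removable class.
    Set-ItemProperty -Path $removablePolicy -Name 'Deny_All' -Value 1 -Type DWord
}

function Test-RemovableStorageDenied {
    # Returns $true when the deny-all policy is in force, $false otherwise.
    $value = Get-ItemProperty -Path $removablePolicy -Name 'Deny_All' -ErrorAction SilentlyContinue
    return ($null -ne $value -and $value.Deny_All -eq 1)
}

# --- 2. Allow executables only from trusted locations (AppLocker) ------------
# The rules are built from the Windows and Program Files directories, so a
# user-downloaded .exe in a profile folder is not covered and is therefore denied.
# Trusted directories are an assumption; adjust them to your estate.
$trustedDirs = @('C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)')

function New-TrustedExePolicy {
    $fileInfo = foreach ($dir in $trustedDirs) {
        Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe
    }
    # Path rules for Everyone; -Optimize collapses per-file rules into folder rules.
    New-AppLockerPolicy -FileInformation $fileInfo -RuleType Path -User Everyone -Optimize
}

function Test-ExeAllowed {
    param(
        [Parameter(Mandatory)] $Policy,
        [Parameter(Mandatory)] [string] $Path
    )
    # Evaluates the policy against a file without enforcing it. The sample
    # path in the usage below is a placeholder, not a real file on the page.
    $result = Test-AppLockerPolicy -PolicyObject $Policy -Path $Path -User Everyone
    return $result.PolicyDecision
}

# --- Usage -------------------------------------------------------------------
Set-RemovableStorageDenied
"Removable storage denied: $(Test-RemovableStorageDenied)"

$policy = New-TrustedExePolicy
# Expected 'Allowed' for a system binary, 'Denied' for a file under a user profile.
"notepad.exe decision: $(Test-ExeAllowed -Policy $policy -Path 'C:\Windows\System32\notepad.exe')"
"downloaded tool decision: $(Test-ExeAllowed -Policy $policy -Path 'C:\Users\someone\Downloads\tool.exe')"

# Only after reviewing the decisions above, merge the rules into the local policy.
# AppLocker also needs the Application Identity service (AppIDSvc) running to enforce.
# Set-AppLockerPolicy -PolicyObject $policy -Merge
```

The enforcement line is left commented out on purpose: test the policy against the executables your users legitimately need first, otherwise a too-narrow path rule will block line-of-business tools and push people straight back towards workarounds, which is the shadow IT problem the post is describing.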
The most important thing, however, is to have open communication between your IT provider, management and individual users. If users have ideas to improve efficiency and productivity, either on an individual level or a company-wide level, they should be able to raise them openly. This way your company receives new ideas to consider, and reports from the ‘front line’ of the business, without the inconvenience of a security breach.
Let us know if you've had any experiences with shadow IT in your company. Did it help or hinder your security in the long run? It seems very progressive that the short-term mistakes of an employee can be seen in such a positive light, rather than as a threat to the company and a case of throwing the blame onto that employee.