An Examination of Shadow IT

First and foremost, firms must establish acceptable use and other policies, and make employees aware of them. When writing organizational policy, steps must be taken to ensure policies can be clearly understood by all employees, even those with little technical background or with limited permissions to corporate systems and data (Silic et al., 2014). With regard to Shadow IT, "white lists" of approved or supported software and services can be a helpful tool to inform users of which tools they should be using (McCarthy, as cited in Noyes, 2007).

Security policies should go beyond users' behavior and actions, and encompass product acquisition. Firms should require that technology purchases be approved by IT and purchasing before they are made. This process can help reduce spending on redundant systems and help build an inventory of in-use systems. Additionally, if the risk presented by a requested purchase is deemed to be outside of the firm's risk appetite, it can be stopped before money is spent, vulnerabilities are introduced, and data are lost. Similar policies for the use of corporate credit cards and employee reimbursement may also help reduce the level of spending on Shadow IT.

Some managers or administrators may be quick to rely on technical controls such as network traffic monitoring and removal of most users' administrative privileges to enforce policy, especially in light of a 2013 McAfee survey which showed that some employees regularly and knowingly bypass policies even when they know the actions taken will put the company at risk (Silic et al., 2014). This temptation is also amplified as employees' technical skills grow (Silic et al., 2014; Walters, 2013). Decision makers should exercise care when using these tactics, as strict controls could become counterproductive; "such policies could radically reduce the convenience of useful information sources and communication platforms, and could make employees less productive in the long run" (Noyes, 2007). While technical controls are a necessary and important part of any firm's security posture, they must be alloyed with interpersonal communication and awareness training. That is to say, no amount of hardware or software will solve HR and training problems.

While they shouldn't be used as the only means to reduce the risk of Shadow IT and Shadow Data, technical controls and systems can be valuable tools for detection and investigation. Firms need to be able to inventory, discover, and classify cloud apps, and identify how users authenticate to view the contents of these apps (Sanders, as cited in Betts, 2016). These data can help steer the direction of future legitimate purchases, identify the areas that may present undue risk to the organization, and make training and awareness sessions more effective.

As firms collect data about system use, baseline usage patterns should be established so anomalous usage can be detected and appropriately handled (Betts, 2016). For example, if a firm and its employees are based only in one city or region, systems could be configured to alert on, or outright block, activity originating outside of this geo-fenced area. Utilities and some built-in settings in cloud-based platforms are available to help control oversharing as well, by limiting who may access files via Internet-accessible links (Betts, 2016). To help mitigate the risk presented by employees' devices, mobile device management systems may be implemented on both corporate and BYOD-designated devices to ensure patches are installed and data can be remotely wiped in the event of theft.
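The two preceding paragraphs describe discovering which cloud apps users actually reach, building a per-user baseline, and then alerting on or blocking departures from it. The following is an added example illustrating that workflow in Python; it is not code from the paper or any product it cites. The log format, the user names, the approved-app "white list" (`APPROVED_APPS`), the single-country geo-fence (`GEOFENCE`) and the sample records are all constructed assumptions; a real deployment would feed it records from an identity provider, proxy, or CASB.

```python
"""Baseline-and-anomaly detection for SaaS use (added example, not from the paper).

Assumed record format: "timestamp user app country action". The allow list,
the one-country geo-fence and the sample log lines are all constructed.
"""
from collections import defaultdict

# Hypothetical "white list" of approved apps (see the policy discussion above).
APPROVED_APPS = {"corp-mail", "corp-drive", "crm"}
# Assumption: the firm and its staff operate in a single country.
GEOFENCE = {"US"}
# Recommended handling per finding: geo-fence breaches are blocked outright,
# unapproved apps and public links raise alerts, the rest go to review.
ACTIONS = {
    "outside_geofence": "block",
    "unapproved_app": "alert",
    "public_link": "alert",
    "no_baseline": "review",
    "new_app_for_user": "review",
}

# Constructed records from a "known good" week, used to build the baseline.
BASELINE_LOG = """\
2024-03-01T08:02:11Z alice corp-mail US login
2024-03-01T08:05:40Z alice corp-drive US login
2024-03-01T09:10:03Z bob corp-mail US login
2024-03-01T09:12:55Z bob crm US login
2024-03-02T08:01:30Z alice corp-mail US login
2024-03-02T08:40:12Z bob crm US login
"""
# Constructed records from a later day, to be checked against the baseline.
CURRENT_LOG = """\
2024-03-08T08:03:00Z alice corp-mail US login
2024-03-08T08:30:12Z alice dropbox-personal US share_link
2024-03-08T03:14:27Z bob corp-mail RO login
2024-03-08T09:00:44Z carol corp-drive US login
2024-03-08T09:05:01Z bob crm US login
2024-03-08T09:20:18Z alice crm US login
"""


def parse(log):
    """Parse whitespace-separated records into dicts, skipping blank lines."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, app, country, action = line.split()
        events.append({"ts": ts, "user": user, "app": app,
                       "country": country, "action": action})
    return events


def build_baseline(events):
    """Per-user sets of apps and countries observed in the baseline window."""
    baseline = defaultdict(lambda: {"apps": set(), "countries": set()})
    for e in events:
        baseline[e["user"]]["apps"].add(e["app"])
        baseline[e["user"]]["countries"].add(e["country"])
    return dict(baseline)


def detect(events, baseline, approved=APPROVED_APPS, geofence=GEOFENCE):
    """Return (user, finding, detail, action) tuples, in event order."""
    findings = []
    for e in events:
        user, app, country = e["user"], e["app"], e["country"]
        if country not in geofence:                      # outside the firm's region
            findings.append((user, "outside_geofence", f"{app} from {country}"))
        if app not in approved:                          # Shadow IT candidate
            findings.append((user, "unapproved_app", app))
        elif user not in baseline:                       # no history for this user yet
            findings.append((user, "no_baseline", app))
        elif app not in baseline[user]["apps"]:          # approved, but new for this user
            findings.append((user, "new_app_for_user", app))
        if e["action"] == "share_link":                  # possible oversharing via link
            findings.append((user, "public_link", app))
    return [(u, f, d, ACTIONS[f]) for u, f, d in findings]


if __name__ == "__main__":
    base = build_baseline(parse(BASELINE_LOG))
    for finding in detect(parse(CURRENT_LOG), base):
        print(finding)
```

Run as-is, the script flags alice's personal Dropbox upload and share link, bob's login from outside the geo-fence (the only finding mapped to "block"), carol as a user with no baseline yet, and alice's first use of the approved CRM for review. The "review" findings are deliberately not blocked: as the text above cautions, treating every departure from baseline as hostile makes the control counterproductive.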

Even if a firm has security measures in place to help mitigate risks, employees must follow the policies put in place, lest those policies lose efficacy (Puhakainen & Siponen, 2010, as cited in Silic et al., 2014). Training employees in proper practices and building security awareness is an important step toward mitigating the level of risk attributable to insider threats (Silic et al., 2014). Informing employees of the services offered by the firm's IT department may also be a way for companies to drive users toward proper channels of support and away from some Shadow IT software, such as rogue desktop utilities and the accompanying risk of Trojan applications (Silic et al., 2014). When conducting awareness training, practitioners should take into account the "metaphor of the ledger" and other motivations that drive the use of Shadow IT (Silic et al., 2017).

Access to systems must be configured appropriately using the principle of least privilege, in which each user or account is granted access only to the data necessary to perform their job duties. Taking steps to prevent the broad sharing of files can not only help prevent accidental disclosure of regulated data such as medical records, but also limit the amount of data a compromised user account can reach. As employees or contractors join and separate from the organization, effective identity management practices must be followed (Betts, 2016). Former staff members' accounts and access to virtual and physical systems should be disabled or removed as soon as possible (Betts, 2016). The use of single sign-on systems and federated credentials can help simplify the employee separation process: if an employee only needs to maintain a single set of credentials (i.e. a single username and password) to access information resources, then that access can be removed quickly and completely (Betts, 2016).

Some firms embrace the use of Shadow IT and praise it as a way to improve employees' efficiency (Silic, 2014). These firms, which are typically small- or medium-sized, will either place trust in users to find the appropriate solutions to meet their needs or, in a more moderate fashion, discuss with end users the Shadow IT they selected and find ways to implement it safely (Silic, 2014). This approach may not be suitable for all organizations, especially those that regularly handle regulated data (Walters, 2013).

The scope of Shadow IT, its costs, and its associated risks have grown significantly since the late 1990s. Because software, hardware, and cloud-based services have become increasingly accessible, affordable, and powerful for both consumer and enterprise uses, it is now easier than ever for even well-meaning insiders to put firms' and customers' data in harm's way. While the future forms of Shadow IT may not yet be defined, one thing is clear: firms must dedicate enough of their resources to security and IT services departments to help remove the temptation to use these products. These expenditures must also be paired with pro-security changes to firms' culture, starting at the top of the organizational chart. All employees must make security part of their daily duties and balance the need to get things done with the responsibility they have to protect the information with which they have been entrusted.