Understanding Shadow IT
Unauthorized software can be a major challenge for network administrators and IT departments.
Business needs and technology capabilities can change quickly. When new technologies become available or customer expectations change, it can seem very attractive to simply “download an app” to solve a pressing business problem.
This practice – called shadow IT, or rogue IT – is one of the biggest challenges facing modern IT departments. A recent survey found that dealing with shadow IT takes up about 35% of the average enterprise’s IT budget. It’s a major issue for small businesses as well: more than 60% of small business users report having accessed company data from personal devices or unauthorized applications. And because small businesses often operate their IT on a shoestring, they are more vulnerable than most to shadow IT’s negative impact on workflow, communication, regulatory compliance and network security.
Technology and business are evolving fast. Organizations need a strategy to deliver the tools employees need to stay competitive, while ensuring the security and compatibility of the business’s network and systems.
Why Shadow IT?
Sometimes users choose solutions that do more harm than good.
To do their jobs effectively, workers need the right tools. They need hardware and software, and increasingly, they need access to mobile devices. Most employers provide a variety of these tools, including a desktop or laptop, or a word processing or accounting application. Mobile devices are a bit trickier; sometimes they’re owned by the employee, other times they’re provided by the employer. Either can be authorized to access licensed software and applications that have been vetted by IT staff to ensure they meet the needs of the business securely and reliably.
But increasingly, these vetted and authorized tools aren’t the only ones employees are using. In addition to the licensed software provided by the employer, they’re using other, unauthorized applications. Sometimes these are applications that make their jobs easier, such as a phone conferencing app. Other times, it might be a weather, traffic or ride share app, or a game. Sometimes it’s a new category of device, such as a wearable or even a camera, that is flying under the radar on the organization’s network.
All of these unauthorized solutions, collectively, are called Shadow IT. It’s worth noting that Shadow IT isn’t all bad. Often, employees have selected these solutions because they provide some benefits to their ability to do their jobs. Unfortunately, they can also make your organization’s data vulnerable to loss or theft. Some poorly secured Shadow IT applications might even be used to infiltrate your network to introduce malware. And in highly regulated and sensitive industries such as law, accounting or health care, Shadow IT can lead to compliance violations when data that is required to be protected is made available to networks outside of your control.
Shadow IT creates other issues as well, such as impeding your business workflow. For instance, when employees use different phone conferencing or scheduling applications, it can transform something as simple as setting up a conference call into a logistical nightmare.
Perhaps the biggest challenge with Shadow IT, though, is the management challenge it creates for IT departments. It’s the job of your IT team – whether in-house staff or a managed service provider like Tolar Systems – to ensure the compatibility of your systems so they run efficiently, and to protect your organization’s data. In an environment where IT isn’t involved in selecting and implementing the software that your organization uses, all of these tasks are more difficult.
Unauthorized Software and Your Network
Can an organization’s data and network security really be tested by unapproved applications?
Cost used to be a prohibitive factor in the IT world, but as technology has moved from a license-based model to a cloud-based subscription model, devices and software have become less expensive, service-based, or completely free to use. Most users today are also pretty tech-savvy, and are used to downloading apps on their personal devices. So, when they discover a tool that makes them more productive or makes their job easier, they don’t see the harm in loading it onto their devices.
Unfortunately, this user-implementation can have serious side effects. Shadow IT applications typically operate outside the security strategies – such as monitoring, scheduled updates and security patches – that protect most of the other applications and devices on your network. Quite simply, if the IT department doesn’t know the solution exists, it doesn’t apply routine updates and security patches. That means that these tasks fall to the users, who tend to be a bit lax about completing them – not realizing that the majority of updates and patches to applications exist for security reasons.
Because of these factors, even seemingly-secure Shadow IT applications are more vulnerable to infiltration by cyber-criminals – making Shadow IT a major concern for IT support teams everywhere.
Protect your company from Shadow IT
Tolar Systems believes that four practices can keep your organization safe from Shadow IT. We provide all of these practices as part of our Complete Care IT managed services:
- Monitor user activity – Network monitoring tracks and assesses the threat of every action taken on your network, including what your employees upload, download, and share. Tolar Systems’ Complete Care provides 24x7 network monitoring to help keep your organization and network safe. Monitoring allows our team to block risky app activity by eliminating the “share” or “upload” features within applications, unless allowed by a network administrator.
- Educate your users – Much of the issue with Shadow IT originates with users who don’t understand the harm it can do. Educating users about Shadow IT and their responsibility to protect your business’s data as well as the need to clear any outside applications with their IT administrator can help to eliminate this problem. It’s also important to keep in mind that the role of IT isn’t simply to act as a gatekeeper to keep unauthorized applications off the network. It’s also important to stay abreast of how technology is changing each individual’s role, and to integrate solutions that make sense for both users and the network.
- Research applications – Network administrators should try to determine the possible risks an application could have, and choose secure applications diligently. If there are several Shadow IT applications that fill similar roles, choosing the one that is most comprehensive and reliable can save your organization time and money.
- Consolidate applications – Nearly all businesses need solutions that allow them to draft documents, inventory equipment, and manage finances. A solution that can handle multiple issues, such as Microsoft Office 365, makes your software (and the data it produces) significantly easier to manage.
The threat of cyber-hacking is growing, even as new applications that promise to help your employees’ business and personal lives are released every day. If you’re like most businesses, Shadow IT is one area where your organization is increasingly vulnerable. If you need help managing your organization’s systems and applications, Tolar Systems’ professional IT team can help. Contact us today.