Shadow IT: a new threat to corporate IT security?
When the subject of shadow IT (also known as rogue IT) is raised, it is often associated with a negative connotation. And with good reason, as shadow IT can have harmful consequences for companies, particularly in terms of the security of their information systems.
However, shadow IT also reveals unmet business needs.
That's why it's important to understand exactly what shadow IT is, and to be aware of its dangers and the reasons behind its development. In this way, IT Departments will be able to respond appropriately and reap the benefits.
Shadow IT: definition
What is shadow IT?
Shadow IT is defined as the use of information and communication systems for business purposes, without the approval of the IT department.
This broad definition encompasses a wide range of practices.
Cloud applications
Thanks to considerable development over the last few years, it's easy for employees to reach for the cloud reflexively... and for its bundle of supposedly "free" applications. Document-sharing solutions such as Google Drive, or file-transfer solutions such as WeTransfer, are particularly widespread.
Spreadsheets
In the case of spreadsheets (Excel in particular), shadow IT takes the form of macros, i.e. small programs embedded in the workbook. If they are developed without supervision by the IT department, there is a risk of losing information the day the employee who wrote them leaves the company.
Personal messaging
An employee who forwards internal documents to a personal mailbox in order to keep working from home is another example of shadow IT.
Hardware
BYOD, or Bring Your Own Device, is an increasingly widespread practice. It involves using personal equipment (computers, smartphones, tablets, USB sticks, etc.) in a professional context.
Streaming platforms
Shadow IT also manifests itself in the habit of surfing entertainment platforms during working hours. Some employees, for example, enjoy working with music, and therefore visit sites such as Deezer or YouTube.
Social networks
LinkedIn, and even Facebook, are regularly used in the workplace for professional exchanges... but sometimes also to share documents.
Why has it become so popular?
Search for performance...
According to a study by consulting firm Frost & Sullivan, over 80% of employees admit to using IT solutions without the formal approval of their IT department. What's more, of the twenty or so applications used in the company, seven have not been approved in advance.
The shadow IT phenomenon has grown considerably over the last decade.
However, it is not the result of ill-will on the part of employees. They are motivated above all by the idea of increasing efficiency, without "wasting time getting approval from IT". Some, moreover, point the finger at processes that are too long and obsolete:
It was these cumbersome processes, put in place and used for over 25 years, that created this grey area.
... and the development of Cloud Computing
In our increasingly digitalized world, the use of technology has become commonplace, and adopting a new tool is easy thanks to the development of Cloud Computing and SaaS. Google Docs, Skype, Dropbox... these are just a few examples.
Employees remain Internet users, accustomed to downloading or using applications that are supposedly free and that instantly meet their needs.
In this context, shadow IT is more a reflex than a desire to transgress the rules laid down by IT departments.
The dangers of shadow IT
Lack of compliance
Shadow IT can lead to compliance problems with certain IT standards, such as ITIL.
But above all, this practice sits poorly with the GDPR (RGPD). It is difficult for the company to ensure compliance with European regulations if it lacks visibility over the tools its teams use and the data that passes through them.
IT risks
Shadow IT is said to be responsible for a significant number of cyberthreats to businesses, such as malware (virus) infections.
This is because CIOs cannot implement security measures for software or hardware they do not know exists.
Data leakage
The use of cloud-based tools can lead to data leakage that is highly damaging to the company. Dropbox, for example, has already revealed the theft of over 68 million user IDs.
Shadow IT is therefore a gateway to your organization's sensitive files for ill-intentioned individuals.
Loss of information
Shadow IT undermines the standardization and interoperability of corporate systems. As a result, information doesn't circulate properly between employees, and collaboration suffers.
What's more, this loss of information often occurs when an employee resigns or is made redundant. If, for example, that employee was managing customer files in software or spreadsheets unknown to the IT department, precious information could be lost.
Technical and operational problems
Finally, the technologies used in shadow IT can cause operational and management problems, particularly by consuming bandwidth.
When IT departments are unaware of the extent of shadow IT in their organization, it is difficult for them to plan capacity, upgrades, etc., in advance.
The opportunities of shadow IT?
But the risks of shadow IT need to be put into perspective, as many experts agree that there are opportunities:
- time and productivity savings for employees, and by extension for IT departments,
- simplified identification of business needs by the IT department.
By observing which solutions employees spontaneously turn to, the IT department gleans valuable information about which tools to deploy and which alternatives to propose, so that the whole company gains in performance... and in security!
Shadow IT: examples of how IT departments can improve
Differentiate between bad and "good" shadow IT
First and foremost, you need to measure what is harmless and what is harmful to your business.
This way, you can concentrate your efforts where the risks are greatest in terms of data protection and confidentiality.
Remain attentive and responsive to employee needs
Good communication is still one of the best ways to improve. Be attentive to employees' needs. Only they have the business knowledge to identify the tools they need, and if IT doesn't provide those tools, they'll find them for themselves.
At the same time, remain responsive, and ideally proactive, in your efforts to improve information and communication systems. In other words, prove to your teams that the IT Department should not be seen as an obstacle to the deployment of new solutions.
Propose compliant, easy-to-use alternatives
By listening to needs, the IT department can offer tools that are similar to those used in shadow IT, but which nevertheless respect the company's security and compliance roadmap.
By way of illustration, the GDPR (RGPD) represents an opportunity to align with regulations while taking business uses into account. For example, are your employees accustomed to exchanging files using WeTransfer, a free application that doesn't comply with European regulations? Point them in the direction of a GDPR-compliant solution like LockTransfer. Easy to use because it can be integrated into your e-mail client, it provides a high level of security for shared data without being perceived as a constraint by your employees. Another advantage is data hosting, since data can be stored in France or on your company's servers.
By offering such alternatives, your company takes responsibility in the face of regulatory requirements, and reduces the risk of personal data leaks when shared with your ecosystem or internally.
Set up monitoring systems
Tools can be put in place to detect the presence of shadow IT within the organization.
Technical solutions include CASBs (Cloud Access Security Brokers). Software such as Netskope, for example, offers visibility over cloud traffic, allows access to sensitive information to be monitored, and supports GDPR (RGPD) compliance. It also detects risky behavior, so that users can be offered an alternative.
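As an added illustration of what such monitoring does in practice (this is example code written for this page, not code from the article and not how Netskope or any other CASB is implemented), the Python script below applies the two ideas from this section and from "Differentiate between bad and 'good' shadow IT": it matches the destination domains in a proxy log against an app catalogue, discards the applications the IT department has sanctioned, and ranks what remains by the volume of data uploaded to file-transfer, file-sharing and personal-mail services, since that is where the data-leakage risk lies. The log format, the catalogue, the sanctioned list, the 1 MiB threshold and the sample log lines are all assumptions constructed for the example.

```python
"""Toy shadow-IT detector over proxy logs (added example, not from the article)."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Illustrative SaaS catalogue (constructed): destination domain -> (app, category).
# A real CASB ships a registry of thousands of apps; this is a small stand-in.
CATALOGUE: Dict[str, Tuple[str, str]] = {
    "wetransfer.com": ("WeTransfer", "file-transfer"),
    "drive.google.com": ("Google Drive", "file-sharing"),
    "dropbox.com": ("Dropbox", "file-sharing"),
    "webmail.example.test": ("Personal webmail", "personal-mail"),
    "deezer.com": ("Deezer", "streaming"),
    "youtube.com": ("YouTube", "streaming"),
    "linkedin.com": ("LinkedIn", "social"),
    "transfer.corp.example": ("LockTransfer (corporate)", "file-transfer"),
}

# Applications the IT department has approved (constructed list).
SANCTIONED: Set[str] = {"LockTransfer (corporate)", "LinkedIn"}

# Categories where outbound volume suggests possible data leakage.
EXFIL_CATEGORIES = {"file-transfer", "file-sharing", "personal-mail"}
EXFIL_BYTES_THRESHOLD = 1 * 1024 * 1024  # 1 MiB uploaded (assumed threshold)


@dataclass
class LogEntry:
    timestamp: str
    user: str
    host: str
    bytes_out: int  # bytes sent by the client, i.e. uploads
    bytes_in: int


@dataclass
class Finding:
    app: str
    category: str
    users: Set[str] = field(default_factory=set)
    sessions: int = 0
    bytes_out: int = 0

    @property
    def risk(self) -> str:
        """Harmful vs. harmless: upload-capable categories rank higher."""
        if self.category in EXFIL_CATEGORIES:
            return "high" if self.bytes_out >= EXFIL_BYTES_THRESHOLD else "medium"
        return "low"


def parse_line(line: str) -> Optional[LogEntry]:
    """Parse 'timestamp user method host bytes_out bytes_in'; None if malformed."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, user, _method, host, out, inb = parts
    try:
        return LogEntry(ts, user, host.lower(), int(out), int(inb))
    except ValueError:
        return None


def lookup_app(host: str, catalogue=CATALOGUE) -> Optional[Tuple[str, str]]:
    """Match the host or any parent domain (www.deezer.com -> deezer.com), never a bare TLD."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in catalogue:
            return catalogue[candidate]
    return None


def detect_shadow_it(lines, catalogue=CATALOGUE, sanctioned=SANCTIONED) -> Dict[str, Finding]:
    """Aggregate unsanctioned SaaS usage per application across the log."""
    findings: Dict[str, Finding] = {}
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # skip malformed lines rather than crash the report
        hit = lookup_app(entry.host, catalogue)
        if hit is None:
            continue  # unknown destination: nothing to classify here
        app, category = hit
        if app in sanctioned:
            continue  # approved tool, not shadow IT
        f = findings.setdefault(app, Finding(app, category))
        f.users.add(entry.user)
        f.sessions += 1
        f.bytes_out += entry.bytes_out
    return findings


def report(findings: Dict[str, Finding]) -> List[str]:
    """Render findings, highest risk first, so IT can focus where it matters."""
    order = {"high": 0, "medium": 1, "low": 2}
    return [
        f"{f.risk.upper():6} {f.app:14} {f.category:14} "
        f"users={len(f.users)} sessions={f.sessions} bytes_out={f.bytes_out}"
        for f in sorted(findings.values(), key=lambda f: (order[f.risk], f.app))
    ]


# Constructed sample proxy log: one large WeTransfer upload, some streaming,
# a small Google Drive upload, sanctioned tools, an intranet host and junk.
SAMPLE_LOG = """\
2024-03-04T09:12:01 alice CONNECT wetransfer.com 5242880 1200
2024-03-04T09:15:44 alice GET www.deezer.com 300 900000
2024-03-04T09:20:10 bob CONNECT transfer.corp.example 8388608 400
2024-03-04T09:33:02 carol CONNECT drive.google.com 204800 3000
2024-03-04T10:01:55 bob GET www.linkedin.com 1500 45000
2024-03-04T10:05:12 dave CONNECT intranet.corp.example 2000 10000
this line is malformed and must be skipped
"""

if __name__ == "__main__":
    for row in report(detect_shadow_it(SAMPLE_LOG.splitlines())):
        print(row)
```

Run stand-alone, it lists WeTransfer as high risk (a 5 MiB upload to an unsanctioned transfer service), Google Drive as medium, and Deezer as low, while the corporate LockTransfer instance, LinkedIn and the intranet host produce no finding. The point of the ranking is the one made above: treat the transfer and mailbox categories first, and use the low-risk entries as a signal of unmet needs rather than as an enforcement list.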
Raise employee awareness and provide training
Lack of awareness of the risks caused by shadow IT remains one of the main reasons for its development. In fact, according to an Entrust Datacard study, 42% of employees say they would be more inclined to integrate new tools in a more compliant way if CIO policy on the subject were clearer.
So take the time to make the whole company aware not only of the dangers of this practice, but also of the rules and procedures in place.
Finally, organize training courses on the tools approved by the IT department. Because if employees don't understand them, they won't adopt them. And if they don't adopt them, they'll go elsewhere...