Shadow IT Part 1: The Hidden Threat
Updated: Nov 13, 2020
According to a recent whitepaper from Traveler’s, an international insurance provider, Market pressures often lead to information technology (IT) projects that are conducted on a “Shadow” basis – out of compliance with official company policies and without oversight from the company’s corporate IT function.
The whitepaper, “Shining a Light on Shadow IT”, discusses how employees who choose to retain unauthorized partners or build software components themselves without consulting the IT team create unnecessary risks to corporate data and trade secrets. While these Shadow methods might increase project speed, the security loopholes leave your company vulnerable to hackers and criminals.
A report from Skyhigh Networks found, “The average public-sector organization now uses 742 cloud services, which is 10-20 more than what is known by the IT department.” In my opinion, this is an overwhelming number of services that are used without formal security measures. What if you were the well-meaning employee whose unofficial software caused all private customer information to be released publicly? What do you think – is it worth the risk?
Traveler’s highlights several factors that drive Shadow IT including:
Not Enough IT Staff
IT is often overlooked during hiring phases. Budgets for salaries and training are used for sales or customer support departments, leaving the IT team overworked and overwhelmed with an excess of projects. Additionally, it is extremely difficult to find experienced people in today’s job market. Many positions require specialized technology skills like programming, data center, and Cloud knowledge. Or if your company is lucky enough to find the right candidate, budget restraints might impede the ability to offer the necessary salary. Stress to fulfill demand combined with a backlogged IT team can lead companies to skirt around important security standards, leaving data vulnerable to attack and theft.
Here’s why. Employing self-taught staff (non-technical) or 3rd party developers to build and execute software deviates from company security policies. Without the direct involvement of your IT team, compliance and privacy standards decrease. These Shadow IT projects might expedite the product to the end-user but also puts the company data at risk.
Slow Management Approval
Like the frustrations felt from a busy IT team, waiting for management to approve a program slows down production. Traveler’s references a research study by the Business Performance Innovation (BPI) Network which showed, “44% of business and technology managers cited gaining consensus and support for new technology investments as one of the biggest challenges they face.” To combat this, employees turn to Shadow IT to meet demands.
What I think: There are pros and cons to this situation. First, a company needs to remain at the forefront of innovation to stay competitive, which is difficult to accomplish when every purchase must be approved by the boss. On the other hand, it is dangerous to go “behind the company’s back” to make decisions with unchecked security flaws and that might not align with the corporate strategic plan. To eliminate Shadow IT practices, management should empower their employees to make smaller, process-type decisions while providing training about IT security and risk. This middle ground reduces approval wait time and keeps data protected.
Bring Your Own Device (BYOD)
During IT security training, staff should be educated on the risks associated with intellectual property and mobile devices. Convenience and cost savings are tempting reasons for encouraging personal device use but can lead to Shadow IT practices. For example, a nurse is charting patient health records on a desktop at the hospital during her shift but decides to finish at home to avoid extra work in the morning. After transferring the documents to her personal laptop, the files are corrupted with a virus from her home network and confidential patient data is released publicly. Besides violating HIPPA compliance laws, this nurse has cost the hospital both money and their reputation. She probably loses her job as well. Updating security solutions and virus protections on mobile devices helps reduce risk, but creating informed employees drives down Shadow IT.
Shadow IT Part 2: Light in the Darkness will discuss the risks and solutions proposed in Traveler’s “Shining a Light on Shadow IT” as well as offer opinions from the Iserv team. Look for Part 2 next week!