The dangers of shadow IT and DIY attitudes

“Just speak to IT, they’ll get to the bottom of it”. This used to be the sentence you’d hear batted around offices, factory floors and shop units any time that technology was causing a headache. But, with digital transformation entering its advanced stages and digital natives gaining a foothold in businesses, employees often feel confident and competent enough to take matters into their own hands.

This all sounds rather sinister. But in reality, we’re referring to a colleague downloading a grammar-checking plugin to their desktop, installing an instant messaging app they’ve heard will streamline project management, or making a few quick tweaks to ERP settings in the hope it’ll run a bit quicker. Although these intentions are harmless, the self-service preference isn’t without serious risk.

Why? Well, these DIY tech attempts – known as shadow IT – leave the teams responsible for implementing, monitoring and managing IT in the dark about the size and security of their technology estates. Far from being a mere irritation for those keeping track, the sprawl of unmanaged software can create major security gaps and enough problems to bring companies to their knees.

Some examples of shadow IT which may seem like standard practice are:

  • WhatsApp for business communications
  • Trello for project management
  • Slack for colleague instant messaging
  • Dropbox for document sharing
  • Skype for video meetings

And the challenge isn’t to be underestimated. A Cisco study found that in the companies surveyed, the number of cloud services in use was 25 times higher than the figure IT departments were aware of. McAfee data also suggests that 80% of workers have admitted to using cloud-based software applications at work without IT department approval. How can the experts take care of what they don’t know exists? IT teams will also struggle to meet company data security regulations and honour their responsibilities under the GDPR.

A further report predicts that during 2020, a third of commercial cyberattacks will hit shadow IT resources. Yet most businesses don’t have unified systems for monitoring the expansion of shadow IT, and cloud-based activity often fails to trigger intrusion detection mechanisms.

With the rise of cloud, accessible SaaS apps and users feeling more comfortable with IT, it’s easier than ever to download that handy piece of software. But these users often aren’t giving due consideration to the risks and consequences of side-stepping the IT professionals whose job it is to ensure IT works and is secure.

The most significant risks of shadow IT are:

  • Non-compliance fines. Unmanaged data and applications make it difficult to meet security standards demanded by regulations such as GDPR and PCI-DSS, including backup and encryption requirements.
  • Data loss. The IT department can’t back up data and applications that it’s unaware of, which poses a serious threat to business continuity.
  • Data breaches. Without knowing who has access to what, a leak or breach could easily occur and go undetected for some time. This could open a business up to legal challenges and fines.
  • Cybersecurity vulnerability. Specific security measures are needed for certain software, not to mention regular updates, patching and monitoring. Cybercriminals target typical shadow IT resources as weak spots, knowing that they often won’t be maintained to the same robust standards as IT department-approved apps.

When staff go it alone, they may also not apply the same scrutiny to downloads and installations. Malware attached to fake software could infect systems, or an insecure public cloud service could be selected for processing business-critical data.

But why does shadow IT occur in the first place? It may be that staff feel it’s quicker to just get the job done themselves, aren’t aware of policies or simply don’t appreciate the gravity of risk associated with straying into the IT department’s realm. These are our tips for controlling shadow IT in any business.

  • Educate. We don’t just mean dropping an email around the office once every quarter. Get the board involved and work shadow IT education into regular technology and cybersecurity training. This is the only way that users will understand the risks of shadow IT.
  • Review your approval process. It’s always worthwhile reviewing your current software approval process to see where the process could be streamlined. This shouldn’t be a replacement for education but showing that you’re listening to your non-IT colleagues can go a long way.
  • Communicate. Make sure that policies and guidelines are clear, easy to access and continually communicated in a manner that’s free from jargon.

Shadow IT presents the dual risk of internal data breaches and increased vulnerability to internal cyberattack. Therefore, it’s important to be acutely aware of the risks, and with a little care and engagement with your colleagues, you can pull IT into the light and never worry about dark corners again. For help consolidating your IT estate and refreshing your shadow IT training, contact Sentis on 0345 862 2930.