Shadow IT: Ignore At Your Own Risk
It’s one of those little secrets that nobody wants to talk about…
The term “Shadow IT” refers to apps and devices used at work that operate outside your company’s sanctioned policies and protocols.
Shadow IT takes many forms, like conversations on Facebook Messenger, Google Hangouts, Gmail or Skype. It can include software from Excel macros to cloud-based data storage apps such as Dropbox, Google Docs and Evernote, or collaboration spaces like Slack, Asana and Wrike. And then there are devices: USB sticks, smartphones, tablets and laptops within your network that you have no control over.
Robert J. Moore, CEO of RJMetrics, relates how companies like Slack and Dropbox craft their pricing models to encourage rapid proliferation. One day, a few of his engineers were using Slack, then all the engineers, then the whole rest of the company was using it. He said, “We reached a point of no return and paying for it was pretty much our only option.”
The hidden dangers of shadow IT
When users on your network adopt apps and devices outside your control, protocols aren’t followed, systems aren’t patched, devices get infected without anyone knowing it, and data breaches happen. As a result, confidential information can be exposed, accounts taken over, websites defaced, goods and services stolen, and precious time and money lost.
Not only that, you end up with siloed information in unknown places, data compliance issues and missed opportunities for bulk pricing.
The obvious solution would be to crack down and forbid use of all but company-approved devices and apps. Unfortunately, that tends to slow things down, stifling productivity and innovation.
Bringing your shadow IT out into the light
Obviously, burying your head in the sand won’t make the problem go away. Here’s what you can do to not only take control of the situation, but actually use it to drive innovation and agility at your company.
- Cut loose the “control” mentality. It’s no longer feasible to simply ban certain apps. If you don’t give employees the software they prefer, they may start using their own. They can easily access a vast and growing variety of apps, all without your help – or control.
- Recognize the delicate balance between risk and performance. Evaluate risk on a case-by-case basis. Then take control of high-risk situations and keep an eye on the rest.
- Foster open communication. Get employees involved in creating intuitive policies. You can turn them from your greatest risk into your greatest asset by leveraging their input and ownership of protective protocols. This helps everyone maintain security while keeping practical needs for performance in mind.
- Develop a fully tested plan. Even if it’s only 70% complete, a tested plan will be far more useful when the need inevitably arises than a 100% complete plan that’s not fully tested. Most managers underestimate the confusion that occurs in the first few days following a breach. Unfortunately, that confusion can create a defensive rather than constructive atmosphere centered on discovering how, when and where the breach occurred. A comprehensive incident response plan can go a long way toward achieving a speedy resolution, and keep an otherwise manageable event from turning into a full-blown business crisis.
Finding the right balance
Focusing only on security and asset protection can drag down business performance quickly. However, balancing risk with performance enables you to maximize your return from investments in detection and response. It also helps you become more adept at adjusting as the security landscape changes. By developing your organization’s ability to recognize threats and respond effectively to incidents, you can actually take risks more confidently and drive business performance to a higher level.
Nashville Computer can help you with this. Our proprietary Security Assessment helps you take the friction out of data protection. Contact us today at 615-645-1144 or [email protected] to take advantage of this offer (normally $297), FREE through the end of June, and put an end to Shadow IT in your organization finally and forever.