Shadow IT is an often-hidden thorn in the side of a vast number of organizations, even extending its reach to IT workers themselves. Nearly half (40%) of IT employees admit to using a device, app or other technology without first gaining approval from their department. These employees have opened a risky can of worms; by 2020, Shadow IT will be the cause of one in three security breaches at any given company.
But to mitigate the risks associated with Shadow IT, strictly preventing the use of any and all external technologies is not the answer. Employees are happier and more productive when they’re allowed to use the tools and technology, they need to get their jobs down. IT departments must strike the correct balance between innovation and security.
The Entrust Datacard Shadow IT Report 2019, “The Upside of Shadow IT: Productivity Meets IT Security,” seeks to deliver a path to the positives behind Shadow IT. Professionals across a broad variety of industries shared the current state of Shadow IT at their organizations, as well as their thoughts on root causes, ongoing concerns and potential solutions.
Shadow IT will never be fully eradicated — but that’s not a bad thing. Instead, organizations must embrace modern, seamless security processes to enable a thriving community of tech-savvy employees. Here are the most important steps for any company concerned about Shadow IT to take right now.
1. Empower Your Employees
“The Upside of Shadow IT” found a massive benefit to allowing employees to use their preferred technologies: they are more productive (97% of respondents agree), engaged (96% agree) and loyal to the company long-term (93% agree). Employees aren’t looking to actively undermine their employers — they simply want to use their favorite tools to work, collaborate and innovate to the best of their ability.
Employees who do engage with non-approved technology on the job were most likely to use Shadow IT tools for communication and collaboration; more than two-thirds (68%) of IT employees have engaged Shadow IT for these tasks. That’s a number of employers can only expect to increase as organizations hire more remote, freelance and contract employees and face-to-face meetups become less common. So instead of punishing employees for using their preferred communication tools, organizations must find a way to balance that usage with security.
How to do it:
Instead of policing employees’ preferred digital tools, companies now can rely on software that monitors for irregular activity — no matter the platform. Instead of outdated two-factor authentication, sophisticated workplaces now rely on adaptive, behavioral-based authentication solutions that analyze risk indicators to detect suspicious activity and individuals. This process takes place in the background without disrupting employees’ regular workflow.
2. Improve Your Processes
It’s likely that everyone at your organization has an idea, large or small, for how to improve the workplace. But how often do those ideas come to fruition? In IT, it’s not very frequently. Just 12% of departments follow up on all employee requests for new technologies, while 80% of employees say their companies need to be more agile when deploying suggested tech.
What’s the best way to improve these processes? For starters, ask your employees. Just under half (42%) of respondents say a clearer policy describing how employees can request technologies would help introduce new tools in a more IT-compliant way. Surely this group has thoughts on what such a policy would include. In fact, here are some IT-backed steps supported by employees who took Entrust Datacard’s survey:
- 41% say IT should address and vet requests for technology more quickly
- 40% say IT should more proactively reach out to employees to learn about tech requests
- 24% say IT should allow employees to experiment with online/cloud-based solutions without the IT department’s approval.
How to do it:
Establish and maintain a trustworthy networking environment and implement key and certificate management services that can scale to securely allow new applications and use cases. Additionally, authentication platforms should provide employees with seamless approval for these applications. To ensure security is implemented in a consistent, cross-platform manner, cloud access security brokers (CASBs) can help. CASBs sit between your on-premise infrastructure and the cloud and act as digital police.
3. Clarify Your Shadow IT Risks
You’ll never reach a point where every employee takes all your organization’s policies seriously. But they do need to understand the true risks and consequences of shadow IT instead of rolling their eyes at your cautious approach. Nearly all employees (80%) say they’re comfortable speaking up about Shadow IT concerns. But just 26% cite the fact that Shadow IT is a big issue their company needs to know about as the reason for that comfort.
Organizations must create an environment where employees understand the financial and regulatory consequences of Shadow IT to gain full buy-in on compliance. Presently, more than one-third (37%) of employees say their organization lacks clarity around the consequences of engaging with shadow IT. Meanwhile, of the 20% of respondents who say they aren’t comfortable speaking up about shadow IT, more than one-quarter (28%) say it’s because of a lack of clear process, and 18% have previously spoken up and been ignored. Those environments must change.
How to do it:
For employees to take shadow IT policies seriously, everyone in the organization, from CEOs, CISOs and CIOs on down, must respond appropriately to concerns and create appropriate training tools. Nearly three-quarters (75%) of data breaches are financially motivated, and it just takes one unprepared employee to open your company to a major loss.
While monitoring your shadow IT isn’t free, from policing employees to recovering from a breach, it’s far less expensive in the long term than turning a blind eye. Compliance that’s secure, usable and efficient is a guaranteed investment in your company’s long-term future.
Shadow IT sounds nefarious, and it does place your company at the mercy of potential security risks. But instead of wasting resources trying to stomp out shadow IT entirely, companies can create a culture of more open communication and innovation by embracing modern security solutions.
About the Author:
Mark Ruchie is vice president and chief information security officer for Entrust Datacard, which provides identity and secure issuance technologies in 150 countries. He has more than 30 years of experience in information security, including leadership roles at Optum Technology, Allina Hospitals and Clinics, KPMG and the United States Air Force, where he helped create the first European Command Network Warfare Center. Mark also shares his expertise with Code42 as a member of their Security Advisory Board.