Shadow IT is likely a new term for most of us. It refers to technology, usually software or devices, introduced and used outside the awareness or control of IT management. Almost every business is going to have some shadow IT, but it is critically important to understand the impact and risk it exposes the business to.
A common example of shadow IT is an employee installing a file sharing solution like Dropbox or Google Drive without consulting their IT department. This seemingly innocuous introduction of commonly used software may actually have serious security and compliance implications. It may contravene data sovereignty controls by storing confidential data with a foreign-based service. We also have to consider that the business now has little control over which devices this data is stored on. Is this same Dropbox account syncing to the employee’s home computer or the tablet their kids have access to? If there is a data breach, especially one involving sensitive client data, this greatly complicates assessing and containing the damage. What if the employee leaves the company?
The likelihood of such an event increases when we consider that these shadow IT services were not deployed with the security controls that the IT department applies to the rest of the company’s infrastructure. For instance, ensuring multi-factor authentication is deployed throughout your business is a giant leap forward in terms of risk reduction. However, that single shadow IT file-sharing service without multi-factor authentication activated significantly chips away at those managed security controls.
Ensuring employees have the right tools to do their job helps reduce the inclination to introduce unapproved technology. Managing and maintaining awareness of how staff may be introducing shadow IT is a critical next step in maturing your company’s data security.
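One concrete way to maintain that awareness is to check outbound proxy or DNS logs for connections to consumer file-sharing services that are not on the approved list. The script below is an added example written for this article, not code from the original post: the log format, the sample log lines and the sanctioned-service list (`files.corp.example`, `mail.corp.example`) are all constructed assumptions, and the service-domain table is a small illustrative catalogue rather than a complete one. It reports, per user and service, how many connections were made and how many bytes left the network, which is the starting point for the conversation about whether that service should be sanctioned and brought under the company’s controls (such as multi-factor authentication) or shut off.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (not real traffic).
# Format assumed for this example: "timestamp user method host:port bytes_out"
SAMPLE_LOG = """\
2024-03-01T09:12:03Z alice CONNECT files.corp.example:443 1200
2024-03-01T09:13:44Z bob CONNECT www.dropbox.com:443 48211
2024-03-01T09:14:10Z bob CONNECT content.dropboxapi.com:443 2097152
2024-03-01T09:20:31Z carol CONNECT drive.google.com:443 5120
2024-03-01T09:21:05Z alice CONNECT mail.corp.example:443 3300
2024-03-01T10:02:18Z bob CONNECT www.dropbox.com:443 750
2024-03-01T10:05:00Z dave CONNECT api.onedrive.com:443 4096
"""

# Hypothetical company-approved services; in practice this list comes from IT.
SANCTIONED = {"files.corp.example", "mail.corp.example"}

# Small illustrative catalogue of consumer file-sharing services, keyed by the
# domain (or domain suffix) they use. A real deployment would keep this
# catalogue much larger and maintain it over time.
FILE_SHARING_SERVICES = {
    "dropbox.com": "Dropbox",
    "dropboxapi.com": "Dropbox",
    "drive.google.com": "Google Drive",
    "docs.google.com": "Google Drive",
    "onedrive.com": "OneDrive",
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<method>\S+)\s+"
    r"(?P<host>[^:\s]+)(?::\d+)?\s+(?P<bytes>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m["ts"],
        "user": m["user"],
        "host": m["host"].lower(),
        "bytes": int(m["bytes"]),
    }


def classify_host(host):
    """Return the file-sharing service name for an unsanctioned host, else None."""
    if host in SANCTIONED:
        return None
    for suffix, service in FILE_SHARING_SERVICES.items():
        # Match the domain itself or any subdomain of it.
        if host == suffix or host.endswith("." + suffix):
            return service
    return None


def find_shadow_it(log_text):
    """Aggregate unsanctioned file-sharing activity per (user, service)."""
    report = defaultdict(lambda: {"connections": 0, "bytes_out": 0, "first_seen": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than failing the whole run
        service = classify_host(rec["host"])
        if service is None:
            continue
        entry = report[(rec["user"], service)]
        entry["connections"] += 1
        entry["bytes_out"] += rec["bytes"]
        if entry["first_seen"] is None:
            entry["first_seen"] = rec["ts"]
    return dict(report)


def summarize(report, upload_threshold=1024 * 1024):
    """Render the report as text lines, marking users who sent more than the threshold."""
    lines = []
    for (user, service), entry in sorted(report.items()):
        flag = " [LARGE UPLOAD]" if entry["bytes_out"] > upload_threshold else ""
        lines.append(
            f"{user}: {service} - {entry['connections']} connection(s), "
            f"{entry['bytes_out']} bytes out, first seen {entry['first_seen']}{flag}"
        )
    return lines


if __name__ == "__main__":
    for line in summarize(find_shadow_it(SAMPLE_LOG)):
        print(line)
```

The output is deliberately grouped by user and service rather than by raw hostname, because that is the level at which IT can act: talk to the person, find out what business need the tool is meeting, and either provide a sanctioned equivalent or bring the service under managed controls. The byte threshold is a simple way to prioritise which cases to look at first; a large outbound volume to an unmanaged service is exactly the case where a later breach or departure becomes hard to assess.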