Shadow IT, what is it and how to avoid its pitfalls
Shadow IT is a new term for most of us. It refers to technology, usually software or devices, introduced and used outside the awareness or control of IT management. Almost every business is going to have some shadow IT, but it is critically important to understand the impact and the risk it exposes you to.
A common example of shadow IT is when an employee installs a file sharing solution like Dropbox or Google Drive without consulting their IT department.
This seemingly innocuous introduction of a commonly used software product may have serious security and compliance implications. This form of shadow IT may contravene data sovereignty controls by storing confidential data with a foreign-based service. We also must consider that the business now has little control over which devices this data is stored on.
Is this same Dropbox account syncing to the employee’s home computer or the tablet their kids have access to? If there is a data breach, especially one containing sensitive client data, this complicates being able to assess and contain the damage. What if the employee leaves the company?
The likelihood of such an event increases when we consider that these shadow IT services were not deployed with the security controls that the IT department would apply to the rest of the company’s infrastructure. For instance, ensuring multi-factor authentication is deployed throughout your business is a giant leap forward in terms of risk reduction. However, a single shadow IT file-sharing service used without multi-factor authentication activated significantly chips away at those managed security controls.
When employees and departments deploy SaaS applications, such as Microsoft 365, it can also reduce the burden on IT help desks to take calls. However, while IT is no longer responsible for the physical infrastructure or even for managing the applications, it is still responsible for ensuring security and compliance. This puts the IT department in the position of saying “no” to employees who hope to use the cloud apps they rely on to do their jobs. Blocking access to a cloud app using the company’s firewall or web proxy seems draconian; however, for every app that is blocked, there is evidence that employees find other, less well known and potentially higher-risk services to use in its place. It is a juggling act.
Shadow IT is an invitation to hackers everywhere. Using unauthorized devices and software without IT’s approval carries a substantial number of risks that no one should take lightly.
Ensuring employees have the right tools to do their job does help reduce the inclination to introduce unapproved technology. Managing and maintaining an awareness of how staff may be introducing shadow IT is a critical next step in maturing your company’s data security.
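As an added illustration (not code from this article or from Smart Dolphins), the following Python script shows one way to maintain that awareness: it scans constructed web-proxy log lines for traffic to known cloud file-sharing services and reports any that are not on the sanctioned list. The domain map, the sanctioned set and the simplified log format are assumptions.

```python
"""Shadow IT discovery from web-proxy logs (illustrative example added to this article,
not a Smart Dolphins tool). Constructed log lines in a simplified, squid-like format:
<epoch> <user> <dest_url> <bytes_uploaded>. Domains and the sanctioned list are assumptions."""
from collections import defaultdict
from urllib.parse import urlsplit

# Known cloud file-sharing services (assumed mapping; extend it for your own environment).
FILE_SHARING = {
    "dropbox.com": "Dropbox",
    "drive.google.com": "Google Drive",
    "wetransfer.com": "WeTransfer",
    "sharepoint.com": "SharePoint (Microsoft 365)",
}
# Services IT manages (MFA enforced, device control, offboarding); anything else is shadow IT.
SANCTIONED = {"SharePoint (Microsoft 365)"}

# Constructed sample log: timestamp, user, destination URL, bytes uploaded.
SAMPLE_LOG = """\
1700000001 alice https://contoso.sharepoint.com/sites/finance/Q3.xlsx 204800
1700000002 bob https://www.dropbox.com/upload 5242880
1700000003 carol https://drive.google.com/drive/u/0/my-drive 10485760
1700000004 bob https://www.dropbox.com/home 102400
1700000005 dave https://wetransfer.com/ 78643200
1700000006 erin https://example.org/ 1024
"""

def service_for(host):
    """Map a hostname to a known file-sharing service by checking each parent domain."""
    parts = host.lower().split(".")
    for i in range(len(parts) - 1):
        name = FILE_SHARING.get(".".join(parts[i:]))
        if name:
            return name
    return None

def find_shadow_it(log_text):
    """Return {service: {"users": set, "bytes": int}} for unsanctioned file-sharing traffic."""
    findings = defaultdict(lambda: {"users": set(), "bytes": 0})
    for line in log_text.splitlines():
        _ts, user, url, nbytes = line.split()
        service = service_for(urlsplit(url).hostname or "")
        if service and service not in SANCTIONED:
            findings[service]["users"].add(user)
            findings[service]["bytes"] += int(nbytes)
    return dict(findings)

if __name__ == "__main__":
    for svc, f in sorted(find_shadow_it(SAMPLE_LOG).items()):
        print(f"{svc}: {len(f['users'])} user(s), {f['bytes'] / 2**20:.1f} MiB uploaded")
```

The per-service user count and upload volume tell IT which unsanctioned tools are actually in use, which is the starting point for either onboarding them under managed controls or offering a sanctioned alternative.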
Unauthorized access to data
A primary audit control issue is ensuring that only authorized users can access IT systems and resources. Many different controls and technologies are available to ensure compliance with regulations and standards. However, if unauthorized access to systems is occurring, the risks of data loss, damage to applications, theft of information and introduction of malware all rise.
Regulated organizations that are under close government scrutiny, such as financial institutions, ministries of health and utility companies, cannot afford to disrupt their compliance with regulations. Shadow IT activities can inadvertently create problems, such as system failures, that result in out-of-compliance conditions. In situations where compliance is regularly monitored and reported, shadow IT activities could create noncompliant conditions that, if discovered, could result in fines and even litigation.
The most important IT operations issue today is dealing with cybersecurity breaches. Again, because shadow IT activities may involve unauthorized systems, security gaps such as holes in firewall rules could open up. Internal shadow IT activities could also undermine existing security software, such as virus detection, or security equipment, such as intrusion detection systems.
What is a virtual chief information officer?
A virtual chief information officer (vCIO) is a dedicated resource who serves as a business liaison and advisor and who also happens to have a broad base of technical knowledge. Their primary role is to formulate strategic IT goals for your company, and then to manage an IT strategy and budget that meets your IT and business goals.
Smart Dolphins also employs the valuable virtual IT manager (vITM), the technical eyes and ears of your business for the vCIO. While all 20-plus technical people contribute to the well-being of all Smart Dolphins clients, it is the vCIO, the vITM and our help desk coordinator who are at the centre of the relationship.
Smart Dolphins clients consider the POD a partner, a natural extension of their business: their own IT department.
Technology is complex and it changes fast.
Most companies have a challenging time keeping up with their core business challenges, let alone managing their technology well. Even small IT teams may be overwhelmed trying to keep systems and operations running, let alone do any strategic planning.
Many companies are stuck continuing to maintain outdated technology that is hindering performance. The goal is to leverage technology to increase revenue and productivity.
About Smart Dolphins IT Solutions
Smart Dolphins IT Solutions is a managed service provider (MSP) that has been ranked globally among tens of thousands of other MSPs. The company is a multi-time Great Place to Work Canada award winner.
With two-dozen technical dolphins, and a focus on education and training, everything the company does is built on the foundation of planning. The proactive teams assigned to each client smartly craft well-researched IT roadmaps with a long, medium, short, and immediate-term perspective on guiding the relationship and each client’s specific IT future.
Over the past two decades, Smart Dolphins has been helping small and mid-size organizations drive efficiency and productivity by ensuring that their systems are fast, secure, and reliable. During this time, the company has fine-tuned a special process of auditing and aligning clients with world-class standards and best practices.