There is a technology movement operating behind the scenes in companies across the world. Numerous employees have engaged in activities that many employers don’t realize are putting their businesses at risk. Though malicious intent may not have been the reason for an employee’s actions, the result is the same: the “Shadow IT” movement has gained another loyal follower.
According to Wikipedia, Shadow IT is the term used to describe technology projects implemented within an organization outside of (and likely without the knowledge of) the Information Technology (IT) department. Let’s take an example to illustrate how easily Shadow IT can begin in your workplace.
Meet Stephen, Shadow IT Convert
Stephen works in Sales for XYZ, Inc. from his home office when he is not visiting customers. His responsibilities include assisting with quotes based on customer specifications, retaining existing customers, updating forecasts for future revenue, and entering data in a CRM. The company requires customer specifications to be stored in a specific place on its servers, and for remote workers like Stephen the connection used to access these files is slow, making his job duties very time consuming. He’s frustrated that his productivity isn’t what it could be because files take so long to open. Wait a minute! Stephen uses Dropbox to store his personal pictures and files. He could start using Dropbox to store all the customer specifications and have them at his fingertips wherever he may be.
And so, Stephen makes the decision to use Dropbox to store company data. With this newfound convenience, he begins to store not just customer specifications but all of his work documents there. He also tells the other members of the sales team, and the Shadow IT movement grows yet again. Then, after one year of service to the company, Stephen accepts a job elsewhere.
The Value of Corporate Data
The lifeblood of any company is its data. This data is used by employees daily and, depending on requirements, may need to be available to customers or vendors. Financial statements, trade secrets, contracts, customer lists, payroll info and personal healthcare information are just a few examples of what corporate data could encompass at any given company. It’s one thing to make the data available, but determining where the data is stored, how it will be accessed, how the company can avoid data loss, and implementing proper access controls are equally important components in the planning process. Business leaders must take an active role in planning, but they need input and risk quantification from both the IT and HR departments. While most would agree that data must be protected from external threats such as hackers, in the case of Shadow IT, a very real threat to company data comes from within.
Lessons Learned from Stephen
Looking back at the example scenario above, it is helpful to identify the problems it contained, the risk potential for the company, and some measures that could have been taken to prevent the Shadow IT movement at XYZ, Inc. altogether.
Problem: Stephen’s inability to work efficiently was the main reason he searched for an alternate solution. We’re not told that he ever communicated this problem to his manager or to the IT department.
Risk Potential: Frustration with the tools available to do one’s job can be one of the biggest factors behind Shadow IT, causing the user to go outside acceptable channels and procedures.
- Having open lines of communication between managers and employees and with other departments is crucial to any business, and should be ingrained in the culture. Even if Stephen had told his manager of his struggles, this was a technology problem and should have been communicated to the IT department. Business leaders should build technology teams that are agile enough and receptive enough to adapt to the needs of the user base. If many employees are facing a similar technological challenge, both IT and management must be willing to try a different approach.
- Encourage employees to submit ideas for ways technology could enhance job performance and efficiency. For example, Stephen might have suggested that Sales use Dropbox to boost efficiency, and the risks as well as the benefits of using this type of technology could have been analyzed before implementation.
Problem: Stephen was using a personal cloud services account in a business environment.
Risk Potential: Business leaders may not initially see the problem here. After all, Stephen was just using a free tool at his disposal to do his job. Cloud services like Dropbox, Google Drive, Box.net, Evernote, and many others offer free personal accounts for storing data. With a personal cloud service account, the person who opened the account controls the data in it, and the cloud services vendor provides the storage space. When corporate data is moved into a personal account such as this, the company loses control of where its data is stored, how it is secured, and who has access to it, and is put at risk of violating regulatory compliance requirements such as HIPAA, PCI, or ITAR.
- Corporate technology policies exist not to strip away employee privileges, but to protect the company and its data. Leverage handbook policies to prevent corporate use of personal cloud service accounts. Make it clear that any new technology for the business (hardware, software, etc.) requires proper vetting by management, HR, and the IT department before it can be implemented.
- Cloud services are not inherently bad. But if the right solution for the business is a cloud service such as Dropbox, pay for a business plan. These plans allow the company to control who has access to the data in the account, provide auditing of transactions in the account, and provide additional security measures such as two-factor authentication and data retention that personal plans do not.
- Constantly look at every technology implementation through the lens of regulatory compliance. Even using a service such as Dropbox for Business does not by itself mean your data meets HIPAA compliance regulations, for example. In the case of Dropbox, they do provide resources to educate company leaders on how their solution can be used in a HIPAA compliant way – https://www.dropbox.com/en/help/9189. Other cloud service providers have published information on whether their solutions do or do not meet compliance regulations.
Problem: Stephen’s separation from the company resulted in a corporate data leak.
Risk Potential: Human Resources is the department we normally think of as being involved in conducting an employee termination. But part of the termination procedure is making sure that any and all employee access to company data is also terminated. The Dropbox account referenced in our example belonged to Stephen. Corporate IT can’t terminate access if they are not the ones controlling access levels for this account. On top of that, if no one knew Dropbox was installed on Stephen’s computer, how can IT even try to terminate access to Dropbox?
- HR leaders must be kept aware of the different technologies used by the business so they can properly communicate and assist the IT department in both employee onboarding and termination to minimize corporate risk. Checklists and procedures for both onboarding and termination need to be reviewed and revised regularly to adapt to corporate technology changes.
- Form a diverse committee of company leaders who can work together to create an application whitelist that lists all business software approved for use by employees of the company.
- Implement end user security restrictions based on the principle of least privilege. Leverage software inventory and filtering technologies to detect and prevent use of applications which are not part of the corporate whitelist on corporate devices. These steps could have prevented Stephen from installing Dropbox in the first place, or at least alerted someone that an unauthorized application was being used.
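As an added illustration of the inventory-versus-whitelist check described in the last two points (this is example code written for this page, not a tool from the original article or from any vendor), the script below compares a per-host software inventory export against the committee's whitelist and reports every install that is not approved. The CSV layout (host, user, application, version), the host names, the whitelist entries and the inventory rows are all constructed for the example; a real deployment would feed it the export of whatever inventory agent the company already runs.

```python
"""Flag installed applications that are not on the corporate whitelist.

Added example for the Shadow IT article. The whitelist and the inventory
export below are constructed sample data, not real hosts or real approvals.
"""
import csv
import io
import re
from collections import defaultdict

# Constructed whitelist: canonical (normalized) names the committee approved.
WHITELIST = {
    "microsoft office",
    "acme crm client",   # hypothetical in-house CRM client
    "openvpn connect",
    "google chrome",
}

# Constructed inventory export: one row per installed application per host.
INVENTORY_CSV = """\
host,user,application,version
WS-SALES-01,stephen,Microsoft Office,16.0
WS-SALES-01,stephen,Dropbox,150.4
WS-SALES-01,stephen,Acme CRM Client,3.2
WS-SALES-02,maria,Google Chrome (64-bit),120.0
WS-SALES-02,maria,Evernote,10.5
WS-IT-07,admin,OpenVPN Connect,3.4
"""


def normalize(name):
    """Canonicalize a product name so 'Google Chrome (64-bit)' matches the
    whitelist entry 'google chrome': drop parenthesized suffixes, collapse
    whitespace, lower-case."""
    name = re.sub(r"\(.*?\)", "", name)
    return re.sub(r"\s+", " ", name).strip().lower()


def parse_inventory(text):
    """Parse the CSV export into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def find_unauthorized(rows, whitelist):
    """Return {host: [(user, application, version), ...]} for every install
    whose normalized name is absent from the whitelist."""
    findings = defaultdict(list)
    for row in rows:
        if normalize(row["application"]) not in whitelist:
            findings[row["host"]].append(
                (row["user"], row["application"], row["version"])
            )
    return dict(findings)


def report(findings):
    """Render findings as one line per unauthorized install, sorted by host,
    so the output can be pasted into a ticket or fed to an alerting pipeline."""
    lines = []
    for host in sorted(findings):
        for user, app, version in findings[host]:
            lines.append(f"{host}: {app} {version} (installed for {user}) is not whitelisted")
    return lines


if __name__ == "__main__":
    for line in report(find_unauthorized(parse_inventory(INVENTORY_CSV), WHITELIST)):
        print(line)
```

Run as-is it lists the Dropbox install on WS-SALES-01 and the Evernote install on WS-SALES-02 while accepting the "(64-bit)" variant of Chrome; the normalization step matters in practice because inventory agents and installers rarely agree on exact product strings, and a whitelist compared by raw string equality produces either false alarms or silent misses.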
Preventing Shadow IT is about having the technologies in place that meet the needs of the business from both a functionality and an employee efficiency standpoint. Technology policies exist to protect the company and its data from any threat (whether internal or external). The IT department cannot create these policies alone. Successful policies are made with input from those who know the technology well (IT), those who know the employees well (HR), those who know corporate compliance regulations well (QA or Risk Management), and business leaders who know the organization well (executives).
Even in smaller organizations that may not have all the departments mentioned above, the goal is the same: protect the company’s data by minimizing risk. Shadow IT can take many forms in addition to the scenario we’ve discussed. Using personal e-mail to conduct company business, downloading seemingly legitimate productivity software from a torrent site, and using a personal device in a corporate environment are just a few examples. Are your technology policies up to date? If not, perhaps it’s time for a review.
Contact the author directly at firstname.lastname@example.org.