Ever since employees were sent home to work because of COVID-19, IT departments everywhere have been working hard to make sure that their organization’s remote workers have the tools they need to be successful at home. However, remote work and hybrid work have also caused a bit of a divide between an organization’s IT professionals, which is leading to an increase in shadow IT, or employees taking on IT-related decisions themselves.
What is Shadow IT?
According to Nigel Hawthorn, the EMEA marketing director for enterprise security software company McAfee, shadow IT is essentially any technology that has been brought in by individual users or groups and departments that hasn’t been checked and approved by the organization’s IT department.
“Perhaps it hasn’t been checked from a financial point of view, from a risk point of view, or from a security point of view,” Hawthorn says.
Examples include robust technology like videoconferencing systems or task management software for just one department, all the way down to individual things like a calendar, cloud backup, PDF converters and other things used daily.
“You haven’t thought as a user, ‘Has this been approved by IT? Have we checked that it’s safe and secure?’”
This can be a dangerous practice because if IT doesn’t have visibility into these new unsanctioned systems, the door is left open to the possibility of a cyber attack. To protect the organization from compromise, IT professionals need to vet and secure every piece of technology used on the company’s networks.
According to Hawthorn, IT departments need to know:
- What is it being used for?
- Where is the data going?
- What are the terms and conditions?
- Has it been integrated with the company’s single sign-on service?
- If someone leaves the organization, can they still access it?
- Is someone using a password for this service that they use for corporate services?
Shadow IT, Remote & Hybrid Work and COVID-19
The rapid shift to remote work is now turning into a hybrid work environment that prioritizes flexibility and encourages employees to work wherever they want, including the office. As a result, there are new demands for technology that will help facilitate these transformational changes to the way we work.
Last year, companies relied heavily on unified communications and videoconferencing solutions to sustain their business during uncertain economic times, and different solutions came with different security features and services.
“Without visibility, IT doesn’t have any control,” Hawthorn said.
Coupled with employees working on their home networks and out of the office away from IT professionals, this sets up a potentially dangerous environment that could open your organization up to significant cyber risk.
This could also have the opposite effect if IT departments block the use of legitimate, secure services, which pushes users to more dangerous and insecure services.
For example, Dropbox is a legitimate file sharing service that, according to Hawthorn, has put a lot of effort into the platform’s security and enterprise capabilities.
“By blocking it, what you are actually doing is likely pushing your users to go somewhere that is more dangerous,” Hawthorn says.
Instead, IT professionals need to come to the realization that a former shadow IT service may actually be the solution your employees need. However, this requires visibility into these issues to understand what’s going on and assess the risk. Then, IT can implement necessary controls on these services.
Gaining visibility into shadow IT in remote, hybrid work
Rather than coming down hard on the use of unsanctioned services, IT professionals should better understand why users are deviating from the path you set.
They might be seeking technology that your department has yet to bring to the company. Perhaps your department is falling short of meeting the needs of your organization.
To find out if that is the case, Hawthorn suggests taking this approach:
- Declare amnesty of sorts and ask employees why they use certain unsanctioned technologies.
- Use that information to understand what the employees’ needs are.
- Create a report on what shadow IT technology is being used and what the risks and benefits of each service are.
- Then, decide which services the IT department wants to support.
- Promote that newly sanctioned service.
- Educate the user on the new service, explain the risks of shadow IT and explain why this technology is supported over another.
- Implement security that the vendor delivers and layer your organization’s security tools on top of it.
There are also employee experience tools on the market that will give IT the insight they need about what applications are being used and which ones aren’t being used.
“It’s a way of trying to make sure that IT can gain control and allow people who work remotely to access the cloud services that they want to, but not in an unsafe manner,” Hawthorn says.
It comes down to user education
A good IT department that is in tune with the needs, concerns, demands and habits of an organization’s employees will typically be better at educating end users about IT systems they use.
“Education isn’t, ‘Watch this video once a year and answer a few questions,’” Hawthorn says. “There are lots of opportunities to educate your user as they’re working with you.”
Taking a proactive approach and using these strategies and tools to meet those demands before they turn into a cybersecurity issue will benefit everyone.
“Make it open and allow your employees to have a conversation with you,” Hawthorn says.