Posted on 1st February 2018
by Dan Sims
Shadow IT makes it easy to unwittingly compromise compliance – but the solution isn’t as hard as you might think

It’s late, you want to leave the office, get home, relax and have some dinner and a glass of wine before taking another look at the document you’re working on for tomorrow’s meeting. So you upload it to your Dropbox account, shut down your work PC and head off, safe in the knowledge that you’ll be able to access all the information you need on your home laptop.

Sound familiar? It’s a common scenario. But although this action is undertaken with the best of intentions, it potentially exposes your organisation to unnecessary risk because the document in your personal Dropbox is not protected by the same security controls as when it is within the corporate IT network.

Shadow IT: applications adopted without IT’s approval

This is what is referred to as Shadow IT. It’s a big issue as the world gets more mobile and more connected and people move ever more seamlessly between their work and personal lives. We’ve covered the topic before in a white paper, ‘Seeing The Light’, but it’s critical – and pervasive – enough to warrant further attention.

To recap, Shadow IT refers to applications that are outside the scope of traditional IT, but that employees use for work-related tasks. This means that, although they are usually legitimate, they have not been sanctioned by the IT department, so no checks have been performed that would ensure the technology is compliant and secure and does not put the organisation at risk.

The combination of mobile devices, cloud computing and an increasingly digitally native workforce (the ‘consumerisation of IT’) has created a fertile breeding ground for Shadow IT. It’s straightforward for most people to install free and low-cost apps without involving the IT department. From there it’s an easy step for documents and data to get into the wrong hands, or become infected by a virus because these apps don’t usually carry the same level of security controls as the organisation’s internal systems.

Users adopt non-compliant technology to do their job better

But this is far from a tale of rebel employees, determined to flout the corporate rules. People usually carry out these activities so they can be more productive. An organisation’s legacy technology can be slow and not mobile-friendly; there’s little incentive to use it when the task can be performed quickly and easily with the smartphone or tablet that they like, know well, and have ready and waiting on their desk.

Using Shadow IT puts the organisation at significant risk because information is handled in a non-compliant way. It’s an ironic situation, as people are potentially sabotaging their employer in the act of trying to perform better for them.

This is of key concern to companies in the financial services industry because the nature of their work requires holding sensitive information about people; if this data is leaked it’s a compliance breach.

In our experience, most users don’t fully understand the issues, focused as they are on working ‘smart’ and blissfully unaware of the implications of a security breach.

The ‘work-anywhere world’ makes it easy to perform risky actions

So they continue to use content collaboration platforms such as Dropbox, Microsoft OneDrive and Huddle so that they can work anywhere – the office, the train, a café or at home. They are more likely to be concerned about getting wifi than about whether their personal devices have the security controls that will prevent unauthorised access to confidential company information, or infection by a virus that can then spread to the corporate system.

Alternatively, they may email a file to their personal email address. Quite apart from the insecurity of the personal device on which the information will then be accessed, it’s also possible to send it inadvertently to the wrong person (Dan Simpson rather than Dan Sims, for example), particularly with the wide use of cached email addresses.

The list of ‘risky’ behaviours is long, but it has a key theme: it’s easy for many of us to picture ourselves doing any one of these things, or at least being tempted.

The answer? Bring IT out of the shadows and make it legitimate

Shadow IT cannot be banished, as this will drive it underground and encourage it to proliferate further. Despite the complexity of the issue, the answer is relatively straightforward:

1. Knowledge encourages compliant activity

Education is key so that users fully understand the risk and what is at stake. Spelling out the potentially severe consequences of using unauthorised apps will help them to see that their employer is not being a draconian jobsworth for the sake of it.

Senior managers should also understand why people slip into using Shadow IT; by knowing what their teams need to do their jobs effectively and efficiently they can sanction technology that helps them do this.

2. Workable solutions remove temptation

In addition, users need to be given workable solutions so they are not driven to go off-piste and find their own.

Enterprise Mobility Management (EMM) holds the key by allowing people to use their own devices, thereby aiding productivity, in a way that doesn’t compromise security.

We’ve taken an in-depth look at the advantages of EMM in previous blog posts ‘4 considerations to manage mobile risk in the workplace’ and ‘It’s easy to be mobile, harder to stay secure’.

Essentially it acknowledges that the business world is changing, with the emphasis on being mobile, and that new ways of working must be adopted.

3. AirWatch: designed for business life in the digital age

In the context of Shadow IT, VMware’s AirWatch (the market-leading EMM platform) is a great example of a toolset that is security-focused while still enabling people to do their jobs. They can open and use documents – but only in an environment that is secure and governed by corporate security controls.

Personal devices are managed via AirWatch and so can be used to handle corporate data without it being compromised. Productivity and compliance can both be optimised.

To find out more about protecting your organisation from unnecessary risk while enabling your team to be mobile, productive and accountable, get in touch with Lanware.