Since the dawn of the cloud era, shadow IT has been an issue. Even if you don’t recognize the term, you are familiar with the practice: shadow IT refers to any devices, software, or other technology that members of your organization use without going through the normal procurement steps.
The catch-22 of cloud solutions is that they are so simple to download and use that employees often forget that what they are doing is accessing technology without the approval of IT. They may find a project management tool or graphic design application that they like, and it simply doesn’t occur to them that they are putting the cyber security of their organization at risk.
For security teams, shadow IT can become a bit of a monster, with a depth and breadth that’s hard to quantify. Before the pandemic, many organizations were getting a handle on shadow IT by training employees and line-of-business managers about the risks of downloading technology without going through the steps of the appropriate approval process. But with remote teams, shadow IT has grown out of control.
That doesn’t mean your chief information security officer (CISO) or security teams shouldn’t try to rein in unidentified applications and devices. Here are a few ideas for getting more control over your cyber security:
- Establish inventory practices that help you stay current on all of the resources contained in your IT infrastructure. You may want to invest in some inventory technology to assist you in this effort.
- Review network activities, including both inbound and outbound traffic, to check for any irregularities.
- Educate executives and line-of-business managers about the risk of shadow IT to your cyber security. They can be instrumental in both training employees and watching for the use of any unauthorized technology. You can also periodically send out organization-wide emails letting employees know of suspected shadow IT activities and how they can avoid them.
- If your organization has a bring-your-own-device (BYOD) policy, consider updating it to address shadow IT.
- Develop clear policies for how shadow IT will be handled. Be sure to coordinate these policies with leadership, and consider planning a special training session to address cyber security risks and the steps employees can take to protect your organization.
- Coordinate efforts with your human resources and legal teams to establish penalties for employees engaging in shadow IT activities.
- Before an IT audit, be sure that you are up to speed on any shadow IT activities occurring in your organization, because auditors will ask about them.
There’s another approach you can take to shadow IT and cyber security that may be more comprehensive, solving not only this issue but also addressing others at the same time. Companies that adopt an information governance policy, whether it’s to meet data security compliance regulations or as part of their own policies, are able to identify where information is housed, which applications access it, and which employees access it.
This approach is a proactive way to address many of the most common cyber security issues, including shadow IT.
To learn more about the steps you can take to protect your business against shadow IT, including leveraging specific solutions for managing technology inventory, contact us at Independent Connections.