If an employee fouls out, they probably didn’t have bad intentions. They wanted to get a job done and made a mistake. Employers are often less innocent. Allowing Shadow IT to proliferate is a gamble whose risks outweigh the savings of doing nothing. As Shadow IT grows, there is a good chance that they will lose the gamble – it’s just a matter of time. To prevent an impending security issue, there are a variety of strategies, each with cost and benefit tradeoffs:
IT executives generally prefer holistic security solutions that solve a wide range of needs. But security startups are now able to quickly develop solutions that close critical security gaps when more specific needs arise: Shadow IT is a perfect example of a specific problem that requires a specific solution.
Imagine walking through the front door of your office. On your left, a robot looks like it is trying to crack a lock on a file cabinet. You say hello to the new hire who already knows the answer to all your website security questions. She’s walking towards you carrying a large stack of folders labelled “Confidential” in big red letters. You hold the door open for her. Everyone is carrying on like nothing is unusual.
Despite extensive use of annoyingly long formatted paper and manilla folders, the technologies that came after Gutenberg are crucial in most legal workflows. According to the Business of Law Blog, legal is often ahead of other industries in tech adoption:
Controlling Shadow IT was much easier in the past: you could just block ports and call it a day. But that shotgun approach to blocking cloud apps is no longer a practical answer. You can’t support business needs without cloud services. Strategically deploying control is crucial, but enforcing new policies can be problematic with employees who’ve come to expect a fast and easy workflow using cloud apps.
IT leaders are bombarded with marketing messages regarding security and Shadow IT. All those messages blend together into white noise at some point. Then one day, you get an email that stands out from the rest: A friend, who’s also a client, forwards you a marketing email from one of your former employees. Turns out, that former employee left with all your account information and is leveraging it for their startup. And this is just the tip of the iceberg. Shadow IT rears its ugly head and damage control ensues.
You might be disheartened to learn that your corporate network isn’t fully protected even if your company spent millions of dollars on security infrastructure like firewalls, next-gen firewalls, secure web gateways, web application firewalls, vulnerability scanners and endpoint security. You can blame the unsanctioned use of cloud apps (Shadow IT) for yet another network risk.
Most CIOs don’t have to look very far to see that unsanctioned cloud use is a problem. According to McAfee’s “The Hidden Truth behind Shadow IT”, IT personnel use unsanctioned cloud applications more than other employees, so even the people who should know better are part of the “Shadow IT” problem. If a CISO doesn’t have a Shadow IT plan in place, then Shadow IT is definitely a problem.