Identifying Shadow IT

From Clinton’s Server to Your Office: The Insidious Effects of Shadow IT

It all started with a home-based server. A home-based server that carried state secrets.

Up until the most recent occupant, few others in the position of Secretary of State had used the official email address to conduct government business. This was pretty typical of the holders of this office. However, most former Secretaries of State didn’t rely on a private server, hosted in a Chappaqua home, to conduct official government business.

In 2015, when Clinton was being investigated for a different matter, congressional investigators noticed that she had never sent any emails from her official email account. This proved to be a problem since many of the emails contained information vital to national security. While the State Department’s official server was secure, the private email and server did not have the same level of security and were vulnerable to attacks. Since then, Clinton has unwittingly become the face of Shadow IT.

Right now, most businesses probably aren’t sharing state secrets, but information that’s just as vital to the company is flowing in and out every minute, often on devices and sites that aren’t IT-approved or that IT has no knowledge of. This trend, known as shadow IT, is the use of hardware or software that is not approved by IT for company, or in Clinton’s case, government use.

Why is Shadow IT a “Thing”?

It’s not that employees want to use apps, devices or programs that bypass IT, it’s that they’re just trying to get their job done. Often an employee is given outdated tools that make certain tasks more onerous than they should be. It’s not IT’s fault either — they may have a slow approval process or don’t have it in the budget to be constantly tracking every new technology that employees could be using. For more detail, check out Curtis’s post on why employees turn to the dark side of shadow IT.

Businesses are starting to feel the effects of shadow IT. According to a study done by Cisco, IT departments think their companies are using somewhere around 51 cloud services. But when asked, respondents of Cisco’s study owned up to using more than 730 different cloud services.

IBM released a Cost of Data Breach study in 2015 that found that, all together, data breaches can cost a company an average of .8 million. Broken down, that’s about 45 to 54 per sensitive document or file.

Identifying Shadow IT

There is a Catch-22 when it comes to shadow IT. Even though IT does not permit the use of outside apps or programs, they’re still responsible for what happens when employees do go outside the business for file sharing or management. It’s up to the IT department to monitor and detect usage that may harm the company or lead to a data breach. So, what should IT departments do? Check out the suggestions below.

1. Monitor Bandwidth

With a good bandwidth monitoring tool, you should be able to track more than just performance. Start looking at the traffic from devices and web applications. If you find that certain employees are hogging bandwidth more than others, even though they should technically be using the same software or tools, it’s likely they’re using outside applications or cloud providers.

On a similar note, you should measure file sizes as they leave your network. SmartStats, a visual analytics tool for certain SmartFile plans, allows you to see the sizes that are being transferred.

2. Auto Discovery

Auto discovery helps to find new devices that are plugged into networks by pinging them. If it’s a smartphone, it’s not so much the device that will cause the problem but the apps on the device. Who’s using an unauthorized device and for what reason?

3. URL Filtering

Cloud services use a web-based interface to access their services. Try using a URL filtering tool to track all of the major cloud service websites employees are using.

You can start blocking sites that provide the most risk, but know that employees may just switch to using a mobile device if they can’t access it on a work computer. The more IT departments attempt to lock down usage, the more likely employees are to seek outside resources.
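The checks from steps 1 and 3 can be combined over web proxy logs. The following is an added example, not code from this post or from any product named in it: it totals upload bytes per user, reports use of watchlisted cloud services that IT has not approved, and flags users whose upload volume is far above their peers. The log format, the watchlist, the approved set and the threshold are all assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from statistics import median

# Constructed sample proxy log: "<ISO time> <user> <destination host> <bytes uploaded>"
SAMPLE_LOG = """\
2024-05-01T09:00:02Z alice app.box.com 120000
2024-05-01T09:03:10Z bob www.dropbox.com 48000000
2024-05-01T09:04:55Z bob content.dropbox.com 910000000
2024-05-01T09:10:31Z carol app.box.com 300000
2024-05-01T09:12:47Z dave drive.google.com 2500000
2024-05-01T09:15:00Z carol intranet.example.com 90000
2024-05-01T09:20:18Z alice intranet.example.com 70000
malformed line without enough fields
"""

# Assumptions: illustrative watchlist and approved set, not a vendor feed.
CLOUD_WATCHLIST = {"dropbox.com", "box.com", "drive.google.com", "salesforce.com"}
SANCTIONED = {"box.com"}

def parse(log):
    """Yield (user, host, bytes_out) tuples, skipping malformed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[3].isdigit():
            yield parts[1], parts[2].lower(), int(parts[3])

def service_for(host):
    """Match on a dot boundary so www.dropbox.com is never counted as box.com."""
    for domain in CLOUD_WATCHLIST:
        if host == domain or host.endswith("." + domain):
            return domain
    return None

def unsanctioned_usage(log):
    """Return {service: {user: bytes_out}} for watchlisted, unapproved services."""
    usage = defaultdict(lambda: defaultdict(int))
    for user, host, sent in parse(log):
        service = service_for(host)
        if service and service not in SANCTIONED:
            usage[service][user] += sent
    return {svc: dict(users) for svc, users in usage.items()}

def upload_outliers(log, factor=10):
    """Return users whose total upload exceeds factor x the median user's total."""
    totals = defaultdict(int)
    for user, _host, sent in parse(log):
        totals[user] += sent
    if not totals:
        return []
    typical = median(totals.values())
    return sorted(u for u, t in totals.items() if t > factor * typical)
```

Comparing each user to the median rather than the mean keeps one very heavy uploader from raising the baseline and hiding themselves.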

4. DLP and DAM

Using a cloud Data Loss Prevention (DLP) tool can help you scan inside of cloud files to find if sensitive company documents are vulnerable. Database Activity Monitoring (DAM) tools can help identify large data dumps to cloud providers that aren’t approved. Most, if not all, of these tools come with activity alerts that can prove helpful in monitoring.

5. Outsource It

If you don’t have the time or ability to track shadow IT, you can outsource it. Several companies have popped up in response to the shadow IT threat. Cisco has created a service called Cloud Consumption that tracks all cloud site usage.

IBM released the tough-sounding Cloud Security Enforcer, which detects cloud apps and shadow apps. Another product, Skyhigh, monitors usage in several places, including Salesforce, Office 365, Box, Dropbox and Google Drive.

6. Start Talking

It’s unlikely that IT will ever completely eliminate shadow IT usage. But having a good rapport with employees can be beneficial. First, find out why employees are using non-approved apps and programs. Is it cutting their work time in half? Does it have a better UI or response time? There’s most likely a good reason they’re using it.

If you take the time to explain to them why and how their usage is affecting the company, they may stop. You may also find some valuable programs that would be worth looking into. For instance, if your employees love to use cloud sharing products, find one that has the ease-of-use of a consumer cloud product with the security and protections of an enterprise-level product. Eventually, you may be able to curtail some of the effects of shadow IT and make employees happy and productive without putting your security at risk.
