Attention, IT Department: You are no longer needed.
I hate to be the bearer of bad news, but your employees have declared you redundant. If the statements above are any indication, these non-IT-employees have transcended their departments to a higher plane where IT is unnecessary: a relic from a bygone era; a dinosaur waiting for the meteor to hit.
While your employees may not recognize the importance of IT, others do. This trend—where employees take IT into their own hands by using devices, apps, and software for business without IT’s approval—is called Shadow IT and the loosening of IT’s control over security threatens to topple businesses everywhere. This is especially true in the age of digital workspaces.
Isn’t it time the IT department regained control?
In the 25 or so years since businesses opened their networks to the internet, we’ve seen a transition from total security as controlled by the IT department to an employee-driven application and device free-for-all.
It would be difficult to pinpoint where exactly in this transition the Shadow IT trend started, but Phil Hagen, SANS Certified Instructor and Course Author, sees it as starting at a cultural level.
“I believe Shadow IT sprouted from what users perceived as a ‘Culture of No’ on the part of IT organizations. IT was seen as a roadblock to business, so people found a way around it.”
In the beginning, technology flowed down from businesses to consumers. After the dot-com bubble burst, IT vendors switched from targeting businesses with new technology to the growing consumer market. This trend was known as IT consumerization and it meant that consumers started to receive new technology before it hit corporations.
As consumers used new technology in their homes, they also wanted to bring it into the workplace and, eventually, the line between personal and business tech began to blur. Knowing that IT was likely to say “no” to these new apps and devices, employees brought them in anyway, neglecting to consider the security impact.
They gravitated towards removable media to obtain files, first using floppy/zip disks, then CDs, USB flash drives and cards, portable external hard drives, and consumer-grade file sharing platforms. They shared files through unencrypted email and over naked FTP servers. The cheaper and larger that storage got, the more it was accepted and used en masse.
When this new-fangled cloud technology came on the scene, first as grid and utility computing, then with Salesforce.com’s Software as a Service (SaaS) platform and onto consumer cloud storage, it became difficult for IT to keep up. The ever-changing definition of “cloud” added another layer of complexity because IT departments tended to think of the cloud as Infrastructure as a Service (IaaS) while employees saw it as SaaS. This lack of consideration for SaaS clouds may have led IT to think they didn’t have a “cloud” problem because clouds were only used for infrastructure.
Around the turn of the last century, employees had become much more computer savvy. Using personal cloud accounts like Dropbox and accessing browser-based applications instead of desktop programs became second nature. Cell phones evolved into smartphones and browser-based applications became available as mobile apps.
If IT told employees “no” when they asked for something, well, they’d simply do it themselves, using the technology and devices they already knew. Unfortunately, all of this computer savviness and knowledge didn’t extend itself to security. The technology and applications that had worked at home for employees were not made for wide-scale use at companies. The methods used to share or transfer files, including removable media, email accounts, and consumer cloud accounts may have increased efficiency but it also increased security risk.
Won’t Someone Think of the Remote Employees?
With the increase in remote work, Shadow IT will likely increase if there are no governance structures to go through.
As the global marketplace spreads employees out, IT departments have struggled to balance the needs of in-house users with all the needs of remote workers. Remote workers rely on collaboration tools like phone and video conferencing and many companies don’t place a big emphasis on support for these. Remote workers can end up patching together a solution of various apps and devices that let them be productive when IT isn’t there to help. These unauthorized collaboration methods are one of the most common ways companies are put at risk.
Removable media, arguably a little more popular in the early aughts than now, was never perfect. It was prone to crashing and easy to misplace, but as USB drives became cheaper and so ubiquitous that they were often handed out free at events, employees started using them to store both personal and professional files. Unfortunately, the autoplay feature on PCs made it easy for surreptitiously installed malware to launch automatically from a USB drive, infecting the computer it plugged into as well as those on the network.
Bring Your Own Device
Organizations that allow the practice of bring your own device (BYOD) report a variety of benefits, from higher worker productivity to increased employee satisfaction. There are also security considerations.
With the BYOD trend, employees became very comfortable with bringing in their own devices and solutions to solve problems at work without involving IT. Though most of the time employees brought in personal phones and tablets, this extended to other devices as well.
Nick Espinosa, CIO and Chief Security Fanatic at BSSi2 has seen it happen several times.
“We had a new client once who had an employee take it upon himself to edit their firewall and DNS to allow for better performance. As a result of this ‘tweak,’ the entire internal network was given public IP addresses and 100% exposed to the internet. You could literally connect to any of their printers from anywhere in the world and print to it. When we were called in to fix this mess we discovered a rogue FTP agent on their server that was uploading all of their intellectual property files to an address in China.”
Espinosa also saw another user who brought in his own wireless access point from home because he didn’t like the company’s wireless,
“This unit was actually a router that knocked out their DHCP server handing out internal addresses and started handing out addresses that were entirely unrouteable. It brought the entire company down; they probably lost a day of work.”
Email, which most office workers were accustomed to by this time—was another handy way to share files (as long as they didn’t exceed a certain size). While email has only improved security, it’s still not a perfect way to share sensitive documents.
In fact, a study done on mortgage industries (the industry that shares some of the most sensitive consumer data out there) found that they were one of the worst offenders when it came to sending unencrypted documents over email. HALOCK reported that 70% of businesses were allowing employees to send personal and financial information over unencrypted email as email attachments. It wasn’t just that these employees were sending out unencrypted emails, but that they were encouraged by managers and owners to use these channels, showing a terrible lack of insight into how secure email is.
Consumer Cloud Storage & Collaboration Tools
As consumer cloud storage and collaboration tools became popular, so did their use in the workplace. Emails and FTP servers fell back and the cloud became the best way to share documents in-house and externally. To people who didn’t understand how the cloud worked, it seemed like a productivity gift from the tech gods.
But the issues with personal cloud accounts are even worse. They are consistently pointed to as the riskiest way companies can store and share files. As Hagen points out,
“Using a file synchronization service such as Dropbox seems harmless until an attacker compromises your credentials and sets up a “live mirror” of your files. The impact is even more severe if the attacker pairs that with something like dropping stolen data in a user’s shared folder.”
A Big Game of Whack-A-Mole
Unfortunately, once users caught on to how easy it was to use these tools, tools that were outside of the oversight of IT, it was hard to stop them. Mostly because you can’t stop something you don’t know is going on. While IT did what they could, it was like a game of whack-a-mole, block off access to one application and employees would find another to use. Block all access on a desktop computer and employees would use their phones or tablets.
To IT, this was incredibly frustrating. They had approval processes for software, applications, and devices they used within their organizations. These policies were in place for a reason—they kept their organizations safe and, if regulated, compliant.
To the employee, this was also frustrating. The employee was there to get a job done and if they saw a low-cost or free application that would increase their productivity, then they’d take advantage of it. To them, the IT approval process was long and ineffective. Also, because it wasn’t really their job to consider it, employees didn’t see the risk in using unauthorized applications or cloud accounts that seemed secure enough for their personal files.
Somewhere in between trying to find a balance between the access employees wanted and the security IT required, a disconnect occurred and the problem grew out of control.
And yet, companies continued to ignore it.
Unfortunately for them, Shadow IT is not going away.
The Risk of the Cloud
83% of IT professionals reported that employees stored company data on unsanctioned cloud services. If your employees are taking IT matters into their own hands and using devices, apps, and software for business without approval, they are leaving your organization vulnerable to data breaches. The average company has 975 unknown cloud services. That’s nearly a thousand chances for your company to experience a data breach.
Shadow IT cloud usage is estimated to be 10 times the size of known cloud usage. It is clear at this point that cloud and device sprawl was out of control.
Why Companies Ignore Shadow IT
At this point, it’s not if you are affected by Shadow It, but to what extent. You probably know your company has Shadow IT issues; if you are in IT, you are positive it’s an issue and you are in the thick of it every day, dealing with the problems that crop of because of it.
Knowing this, why do companies continue to ignore Shadow IT? Espinosa sees it as something companies will keep ignoring until something serious happens.
“It’s not a reality to a business until it happens to them. Businesses balance trust in their employees versus the cost to tighten up and deeply control the network. Can a business afford an hour of downtime due to Shadow IT? A day? A week? Is it ok if sensitive data is stored online in weakened cloud solutions?”
Espinosa sees it as IT’s job to help the leaders of the company find a balance between that trust and the cost of failure.
Shadow IT is Good for Productivity and Innovation
We can’t forget that Shadow IT does have its benefits. In many cases, it’s been shown to encourage employee innovation and increase productivity. Employees would normally be praised for finding a better way to work. Work smarter, not harder, right?
By turning to personal cloud accounts, applications and devices, employees have found a better way to work. A consumer cloud account can share large files faster than breaking them up over several emails. A smartphone or personal tablet can let them keep up with client emails on the go. A note-taking app can be accessed from anywhere.
In many cases, employees had to find ways to work better since IT wasn’t giving them the tools they needed to get their jobs done. You can’t ask your team members to simply not use tools that make their lives easier. There are way too many benefits for them not to seek one out.
What’s becoming apparent in these studies is that consumer-grade collaboration apps are becoming so necessary for business operations that their removal would be crippling. But so would a data breach. IT departments must find a way to replace these tools with legitimate, easy-to-use and easy-to-implement alternatives.
Is the Reward Greater than the Risk?
Right now, the reward of increased productivity is greater than the perceived risk of a data breach. In most companies, the prevailing, if unspoken, thought seems to be “we haven’t gotten in trouble yet, so let’s keep doing it.”
Some, mainly line-of-business owners but also a handful of IT personnel, also think the relatively low costs on Shadow IT might also outweigh the financial risks of a data breach.
That might make sense until you really start to break down the financial costs at an enterprise institution. The hidden costs of unauthorized cloud services can be higher than the “visible costs,” which include things like the invoice from a cloud vendor or the charges that hit your card statement each month or year.
But what are the hidden costs? Hidden costs include:
- Ongoing security issues
- Data enhancements
- Terms and conditions review
- Operating costs
- Hardware or software integrations
- Network issues including downtime
- Data ownership talks
- Litigation concerns
- Contract negotiation and renegotiation
Enterprises are the ones who face the biggest impact here. Enterprises face challenges because there are multiple departments with budgets to deploy technology on their network.
So, what are the enterprise costs?
Imagine this scenario
You’re an organization with 2,000 employees, and your 50-person marketing department turns to Dropbox for Business. That costs about $125 per user annually, on their middle-of-the-road plan. That’s only $6,250. But considering all those other costs, you’re multiplying that number by eight. That’s a $50,000 annual investment when you consider both the visible and hidden costs.
That’s only one department, and the data is on another network without any of your IT department’s oversight, making 100% regulatory compliance nearly impossible. If 1,500 employees at that same organization used Dropbox for Business without IT’s oversight (which isn’t far-fetched given some of the numbers in this article), you’re looking at visible annual costs of $187,500; when you include hidden costs, that annual number jumps to $1,500,000. That’s a lot of zeroes for something IT doesn’t control.
Not all Shadow IT should be treated equally, but they’re the type that should be locked-down right now is file-related Shadow IT. Letting files live unmonitored in various insecure places can lead to hefty regulatory fines, data breaches, and even lawsuits. Tack those figures onto the $1.5 million we just covered and you’re easily looking at an eight-figure nightmare for your business.
Luckily for IT, those same eight-figure numbers can help when speaking to managers and executives about file-related Shadow IT. They’ll want a solution, especially with all the headaches we’ve uncovered, and we’ll get to those shortly.
It’s Not My Problem
Another reason companies ignore Shadow IT is that the cause is deep within several departments. There’s no one easy solution in a single department, which leads to everyone coming down with a case of “it’s not my problem.”
On the surface, Shadow IT looks like an IT department issue, which is why they’re always the ones blamed. But chat with any IT professional and you’ll see the frustration they feel when faced with the Shadow IT issues that plague their company. Employees and management bypass them on tech decisions and then turn back to IT when they need help fixing applications and devices that IT had never even seen, let alone installed.
To IT staffers, it’s a cultural issue that starts at the executive level. For example, upon their release, iPhones were not secure enough for business use, yet executives were the first ones asking the IT departments to get them set up. When employees see executives do it, they follow that lead-by-example mindset. According to Espinosa, “At its core, Shadow IT is the fault of the company and its IT leaders for not keeping up the network to current standards and also not listening to their employees’ needs.”
It’s also a management issue, IT can block the applications, but if an employee consistently goes around IT, it’s not IT’s job or place to reprimand the employee. Managers may want to blame IT, but it’s their job to manage their staff. If, in the end, that is not working, then it becomes an HR issue.
Hagen believes that there’s often a favorites games amongst departments. “If a sales team makes the case that IT is hindering revenue, management will side with sales.” It’s a short-sighted case of following the money, even though businesses could end up owing more later on in security lapses and reputation damage.
In order to have the most successful outcome, IT, management and HR must all work in conjunction to resolve the issues their business face.
Solving the Shadow IT Problem
There’s no denying that Shadow IT is a complex issue. And it’s one that many vendors have started to provide solutions for. Beyond a product, there are several things that businesses can start doing now to slow the spread of the shadow.
Remember that “Culture of No”? It may not exist anymore, but in employees’ minds it still does. Increasing communication and transparency are two of the most important ways to slow down the rapid growth of Shadow IT.
In order to get people to trust that the IT department will listen to them, IT staffers need to be in open communication with employees.
“Most importantly,” says Espinosa, “there has to be a process in place where employees can request whatever they need from the IT staff, beyond trouble tickets, and those requests must be responded to in a timely manner.”
He adds that employees want to work within the system but if they go through the proper channels and they are ignored, they will figure out their own solution.
A good way to find out how and what employees are doing, as well as how they feel, is to survey them. Send out a company-wide survey and make it anonymous so employees won’t feel like there will be retribution if they tell the truth. Ask them what applications or devices they’re using and why. The “why” is important — do employees feel like they can’t get their job done with the tools they have? Is there a tool out there that IT already has that the employee just doesn’t understand?
From then on, IT should have an Open Door Policy where employees feel comfortable sharing their needs as well as the outside ways they’ve found work for them better than current methods. Transparency all around will pull much of the Shadow IT behavior out of the darkness, while also preserving the innovation and productivity of employees.
Implement Security Training
People like to know why they can’t do something and quarterly or yearly training is a great place to explain exactly why. With the newly opened channels of communication, IT departments can start to share the risks that come with sharing files on personal cloud accounts and unencrypted email accounts. If IT is hosting cybersecurity training, management will need to support them by making attendance mandatory and enforcing it.
In addition, compile a policy that details what is allowed and not allowed when it comes to file sharing behavior, cloud use and device use. It should be very well known and followed by everyone in the organization (yes, even those in the C-level suites).
Centralize Ultimate Authority and Responsibility
Who’s in charge? Is it IT? Is it management? Is it the CIO? If you don’t know then it’s guaranteed that your employees don’t either. Hagen recommends having the CISO in charge and gives several tips for it:
- Have a separation between the CISO and CIO, because the two positions have competing interests
- Get the ear of the business line management to make the case for secure operating processes such as users not having administrative access and deployment of application whitelisting at scale
- Give them a budget to facilitate visibility, whitelisting, and other solutions
- Create a mission charter that allows them to perform their job in support of the company and organization
Changing a company’s management or culture style can be a challenge, but it will help the issue immensely.
Conduct Regular Audits
It seems like logical but many companies don’t conduct audits. Remaining compliant is too important not to address through regular audits.
Hagen adds that this is an important step, even though it can be difficult.
“Dealing with [Shadow IT] requires visibility and organizational discipline. Visibility means knowing each and every application that runs in your environment. If you don’t have a solid and continuous software inventory, you’re out of luck — period.”
Adopt New Technologies: The Hybrid Solution
If tools are successful with your employees and safe, then adopt them. Or find one that lets employees work the way they have been, with easy access from anywhere.
For instance, on-prem file management tools like SmartFile are engineered for IT governance and designed for employees with various access requirements. They replace legacy storage, FTP servers, and cloud accounts in your business. Even if the hard and soft costs make tools like SmartFile a five- or six-figure investment, they’re obviously worth it because they cut the 7-figure Shadow IT-related visible and hidden costs.
On-prem file management tools fall into the hybrid IT sector. Teams that have established a hybrid IT infrastructure, one that contains traditional and cloud environments, realize tremendous gains in productivity.
Organizations recognize that an on-prem tool that creates or exists within a hybrid IT environment provides value and reduces costs. How does this happen? By reducing troubleshooting tickets created, streamlining file-related workflows, eliminating training on clunky tools, and consolidating services so fewer systems are needed. Most importantly, they’re designed for the end-user but engineered for IT.
IT leaders can take this data to their colleagues across the business and explain that not only will hybrid IT solutions curtail Shadow IT, but they will reduce costs and improve productivity. From a business perspective, unauthorized tools are more costly in terms of revenue and risk and often fail to produce the results the employee is looking for. This solution should help begin institutional change.
So, What Is Your Business Going to Do?
You’ve been informed and now it’s time to take action — are you going to address Shadow IT in your company…or keep ignoring it?
You can lay the foundation today to bring IT processes out of the darkness with open communication, transparency, training and active monitoring. Additionally, by adopting tools, like a hybrid cloud, that your employees will actually use, IT and management can lessen the stranglehold that Shadow IT has on employees and companies.