When I was a teenager growing up in Rio de Janeiro, my dad was always worried about my safety. His way of protecting me in our dangerous city was by saying “no” every time I asked to go out to the mall or to a party with my friends. Like most teenagers, I found ways to sneak out of the house and enjoy life a bit while my dad was at work. Sure, he caught me red-handed a couple of times, but I carried on. I wasn’t doing anything wrong, I thought, and if I told him what I was up to, he’d find a way to stop me.
I know you must be shaking your head at my “sneaky teenager” years or remembering your own, but this behaviour also happens in many companies, in the constant battle between users and their IT departments. This is how Shadow IT starts.
Concerned about network security, many IT and security professionals will limit what users can do and which devices and applications they can use. Some companies go as far as to forbid what has now become common practice, such as BYOD or remote working.
Users, on the other hand, want to carry on using their personal devices and favourite applications for work. They want to connect from the airport, or from a café while waiting to meet a customer. They are not trying to cause any damage; on the contrary, they are just trying to be more productive. They could be accessing anything from harmless applications to more complex ones that involve data sharing, for example. With the growing number of cloud applications available, those seem to be the most prevalent type of shadow solution these days.
There are two parts to the Shadow IT challenge: one is figuring out what is going on in your network right now, and the other is changing your employees’ behaviour so they don’t go behind your back installing things they are not supposed to.
The first part is a technology problem. Companies can invest in visibility and control tools, which can help them discover what their employees are doing. Solutions such as Cloudlock, for example, can help companies uncover risky applications connected to their networks.
The second part of the challenge can be even more difficult. How can a company convince users that the risks they are introducing could be greater than the benefits of using a particular application? Visibility and control will definitely help, but they don’t address the root cause. There is definitely a security culture element here: users need training, but they also need simplicity. If the approved route is too difficult, they may be tempted to bypass the rules.
First of all, IT should not see users as a security threat. Instead of penalising users or forbidding risky behaviours, they should make an effort to simplify the process for when a user wants to adopt a new technology. Who should users go to for permission and help, for example? Is there a catalogue of approved solutions available?
Companies should start by analysing the shadow applications they discover, speaking to their users, understanding why users were resorting to them, and offering secure alternatives they can adopt instead. Companies should not only make policies clear and stop bad behaviours, but also look for ways to securely enable users to become more productive. Would you like to work from the airport? Sure, but connect through the VPN. Would you like to use your own phone to read corporate emails? Fine, as long as you follow some rules.
By offering secure and viable solutions to user challenges, the incidence of shadow IT should reduce over time. It is tough, but it can be done.
This blog post describes a CTO’s experience with Shadow IT and how he tackled it: https://blogs.cisco.com/cloud/qa-1-cto-sheds-light-on-his-battle-with-shadow-it