Business Network Security: How to Stop Shadow IT
These days, network and data security is a primary concern for every business. Many organizations spend a great deal of time and money securing their digital infrastructures against online threats. Unfortunately, there is a new threat looming, caused by the growth of a phenomenon known in technology circles as shadow IT. It refers to the use of software and hardware that is not officially sanctioned on the business network.
It is a problem that almost every business has, whether they are aware of it or not. Some businesses do not detect it until it is too late, often after a data breach they did not see coming. One survey indicated that 80% of employees admitted to using unsanctioned online software at work.
The best solution to the problem is for business leaders to develop a strategy to prevent shadow IT and gain visibility into where and how their employees use company data. Here is how they can do that.
1. Begin with a Survey
One of the biggest problems with shadow IT within a business is that it is difficult to quantify. It is not as though most employees will simply volunteer a list of the unsanctioned software they are using. For one thing, many of them may have used some online tool or platform a single time and forgotten about it almost immediately.
The truth is, there is very little a business can do about situations like that. So, it is much better to focus on unsanctioned software and platforms that employees use regularly. A good place to start is to survey all employees and ask them directly. The survey should convey that there will not be any penalty for the use of unsanctioned software. It should also make it clear that the business is just as interested in the why as it is in the what of the situation.
In other words, it is useful for the business to figure out why employees find it necessary to use the software and platforms they are using. For one thing, it will illuminate deficiencies in the business’s technology stack. For another, it might lead the business to a useful technology solution it had not considered before.
2. Employee Education
The next step is to create an employee education program that teaches staff business security best practices and explains why the use of unsanctioned software and platforms is a problem. Most of the time, employees who resort to outside software simply do not know that what they are doing poses a risk to the business. Therefore, it is important to highlight how unauthorized IT solutions can compromise the business’ cybersecurity.
A great place to begin is by addressing one of the most common threats posed by shadow IT: reused passwords. It is critical to let employees know that recycling passwords while working with business data on an unauthorized platform is unacceptable. If the platform gets hacked, the attacker might find data that identifies the company alongside credentials that would enable a direct attack.
It is also important to train employees on the business’ acceptable data use policy. Spelling out how and where employees can work with business data will help them to avoid running afoul of the policy. That, almost more than anything else, will work to prevent shadow IT within an organization.
3. Deploy Shadow IT Discovery Technology
Whether intentionally or not, even the best-trained employees might still use unsanctioned hardware, software, or cloud solutions. That is why it is a good idea for businesses to deploy shadow IT discovery technology. This refers to defensive infrastructure that can sniff out rogue devices on the company network, the installation or use of unauthorized software on company machines, and employee use of unsanctioned software platforms online.
Most shadow IT discovery solutions include hardware provisioning features that make it impossible for an employee to connect unauthorized devices to a business network. They also include endpoint monitoring solutions that can detect software installations and the use of removable media. That makes it substantially harder for any unknown software to enter the company’s defensive perimeter.
Finally, most shadow IT discovery products also contain a combination of a cloud access security broker (CASB) system and a cloud app discovery function. The former helps to manage access to authorized cloud services and enforces business security policies in the cloud. The latter can detect connections to other cloud services that are not on the business’ approved list. That way, the business can intervene before an employee does anything that might pose a risk to the business.
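The cloud app discovery function described above comes down to comparing outbound connections against the approved list. The following is an added example, not code from this article or from any discovery product; the log format, user names, and approved domains are constructed for illustration.

```python
from collections import defaultdict

# Hypothetical approved-services list; a real one comes from the approval workflow.
APPROVED_DOMAINS = {"office365.example", "crm.example"}

# Constructed proxy log lines: "timestamp user method host:port bytes_out"
SAMPLE_LOG = """\
2024-05-01T09:00:12Z alice CONNECT mail.office365.example:443 5120
2024-05-01T09:03:40Z bob CONNECT files.sharebox.example:443 48211000
2024-05-01T09:05:02Z bob CONNECT files.sharebox.example:443 1200
2024-05-01T09:07:55Z carol CONNECT notoffice365.example:443 900
2024-05-01T09:08:10Z carol CONNECT CRM.example.:443 300
malformed line without enough fields
"""

def is_approved(host, approved=APPROVED_DOMAINS):
    """True if host equals an approved domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    # Match on a label boundary so "notoffice365.example" does not pass
    # as "office365.example" the way a bare endswith() check would allow.
    return any(host == d or host.endswith("." + d) for d in approved)

def discover_unsanctioned(log_text, approved=APPROVED_DOMAINS):
    """Return {host: {"users", "requests", "bytes_out"}} for unapproved hosts."""
    findings = defaultdict(lambda: {"users": set(), "requests": 0, "bytes_out": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue  # skip malformed records rather than abort the report
        _, user, _, target, bytes_out = parts
        host = target.rsplit(":", 1)[0].lower().rstrip(".")
        if is_approved(host, approved):
            continue
        entry = findings[host]
        entry["users"].add(user)
        entry["requests"] += 1
        entry["bytes_out"] += int(bytes_out)
    return dict(findings)

if __name__ == "__main__":
    report = discover_unsanctioned(SAMPLE_LOG)
    # Largest upload volume first: bulk data leaving to an unknown service
    # is the case to review before a one-off visit.
    for host, e in sorted(report.items(), key=lambda kv: -kv[1]["bytes_out"]):
        print(f"{host}: users={sorted(e['users'])} "
              f"requests={e['requests']} bytes_out={e['bytes_out']}")
```

Grouping by destination and recording which users reached it gives the follow-up conversation a starting point: who needs the tool, and how much business data has already gone there.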
4. Create an IT Solution Approval Workflow
Lastly, business leaders should solve the unspoken problem that most often leads to the growth of shadow IT in the workplace: antiquated or slow technology adoption. All too often, employees resort to the use of shadow IT because they do not have the right tools to get their job done. This is sometimes the result of a lack of technology agility, where organizational inertia keeps the business moored to older solutions.
Instead, businesses should provide a specific and responsive workflow for employees to suggest new tools and get them approved. Since the overarching goal of dealing with shadow IT is to get it out of the shadows, this is an essential step. If employees know their employer will work with them to accommodate their technology preferences, they will become allies in the fight against shadow IT.
In general, the approval workflow should include the following steps:
- Classifying the risk level of the requested data use and platform
- Addressing identified security concerns, if possible
- Codifying the specific approved uses of a given tool
- Setting up and activating a usage oversight procedure
At the end of the process, if the risk is not extreme or is manageable, and the employee has a good reason for the request, approval should follow. In the end, this will help the business to be more agile with its technology and help employees to get more work done more efficiently. It is a true win-win proposition.
Turning Shadow IT into an Asset
In the end, businesses that take action to prevent shadow IT sprawl and create incentives for employees to work within the system leave themselves in a far stronger cybersecurity position. They will have less to fear from unknown security threats and have happier employees, too. Both are outcomes that any business should pursue to the greatest extent possible.
For businesses looking to get on the path to taming their shadow IT, Outsource IT can help. Our IT security experts employ a systemic approach to the problem. We also provide end-to-end business IT security solutions for our clients in a variety of industries. Contact an Outsource IT account manager today to learn more.