Lurking in the shadows of traditional IT departments are the ‘do it yourselfers’, the ‘I don’t need them’, and the ‘we have someone for that?’ employees who shun the idea of using technology approved by their corporate IT departments. It sounds implausible, but it is a rampant issue, and to a time-crunched employee who needs to solve an IT issue quickly, it may seem like a well-intentioned foray into making an IT decision.
Shadow IT can be defined as technology projects, hardware, or software used in companies without the consent or knowledge of the corporate IT department. Shadow IT has existed for decades, basically since personal computers and devices existed, which brought about BYOD policies. The bigger problem with shadow IT is the unknown. Because the technology is used for work purposes but bypasses the IT department, enterprise security is at risk and IT is unable to enforce compliance and regulation policies for the protection of sensitive information.
Of the 20% of shared files:
- 56% contained PII, including social security numbers
- 29% contained PHI
- 15% contained payment card information*
Cloud computing has only added to the shadow IT problem. With the prevalence of cloud storage and cloud sharing applications, employees turn to these solutions to make their jobs easier, collaborate with co-workers, and have easy access to work files from any location or device. On the surface, this seems like a good thing: employees want to do their job and do it well. However, on the back end, it raises legitimate concerns for the security of corporate data. Based on a security analysis conducted by Elastica, 20% of shared files contain compliance-related data and, on average, each employee stores 2,037 corporate files in the cloud, of which 13% are shared publicly.*
IT is losing control. Compliance and regulatory requirements are not met, and corporate data is floating around in the cloud unprotected. The simplest and easiest-to-implement solution, forbidding the use of unapproved technology, has not worked and will not work. Looking at figure 3 from the Stratecast report from Frost & Sullivan**, there are many reasons why employees choose to use outside applications for work purposes, none of which include doing it out of spite for IT.
Some solutions for shadow IT include embracing the innovation and productivity it provides and creating new policies to monitor the technologies, but that is easier said than done.
Information is one of the most powerful business assets, and many security concerns about shadow IT come from the fear of sensitive data getting into the wrong hands (Figure 5). Many companies spend a lot of time and effort trying to patch holes in their security infrastructures by protecting the network perimeter along with countless applications and mobile devices. However, with shadow IT taking such a prominent role, the uncertainty of how and where sensitive data is being used, stored, and shared makes this job so much harder. The issue here is that most standalone solutions don’t easily integrate with each other and thus are nearly impossible to manage as mandated by a holistic data security standard.
Sensitive information cannot just be monitored. It has to be protected. Applying protection to the sensitive corporate data and documents themselves is a missing puzzle piece that solves a lot of security issues associated with shadow IT. It is essential that the information protection travels with the documents wherever they go, allowing only authorized users to access them. By embedding user access and usage policies inside the file itself, new data-centric technologies allow sensitive documents to safely travel in and out of the enterprise, even among shadow applications and devices. If corporate data is protected implicitly, regardless of which outside technology employees use, the risks of data theft, data loss, or unauthorized access will be mitigated by proper protection protocols.
** Frost & Sullivan, The Hidden Truth Behind Shadow IT, Nov 2013