Shining a Light in the Face of Shadow IT

October 16, 2018    |    Cyber Security    |    Lauren Elkins

Shadow IT lingers in your company, affecting the security of your data and brand. The term refers to technology used within the business without authorization and without the knowledge of the IT department. Perhaps departments were frustrated with the wait time for an IT project to get approved. Or maybe some tech-savvy users decided to put together some of their own technology to automate a part of their process without going through the proper channels.

With the rise of cloud software, shadow IT has increased rapidly. However, recognition of it has not grown accordingly.

Employees don’t typically create shadow IT for nefarious purposes. It’s often beneficial for businesses, helping users be more productive. Cloud-based software is now of such high quality that incredible productivity tools are available, whether for file sharing, social media, or collaboration.

It happens within many companies all of the time. Often, departments have created systems that have become critical to them by the time the formal organization reveals the extent of the iceberg. If you discover the shadow IT after a business dependency has developed, the question is no longer how to get rid of it but how to start supporting it.

How can you manage shadow IT? Make the following strategies a part of your organization’s security-centric culture:

1. Embrace the technology. Analyze why employees began using it. Create process maps to get a good picture of data movement. What are the benefits of the IT in use? Why is it better than what was previously available? Can we correctly incorporate it into our approved IT?

2. Promote safer services. If employees have set up personal file sharing accounts with a site, can you redirect them to a corporate file-sharing app in the cloud that can become part of your new data structure? Rather than shutting access down (which often leads employees to search out other, possibly riskier, alternatives), can you provide a security-centric choice that offers the same benefits?

3. Reward employees for reporting red flags. We’ve found this strategy works best for getting your workforce involved in a corporate culture of cyber security. Rather than reprimanding what looks like rogue employees, find a way that works for your company to reward those who bring security concerns to the attention of the IT team. Then work together to create the solution.

Managing shadow IT correctly is part of creating a culture of cyber security. For additional ideas on how to do this, another recent blog post offers seven strategies you can implement. Since OpenVPN’s cyber hygiene study, which revealed a lot of bad cyber security habits among employees, we’ve been focusing on spreading the word on how important this is!

Finally, follow the advice from OpenVPN CEO Francis Dinha on educating your staff: “Create a process everyone knows how to follow, including a two-factor authentication system, strong passwords, and access to a private network… Having the best security tech in the world will mean nothing if your staff isn’t taking it seriously.” It’s a team effort!

Better Safe Than Sorry