[BreachExchange] Locking down shadow IT in the enterprise

Audrey McNeil audrey at riskbasedsecurity.com
Fri Nov 18 14:53:40 EST 2016


http://www.cbronline.com/news/verticals/the-boardroom/locking-shadow-it-enterprise/

Shadow IT covers a range of issues in enterprises, from people connecting
unauthorised mobile devices to the company network to department heads
making big purchasing decisions about cloud services. What they have in
common is that they happen without consulting the IT department.

Flexible working is a good thing, of course, but letting everyone decide what
technology to use brings its own problems.

In a world where Bring Your Own Device is increasingly the norm, a degree of
shadow IT is inevitable for most organisations.

Don’t be fooled into thinking this is just about millennials; it is just as
likely to be a techno-phobe MD who wants email access on his iPad.

Technology vendors say that an ever larger percentage of their sales now
comes from parts of the business other than the IT department.

As people use more and more technology in their personal as well as their
business lives, they feel qualified to make purchasing decisions which they
would once have left to the IT department.

None of this has to be bad news, but you do need to think about why it is
happening. IT departments are sometimes seen as slow, restrictive and
unhelpful, which leads parts of the organisation to look for other ways to
get what they want.

If end users are not happy using the applications you provide, then simply
trying to stop them using alternatives will not work.



Why should I worry about shadow IT?

There are several ways that shadow IT can cause problems for large
organisations.

The first and most glaring is security.

If staff access enterprise email systems from their own mobile phones or home
computers, those devices sit outside the company’s patching, monitoring and
access controls, and an unmanaged device holding corporate mail and cached
credentials is an obvious way into the enterprise for an attacker.

A basic premise of securing a network is knowing what is connected to that
network; you cannot patch, monitor or isolate a device you do not know about.

Equally, staff using their own devices might not be keeping your company’s,
or your customers’, data safe. That is an issue which regulators are taking
increasingly seriously, and one for which the IT department will still get
the blame in the event of a data loss.

There are strategic and cost implications too.

If individual parts of the business are all buying similar cloud services
from different providers, there is a good chance they are all paying more
than they need to.

If they are using free services there are further data-security risks: free
tiers typically offer no single sign-on, no audit logging and no contractual
commitments about where data is stored or who can access it.

Equally, they may be creating interoperability problems, and data held in an
unsanctioned service usually falls outside the corporate backup and retention
arrangements without anyone realising it.

Individual departments will not be taking the strategic view of the services
they buy that a central IT department can take.



How can I deal with shadow IT?

The first thing you need to do is to understand why people in your
organisation feel the need to go directly to external providers.

What functions are they getting from third parties which your IT department
is not offering? This might be a difficult process, but solving the problem
means addressing what isn’t being done well enough. It might be a single
business application which isn’t doing what those on the front line need it
to do, or it might be a broader issue.
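Before you can ask why people went elsewhere you need to know which services
they actually went to, and the article’s earlier point that securing a network
starts with knowing what is connected applies just as much to cloud services.
The script below is an added example written for this post, not code from the
article or from any product it mentions. It runs over a constructed web-proxy
log (made-up users, departments and hosts), treats any subdomain of an assumed
sanctioned-domain list as approved, and reports every other service by the
departments and users touching it and by the volume of data uploaded to it,
since upload-heavy unsanctioned services are where the data-loss risk sits.

```python
"""Discover unsanctioned cloud services from a web-proxy log (added example)."""
import csv
import io
from collections import defaultdict

# Assumed allowlist of sanctioned services, expressed as registrable domains.
# Any subdomain (eu1.salesforce.com, outlook.office.com) counts as sanctioned.
SANCTIONED_DOMAINS = {"example.com", "salesforce.com", "office.com"}

# Constructed proxy log for the example. Columns:
# timestamp,user,department,host,method,bytes_out
SAMPLE_LOG = """\
2016-11-18T09:01:12Z,asmith,marketing,eu1.salesforce.com,GET,512
2016-11-18T09:02:40Z,asmith,marketing,api.dropbox.com,POST,48213000
2016-11-18T09:05:03Z,bjones,marketing,api.dropbox.com,POST,9120000
2016-11-18T09:07:55Z,cwu,finance,mail.example.com,GET,1200
2016-11-18T09:09:31Z,cwu,finance,app.asana.com,POST,2048
2016-11-18T09:11:14Z,dlee,finance,www.wetransfer.com,POST,73400000
2016-11-18T09:15:48Z,efox,engineering,outlook.office.com,GET,300
"""

FIELDS = ["timestamp", "user", "department", "host", "method", "bytes_out"]


def registrable_domain(host):
    """Collapse a hostname to its last two labels: api.dropbox.com -> dropbox.com.

    Deliberately naive. Production code should consult the Public Suffix List
    so that names such as foo.co.uk are not collapsed to co.uk.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_log(text):
    """Parse the CSV proxy log into a list of dicts with bytes_out as an int."""
    reader = csv.DictReader(io.StringIO(text), fieldnames=FIELDS)
    records = []
    for row in reader:
        row["bytes_out"] = int(row["bytes_out"])
        records.append(row)
    return records


def find_shadow_it(records, sanctioned=SANCTIONED_DOMAINS):
    """Group traffic to unsanctioned domains by service.

    For each domain, record the departments and users seen and the total bytes
    uploaded (POST/PUT only, since downloads are not the data-loss concern).
    """
    found = defaultdict(lambda: {"departments": set(), "users": set(), "bytes_out": 0})
    for rec in records:
        domain = registrable_domain(rec["host"])
        if domain in sanctioned:
            continue
        entry = found[domain]
        entry["departments"].add(rec["department"])
        entry["users"].add(rec["user"])
        if rec["method"] in ("POST", "PUT"):
            entry["bytes_out"] += rec["bytes_out"]
    return dict(found)


def upload_heavy(found, threshold=10_000_000):
    """Unsanctioned domains that received more than `threshold` bytes of uploads.

    These are the services to investigate first: someone is moving real data.
    """
    return sorted(d for d, e in found.items() if e["bytes_out"] > threshold)


if __name__ == "__main__":
    found = find_shadow_it(parse_log(SAMPLE_LOG))
    for domain, e in sorted(found.items(), key=lambda kv: -kv[1]["bytes_out"]):
        print(f"{domain:18} departments={sorted(e['departments'])} "
              f"users={len(e['users'])} uploaded={e['bytes_out']:,} bytes")
    print("upload-heavy:", upload_heavy(found))
```

On the constructed log the report names three unsanctioned services, with
dropbox.com and wetransfer.com flagged as upload-heavy. The per-department
breakdown is the useful output: it tells you which business unit to talk to,
and who in it has already done the work of specifying and choosing a service.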

But there are positives too. Shadow IT means people in your organisation
are thinking about technology. They might even have found some excellent
suppliers, or helped speed the adoption of a new technology which could have
big benefits for the rest of the organisation.

It means that somewhere in that department someone has spent the time to
specify precisely what application or service is needed, and has found a
supplier. Getting that person on side will give you the information you
need either to bring that service back in-house or to find the right
external provider.

Cloud applications are the biggest driver of shadow IT, so the second way
to control it is to get the right, secure cloud applications in place
yourself.

Finally, you do need policies in place to make shadow IT safe.

This means educating staff about the dangers of using personal mobile devices
to access corporate services or data, and about the risks of insecure cloud
services.

If they need mobile access to the corporate network, then they need to be
trained to do it safely.

Getting back control of every department’s external deals might be impossible,
but at the very least try to win the chance to offer internal alternatives.

You also need to explain how you can help with future arrangements, and the
dangers inherent in every department going it alone.

In the end it is about carrot as much as stick.

Especially if senior staff are involved, the only way to stop shadow IT is
to offer better services internally.

Providing the services that staff want, in the way that they want them, is
the only way to stop them looking for outside help.