Effective Ways to Limit Employee Use of Shadow IT

Shadow IT December 7, 2018 By: Chris Xenos

Instead of using IT-approved technology, staff may rely on unsanctioned apps or software, known as “shadow IT,” which could put data and critical business intelligence at risk. To limit these under-the-radar tools, tech teams must engage in routine staff training and communications.

We’ve all done it. From using Google Docs at work when SharePoint is the approved document-sharing tool, to storing files in Dropbox instead of the official file-storage solution, the use of “shadow IT” is growing within associations and nonprofits. Symantec found that organizations typically have 1,232 applications on their extended network, most of which were adopted without IT approval or oversight. And 72 percent of IT executives admitted that they were unsure of how many shadow IT apps are being used within their organization.

Whether it’s personal preference or a lack of training and access, staff tend to use the tools they’re comfortable with, despite the negative effects those tools can have on the organization.

In addition, employees can feel frustrated and overwhelmed by the task of learning a new program or tool, and the learning curve can be steep for some of them. All of this can push staffers toward free or low-cost tools instead of solutions vetted and approved by the IT department.

Unfortunately, these tools and programs aren’t always the most secure. When an employee uses shadow IT, it can leave a trail of data—from critical member records to sensitive employee information—ripe for hackers to steal.

Gartner predicts that by 2020, a third of successful attacks experienced by enterprises will stem from shadow IT resources. If your organization’s security team isn’t aware of the additional tools being used, it cannot effectively protect employees and the association.

In other words, when it comes to shadow IT, what you don’t know can hurt you. Here are a few ways today’s associations can mitigate the risk.

Employee Training

To better safeguard your data, it’s imperative that everyone from senior leadership all the way down to new hires remain on the same page. Employee training on cybersecurity best practices is crucial to protecting an association’s data assets. Holding quarterly training activities helps make cybersecurity policies second nature for staff. Training should include education on how to identify potential security risks like phishing attacks, a list of IT team staff to contact with questions, and reminders on software updates and privacy shields. For example, a shared link to a single Google Doc that holds intellectual property could fall into the hands of an attacker. Making employees aware of these everyday risks can go a long way toward the overall security of your organization.

Instead of seeking out offenders and punishing them, provide avenues for employees to flag necessary tools that fall outside of IT’s purview so that they can be evaluated and tracked.

Open Communication

Open communication is also key to tackling shadow IT in any organization. Security teams should work to build a trusting relationship in which employees feel empowered and knowledgeable about the tools currently at their disposal. IT must also address needs that no existing approved tool easily meets. This goes beyond training to create an ongoing dialogue with employees about the tools and programs they use daily.

Shadow IT doesn’t have to be doom and gloom—at times it can produce a positive outcome for your association. The discovery of a shadow tool or app may prompt an association to reevaluate its current technology choices.

No matter the outcome, training, communication, and ongoing dialogue are key to minimizing risks associated with shadow IT.

Chris Xenos is director of cybersecurity and compliance at Personify in Washington, DC.