Educating Non-Technical Employees on the Risks Of Shadow IT

Shadow IT, which is the use of IT-related hardware or software by a department or individual without the knowledge of the IT security group within the organization, is increasingly becoming a problem for companies.

Shadow IT is a myriad of technology including uncontrolled bring your own devices (BYOD), uncontrolled cloud apps/storage, and unmanaged software & installation rights.

With an increased general knowledge amongst employees of how to do things with computers, like the installation of software, Gartner estimates that shadow IT represents as much as 30% to 40% of total IT spend. Meaning the budget is being spent on software that teams, groups, and business units are purchasing (and using) without the IT department’s knowledge.

Why does shadow IT present risks?

Shadow IT represents a serious risk because they are typically owned and managed by non-technical staff, that may not be knowledgeable on security risks associated with software and hardware. Managers and employees can easily deploy applications and software that don’t support the company’s policies and procedures, don’t follow security guidelines or comply with mandatory regulations.

Anytime your IT department isn’t aware of various apps, software, or devices that are being used within your organization, there’s a greater potential for security gaps and endpoint vulnerabilities that attackers and cyber-criminals can potentially seek to exploit.

Why is shadow IT becoming more common?

Shadow IT is becoming more of a prevalent risk for a few reasons. First, many of these issues are occurring because business units are moving sensitive and valuable corporate data into the public cloud. IT departments don’t always have the opportunity to provide guidance or approval to managers or employees looking to deploy new cloud platforms or applications.

Workplace apps have also become a staple for businesses no matter the industry. Whether the apps are for communication, collaboration, or as part of general operations, employees are likely using one or more apps as part of their everyday jobs.

Even though utilizing these apps may seem harmless, they present a tremendous risk. There’s no guarantee that apps are being properly updated, vetted for security, or that they are meeting company-wide cybersecurity policy, which leaves critical data and information at risk.

Smartphones and tablets are also the culprits of many shadow IT risks. Data is constantly being synchronized between a secured device (company-issued laptop) and an unsecured device (personal smartphone). The sensitive data that’s being stored on an unauthorized, personal smartphone presents an opportunity for hackers to gain access to the device, leaving the company vulnerable to information being exposed.

Create a culture of security awareness

Chances are, the majority of your employees are not ‘insider threats’ out to harm your company. It’s likely that they just lack the knowledge to understand the risks associated with shadow IT and the level of impact utilizing them may have on the company.

The first step to creating a company culture of security awareness is to address the growing need to educate non-technical employees on what shadow IT is and the risks associated. When employees first hear the term “shadow IT,” they may feel that it falls outside of their wheelhouse. However, that’s not the case: shadow IT is the technology employees are using daily and not thinking twice about. Skype, Gchat, personal email services, document sharing services, personal hard drives and USB sticks all fall under the shadow IT umbrella.

Providing end-user education, such as cybersecurity training programs, is an efficient way for employees to better understand their responsibility to the company’s overall security. Comprehensive training services will prepare employees to recognize and avoid the latest cybersecurity threats, whether it be phishing, ransomware, or simple negligence.

Training programs will also give employees a new level of awareness when it comes to best practices for utilizing external software or hardware or make them more likely to check with the IT department before deploying any new technology.

It’s also important to have written policies and restrictions in place that can be enforced by technology wherever possible. Here are a few to consider:

  • Information Security Policy – to define the standards and processes your firm uses to secure your network and data.
  • Technology Acceptable Use Agreement – to articulate acceptable employee uses of your firm’s technology, in addition to the consequences of misuse.
  • Business Continuity Plan – that demonstrates to your clients, shareholders, and partners that your business is prepared for the worst.
  • Tabletop Business Continuity Exercise – to challenge the integrity of your plan in a safe environment, with a written recap advising of any opportunities for improvement.

Shadow IT isn’t going anywhere; it’s becoming easier and more common for departments outside of IT to make technology purchases and downloads for their teams. To get ahead of any security breaches, cyber leaders and IT pros must educate employees (especially the non-technical ones) on what shadow IT is and the risks involved to mitigate potential issues. 

What’s Hot on Infosecurity Magazine?