Is Your Staff Risking Your Cybersecurity With “Shadow IT”?

Shadow IT, the unsanctioned use of technology by employees, is not an uncommon concept—and it’s becoming even more prevalent in the remote work era. An IT expert says strong policy can help solve the problem.

There are lots of cool tools out there that might make your life a little bit easier—even if they make your IT department’s life a little bit harder.

If you use some piece of technology without permission, that’s “shadow IT,” and it could create potential security or compliance issues down the road by putting data in places where it shouldn’t go. It could also keep that information out of the purview of the primary network.

To be clear, shadow IT is nothing new: A 2016 Cisco study found that 80 percent of employees used software that wasn’t cleared by the IT department, and just 8 percent of enterprises knew the real scope of shadow IT within their organization.

Darrell Poe, vCIO of B/Net Systems, said that shadow IT has long been something he’s observed in his various roles, including when he was the lead IT official for the National Association of Broadcasters.

Shadow IT became common for many organizations during this period, Poe said, thanks in part to the advent of the iPhone, which was still relatively uncommon. “They were all new and cool and folks wanted to use them, and it made their work life more efficient,” he added.

If you don’t have processes in place to take care of that, that’s data leakage.

He noted that shadow IT rarely grows out of malicious use cases, but by the nature of it, it could take information out of a centralized location and introduce external security risks that the IT team has no real control over.

How Remote Work Has Shifted the Shadow IT Conversation

For years, the command and control structure around IT helped to shape the thinking around shadow IT. But as more tools have emerged in the workplace, that model has effectively fallen by the wayside as trends like bring-your-own-device (BYOD) and the cloud have increasingly found their way into the modern office.

In that context, shadow IT was already a big deal and a major point of concern for IT departments years ago. But the challenge is growing with the rise of remote work tools during the pandemic, as employees work on networks the employer has no control of.

“There are no firewalls on home networks, no enterprise-grade firewalls, so that’s huge,” Poe said.

He added that the pandemic effectively kicked existing trends around shadow IT into overdrive, which likely will create security challenges when employees do reenter the physical workplace.

Tackle Shadow IT With Better Policy

Technical solutions can be used to tackle these issues—for example, preventing the direct export of data from your association management system, meaning that data can’t be compromised. However, Poe emphasized building policies that employees are able to live with, and are baked into basic documents, such as the employee handbook.

“We would put a lot of the foundational IT stuff into the employee handbook, or into the IT security policy, or the disaster recovery plan, or the incident response plan,” he said. “And those policies generally go out to staff, and they have to sign—especially the employee handbook.”

This provides a record that they’ve acknowledged the policy, giving your organization something to point to when issues arise—say, when an employee leaves the organization, and has a laptop or phone to account for.

“If you don’t have processes in place to take care of that, that’s data leakage,” he added.

Poe also recommends setting a portion of the employee handbook aside to set standards for how information is stored internally—if, for example, the organization has agreed to use OneDrive or SharePoint, it should be stated that using a personal Dropbox is off-limits.

“You can even take the next step of a records retention policy or an IT security policy, going more into the weeds about the specifics of what you’re using and why you’re using it,” he said.

Learn From Shadow IT to Create Better Experiences

The plus side of shadow IT is that, even if it does create challenges, it offers an effective script for improving your association’s approach to technology.

It could be one element to improving the overall technology experience, so that employees have machines and services that better match their needs.

Poe recommended bringing together a team or technology committee to help decide on solutions for the organization.

“That way, it’s no longer shadow IT, it’s ‘OK, I hear your needs,’ from the IT perspective,” he said. “Yeah, you’d like to use Google Mail for this, or you’d like to use Google Drive for that, or an MS messenger-type system, you know, let’s talk about it.”

If the technology falls within the organization’s foundational policies and could improve productivity, it could be useful—but it also brings the IT department into the conversation.

“I think that’s how you begin to shine light into that shadow IT approach,” he said.


(M-A-U/iStock/Getty Images Plus)

Ernie Smith

By Ernie Smith

Ernie Smith is a former senior editor for Associations Now. MORE

Got an article tip for us? Contact us and let us know!