Today, more and more employees and collaborators are using Shadow IT.
This practice has advantages but also many risks.
In this blog article, we will define what Shadow IT is, what the benefits are and what the dangers are.
What is Shadow IT?
Shadow IT is the use of software, devices, applications, and systems that have not been approved by the company’s IT department.
With the proliferation of Cloud solutions, Shadow IT is becoming increasingly common.
In 2012, a study conducted by RSA showed that a third of employees say they have to circumvent the rules and measures imposed by IT protocol to do their job properly.
Why do employees use Shadow IT?
When using Shadow IT technologies, employees’ primary aim is to work efficiently.
Imagine a company asking its employees to use software that is complicated to use and learn; the employees then turn to other software to save time and work more efficiently.
In the same spirit, asking the IT department for authorization to use a particular solution can be time-consuming when the employee needs it right away.
Another example is using Drive to share files between colleagues. Why ask for authorization and waste time when it only takes a few seconds to share files?
Any discussion of Shadow IT should also cover unapproved equipment such as personal devices.
With the democratization of Cloud solutions, it has become simple and quick to send professional files via the Cloud, or by other means, not necessarily with the agreement of the IT department.
Obviously, employees don’t think twice about the risks involved, and the benefits are real and numerous.
The advantages of Shadow IT
Practicing Shadow IT has several benefits, both for the employee and for the IT department.
Saving time is the main one.
Employee productivity can be boosted by using the tools they’re used to, quickly and without having to ask the IT department.
As for the latter, approving or refusing access to certain software is not its only job, and doing so takes up a lot of precious time.
Therefore, a good solution is to establish protocols in advance on the technologies or solutions that can be used, without necessarily having to ask the IT department.
Time is money!
Imagine an employee who pays for a solution for personal use and wants to use it professionally.
If this solution is reliable, you might as well take advantage of it.
This allows the employer to save money, benefit from the employee's skill with the software in question and, ultimately, save time.
The risks of Shadow IT
However, if the benefits are real for employees, the risks are just as real for the company.
According to the analyst group Gartner, in 2020, a third of successful attacks suffered by companies came from the use of Shadow IT solutions.
Using corrupted software
The problem with Shadow IT is that the IT department is not aware of the use of software and therefore cannot ensure its security.
Indeed, the software approved by the IT department has been subject to increased security measures, as have the technologies made available.
This is obviously not the case for unapproved applications.
The RSA study cited earlier shows that 63% of employees send professional documents to their personal addresses to work on them at home.
Obviously, these statistics have increased since the COVID-19 crisis and the rise of teleworking.
Two problems arise from these practices:
1. Using unsecured networks
The use of home or public networks represents a major risk for businesses.
This type of network is in no way secured by the IT department and is therefore possibly vulnerable to cyberattacks and data theft.
2. Using unapproved file sharing software
Sharing and storing files with software not secured by the IT department, or in the Cloud, carries the risk of leaking more or less sensitive data.
Ban or allow Shadow IT?
The answer is both simple and complex.
Banning the practice does not prevent employees from doing it without declaring it.
Allowing it can completely compromise a company's data in the event of a cyberattack on Shadow IT software or equipment.
Completely preventing an employee's action is complicated; limiting it is possible.
So what should be done?
The best thing to do is to limit the risks associated with the use of Shadow IT.
Here are several tips to reduce the risk of data leaks through an employee’s use of Shadow IT:
1. Use Cyber Threat Intelligence software to detect potential data leaks, such as HTTPCS CyberVigilance.
2. Make employees aware of phishing attacks via a personalized phishing campaign; this helps them avoid the traps of phishing attacks.
3. Allow employees to use specific software and equipment when teleworking.
4. Have an internal protocol for the use of unverified technologies, applications, software, and personal equipment.
5. And finally, train employees and collaborators in cyber risks. This is the best way to minimize risks as much as possible. As the saying goes: prevention is better than cure.