We are now in the era of business self-sufficiency. Employees are increasingly purchasing and managing their own services and solutions, despite the fact they are not sanctioned by IT. This shift, otherwise known as ‘Shadow IT’, is gathering pace, with Gartner reporting that 35% of IT expenditures for most organisations will be managed outside the IT department’s budget.
Today’s workforce uses a range of powerful tools, from Dropbox for sharing a file with a colleague or partner through to Amazon Web Services for spinning up development environments fast. However, while employees may believe self-reliance on technology enables them to do their jobs with better results, they are not security or compliance specialists. Chances are they won’t be thinking about how the use of their chosen applications fits within an enterprise security architecture. And if every employee, from HR to marketing, starts working independently to store and share data, the growth of Shadow IT will create a security and risk time bomb.
So how can IT teams uncover, assess and secure Shadow IT? Our latest InView shares in-depth guidance for organisations, but here are a few top tips:
· Invest in predictive capabilities, putting intelligence in context by discovering the extent of the digital footprint and the cloud services in use. Who is using them? Why are they being used? What data is being shared? This information can then be used to assess the risks each service, application or website poses in the context of the organisation’s data protection and compliance frameworks.
· Begin to evaluate and select cloud services in terms of their ability to meet security and compliance requirements, using an industry registry of cloud services and their specific security controls.
· Ensure that all enterprise data is always protected as per your defined policies. This may require you to classify data both residing in and travelling to and from cloud applications, and it may mean preventing certain types of sensitive data from being shared.
· Apply granular security policies that enforce appropriate levels of data access and cloud service functionality according to variables such as a user’s device, location, and operating system.
· Create an education programme that communicates policies and criteria for selecting new mobile, web, digital and cloud services. Ensure that you inform users in real time when they have acted in a way that is not compliant.
For more information on Shadow IT, read our latest whitepaper.
It might be seen as a bit of a bold statement, but these days one could argue that Shadow IT really is the new IT. This is because you can either ignore that Shadow IT is happening, fight against it (and thus risk the IT department being a hindrance to the business and falling victim to other organisations’ disruptive adoption of such technology), or embrace and manage it for the benefit of your organisation, with the agility and innovation it brings.