Shadow IT is a problem for many companies. Employees downloading apps and services without the knowledge of your IT department is a huge security risk. Previously, we covered what it is and why it happens. Now it’s time to discuss how to determine the threat level of the apps and services downloaded, as well as the potential value of these items.
In an ideal world, you have a system in place where there isn’t really shadow IT, but instead you have pilot IT. Pilot IT is when you allow people to introduce tools into your ecosystem in a transparent way. Once the tool is introduced and registered, it is scanned and evaluated for security standards and licensing. If everything passes, it can stay.
If you don’t have a pilot program in place, the alternative is to regularly scan all of the systems in your network. Make a list of installs and create a shadow IT list. Then scan through the installs and rely on your endpoint protection. The problem here is that this system will cause you to chase your tail. It perpetuates the negativity around shadow IT and should only be in place while transitioning to pilot IT.
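One way to turn per-host install lists into a shadow IT list, shown as an added example that is not part of the original article: the hostnames, app names, and the approved and pilot registries below are constructed for illustration. The host count per unapproved tool gives a first indication of how widely it is used.

```python
import re
from collections import defaultdict

# Constructed sample data: install lists per host, as a software-inventory
# export might report them. Hostnames and apps are made up.
INVENTORY = {
    "ws-001": ["Slack 4.36", "7-Zip 23.01 (x64)", "Dropbox 190.4.6"],
    "ws-002": ["Slack 4.36", "Dropbox 189.4", "Trello"],
    "ws-003": ["NotePad++ 8.6", "Dropbox 190.4.6", "Trello"],
    "ws-004": ["Slack 4.36", "Grammarly"],
}
# Hypothetical registries: tools IT provides, and tools registered via pilot IT.
APPROVED = {"slack", "7-zip"}
PILOT = {"notepad++"}


def normalize(name):
    """Reduce 'Name 1.2.3 (x64)' to 'name' so versions do not split one app."""
    name = re.sub(r"\s*\([^)]*\)\s*$", "", name.strip())  # drop "(x64)"
    name = re.sub(r"\s+v?\d[\w.]*$", "", name)            # drop trailing version
    return name.lower()


def classify(inventory, approved=APPROVED, pilot=PILOT):
    """Map each app to its status and the hosts it was found on."""
    hosts_by_app = defaultdict(set)
    for host, installs in inventory.items():
        for raw in installs:
            hosts_by_app[normalize(raw)].add(host)
    report = {}
    for app, hosts in hosts_by_app.items():
        if app in approved:
            status = "approved"
        elif app in pilot:
            status = "pilot"
        else:
            status = "shadow"  # not provided by IT and never registered
        report[app] = {"status": status, "hosts": sorted(hosts)}
    return report


def shadow_it_list(inventory):
    """Unregistered apps, most widely installed first."""
    report = classify(inventory)
    shadow = [(app, len(r["hosts"])) for app, r in report.items()
              if r["status"] == "shadow"]
    return sorted(shadow, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for app, count in shadow_it_list(INVENTORY):
        print(f"{app:12} installed on {count} host(s)")
```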
Once you have assessed the potential threat level of an app or service that was installed by an employee, and you determine that it is safe, you then need to determine the value of this tool. Is this something you already provide for your employees but no one can get to it? Is this something you used to provide and took away? Or is this something new that you hadn’t considered? Once you determine the value of the app or service, you can decide if you want to make it a permanent tool for your employees.
The best way to determine the value of a tool is to ask the users. Ask your employees if they find the tool helpful. No product manager or UX designer worth their salt would make decisions isolated from their users. So, if your employees are using tools not provided by you, there has to be a reason. Most people do not intentionally set out to aggravate your security and procurement staff. You must find out why your employees have turned to this tool, where the gaps are. In fact, when you have new proposed tools, ask your employees to try out their options. Ensure that this tool is effective and useful for what they do, and make sure that your process for getting a tool is not overly complicated.
When your employees turn to shadow IT, it’s for a reason. Anything they download can be a suitable candidate for approved business use. You definitely want ease of use to be extended to your employees. When you make their jobs easier, they will be more efficient and happier, and you will have higher retention rates and profits. Give your employees what they need; the cost of spending a little extra on a better tool or on securing a tool will often be balanced out by the efficiency of your employees. Efficient employees make for an efficient business, and an efficient business that is secure has a much higher chance of being successful.