Shadow IT is the use of technology systems and solutions without the explicit approval of the organization. It is happening right now in your organization; you just don’t know it. Your data is at risk, or could even be breached already, and you don’t know it. At least not yet.
Most employees are aware of the potential security risks they are exposing their organisation to by using shadow IT, but feel their behaviour is justified if their needs are not being met by the IT department. However, shadow IT only poses a threat if it is not managed correctly, or worse, ignored. And even then, security issues aside, the biggest threat is to the IT department itself.
Be it finance, marketing or HR, business functions are more tech-intensive than ever, and department heads want the most up-to-date technology to drive their operations. As a result, the way organisations buy technology is changing, and the technology budget is no longer solely in the hands of IT.
The biggest risk of shadow IT is unintentional disclosure of data, and cloud providers still have some trust-building work to do. Data-focused tactics you can use include the following:
- Prohibit data exchanges between internal and cloud applications without IT approval. You can also apply functionality controls to high-risk cloud apps at the IP level to restrict activities like uploading, posting, and downloading.
- Use data loss prevention (DLP) software to restrict the flow of data to cloud apps.
- Use published APIs for application interconnection, with data stored behind the firewall. APIs minimize data transfer and ensure that data is never stored on cloud provider servers.
- Encrypt data behind your firewall, and never send plain text over the public Internet.
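
Restricting uploads and tuning DLP rules both start with knowing which unapproved cloud apps are receiving data. The following Python script is an added example, not part of the original article: it sums upload traffic per user to cloud apps outside an approved list. The proxy log format, the domain names and the approved list are all constructed assumptions.

```python
from collections import defaultdict

# Assumption: cloud apps IT has approved (hypothetical domains).
SANCTIONED = {"crm.approved.example", "mail.approved.example"}
# HTTP methods that move data out of the network.
UPLOAD_METHODS = {"POST", "PUT", "PATCH"}

# Constructed sample proxy log: timestamp user method host bytes_sent
SAMPLE_LOG = """\
2024-05-01T09:12:03Z alice POST files.unapproved.example 10485760
2024-05-01T09:12:09Z alice GET files.unapproved.example 512
2024-05-01T09:13:41Z bob PUT crm.approved.example 20480
2024-05-01T09:15:27Z carol POST notes.unapproved.example 2048
2024-05-01T09:16:02Z alice PUT files.unapproved.example 5242880
malformed line here
2024-05-01T09:17:00Z dave POST sub.crm.approved.example 100
"""

def is_sanctioned(host):
    """True if host is an approved domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in SANCTIONED)

def parse_line(line):
    """Return (user, method, host, bytes_sent), or None for malformed lines."""
    parts = line.split()
    if len(parts) != 5 or not parts[4].isdigit():
        return None
    _, user, method, host, sent = parts
    return user, method.upper(), host, int(sent)

def unsanctioned_uploads(log_text, min_bytes=0):
    """Sum bytes uploaded per (user, host) to apps outside the approved list."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that do not match the expected format
        user, method, host, sent = rec
        if method in UPLOAD_METHODS and not is_sanctioned(host):
            totals[(user, host)] += sent
    return {k: v for k, v in totals.items() if v >= min_bytes}

if __name__ == "__main__":
    for (user, host), sent in sorted(unsanctioned_uploads(SAMPLE_LOG).items()):
        print(f"{user} uploaded {sent} bytes to unsanctioned app {host}")
```

The `min_bytes` threshold lets you surface only bulk transfers first, which is usually where a review of unapproved apps should begin.
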
The balancing act is to choose security controls that will protect vital data while enabling lines of business to have the IT services they need to drive growth and innovation.