Do It Yourself IT – Increasing in Popularity and Increasing Your Risk of a Security Breach
For a couple of years, shadow IT, sometimes referred to as stealth IT, has been under the radar for many organizations. The way I look at it, you reap what you sow. Organizations expect employees to use their own smartphones, tablets, and laptops – what a nightmare that must be for the IT professionals supporting them.
These devices are of unknown origin and often possess inadequate security standards, opening the door for data breaches. Shadow IT mimics the bring your own device (BYOD) strategy. If an employee doesn’t have access to the tools needed to perform their tasks, then they will go to the cloud and download or buy them. Why ask permission?
According to IT Business Edge, “More than 80 percent of IT pros said their end users have gone behind their back to set up unapproved cloud services, with a whopping 40 percent reporting their users ‘going rogue’ five or more times.” The problem falls squarely on the organization’s shoulders. Users are seeking a workaround because they don’t have, or think they don’t have, the tools to do their job.
What do hackers think? EdTech Magazine reports that by 2020 an estimated 33 percent of attacks using shadow IT resources will be successful. It is impossible for an organization to protect and monitor the infrastructure when shadow IT practices are being used.
An example of this scenario is when an employee uses a consumer file sharing application, such as Dropbox or Google Drive, to share or store sensitive customer data. Sharing data in this manner can easily expose protected information and trigger breach notification laws.
Who is ultimately responsible? Once again, the organization. Shadow IT also poses security risks. The use of unapproved applications can allow rogue or fake security programs to be installed, disabling existing security solutions in the process. Links to such programs often arrive in email attachments or as hidden links.
The problem is twofold. The first part of the equation is to identify what end users are downloading, or uploading, and undo whatever damage has been done. The IT team must have control. The second part is to take a good, hard look at the tools end users are using and why. In some instances, the organization needs to determine whether specific software and tools need to be purchased and made available to the organization as a whole. Some may be well suited and could be adopted as standard. It goes without saying that end users need training, and must gain an understanding of how their use of unsanctioned tools can cause irreparable harm to the organization.
How do you handle shadow IT? Many of our clients use our software to generate an inventory of exactly what is in the hidden areas of their cloud. Good luck with your detective work.