Shadow IT. It has arrived. But can it coexist with cybersecurity? It must, somehow, because it's not going away and your cyberperimeter must continue to guard your valuable digital (and real) assets. Let's start at the beginning -- what is Shadow IT and how did it get here?
The Origins of Shadow IT
If you own or work at a small business, this won't take much imagination at all... Remember your first marketing hire? Or your first sales hire? Or your first hire in any job function that wasn't previously "professionalized" by time-tested procedures and workflows? If your small business is anything like the ones we speak with daily, it's not hard at all to remember a time where that "first hire" in a new job role/function joined the company.
And if you didn't have Shadow IT before then, you probably got it right at that moment. Not because of any ill will or intentional effort to undermine the company, but just as a natural consequence of a new employee blazing the trail in a new functional area, creating various necessary online accounts with less than an official blessing from the CEO/President, owner, IT person, or other manager.
Example: suppose the new employee, the company's first marketer, created the company's first Twitter account, and used his/her phone number for multifactor authentication. And didn't tell anyone, and no other employees realized the twitter account existed, and after some period of time the employee ended up leaving for a role in a different company.
Boom. You have Shadow IT.
Knowing Shadow IT When You See It
Let's get formal with a definition of Shadow IT: "hardware or software that is not supported by an organization's IT department" (according to whatis.com). For some small businesses even that definition is too lofty (we serve some companies that don't even have an "IT Department" per se). We'd simplify the definition to "technology used by one or more employees without the benefit of cross-training, documented procedures, or managerial awareness."
Perhaps more simply, if a particular employee left the company on short notice and there is some online account or technology that the employee relied on for their job that no one else knew about, that's Shadow IT.
How to Make It Coexist with IT
If you were able to create a set of policies that would allow employees all of the flexibility they needed or wanted with regard to technology selection, and STILL avoid having Shadow IT, you'd be in the cybersecurity hall of fame. Until that day, though, here are some practical techniques to manage the cyber risk associated with Shadow IT -- which is dramatically better than pretending it doesn't exist.
- Surveying Tech Needs: the most powerful step towards reducing shadow IT is to stay abreast on what tools/technologies your team is finding that they need. By engaging proactively, you can work to incorporate the necessary tools and technologies more formally into the company's processes, reducing (but we wouldn't dare say "eliminating") the extent to which Shadow IT permeates the culture.
- Password Keepers: everyone in the company that signs into any online account related to the company, needs a password keeper supplied by the company. Period. It's inexpensive (we can help). The accounts need to be company-managed; meaning, that if an employee abruptly separates, you retain access to their company-related credentials for all manner of websites.
- 2FA to Work: consider implementing a process whereby you give employees work phone numbers that can readily receive text messages, and encourage employees to use their work number for any 2FA related to company accounts. This will save you a sometimes-maddening 2FA battle with 3rd party online websites where account recovery/access may be complex if you are not the holder of the 2FA capability.
- Email Retention Policy: if an employee abruptly separates from the company (for any one of many reasons), there is a good chance that you'll need to pick up the pieces with a kind of forensic mindset -- piecing together the puzzle of what technological building blocks are in use but are not documented. If you've configured your O365 email retention policy or your G Suite email retention policy (or similar for whatever email system you use), you'll have what you need. There is an incredibly high probability that a trail of automailers from various service providers will help in that mystery-solving.
- Acceptable Use Policy: set the stage for what is and isn't acceptable. Pick your battles. Is it realistic that no employee ever creates any online account for the company without immediately implementing a documented process? Probably not. But set parameters that you feel are realistic and achievable. We can help -- we set up InfoSec and Acceptable Use Policies for many companies, and will be your sounding board on tuning them to feel right for your company's culture.
- Take a Test Drive: your employees go on vacation sometimes, right? When an employee has a vacation coming up, managers should ask for a "test drive" through the various job responsibilities that need to be shared/delegated in the employee's absence. Managers will be pleasantly surprised at all that they'll learn about their employees' day-to-day workflows, just by asking to watch as they take care of certain tasks that will temporarily need to be delegated to a colleague. If Shadow IT shows up during the test drive, it's a great time to gameplan on how to incorporate the website or technology into a workflow that is better understood and documented.
These six tips will take you a long way on the journey towards minimizing the extent that Shadow IT exists in your organization, and mitigating the ramifiations of any Shadow IT that does come about. As always, let us know how we can be helpful as you manage your growing cyber perimeter.