What is Shadow IT?
As businesses move towards the cloud, it is important to know how your employees are utilizing cloud services. Employees signing up and using cloud services without the knowledge of the business is known as Shadow IT.
What are the risks?
Traditional network security solutions are not designed to show how employees are using the cloud. Managing Shadow IT is critical to the security of your organization because of the following risks:
- Unencrypted data storage and connections to services
- Lax password and authentication requirements
- Backup and recovery that doesn’t meet internal standards
- Legal issues regarding who owns what data when using a cloud service
- People unwittingly sharing sensitive data through public links
- Noncompliance with varying international and industry regulations
It is also important to know that, even after data is transferred to the cloud, the responsibility for protecting and securing that data typically remains with you and your organisation.
What can I do?
Blocking Shadow IT is not a solution because employees can always find a way around restrictions. You also don’t want to deter the innovation, technology requirements or productivity that can come from using cloud services. Your management will need to be sufficiently modern to adopt tools so that good employees don’t get fed up with poor tools and leave.
The best thing you can do is have employees sign a policy stating that they’re not allowed to sign up to cloud services without management approval. This will allow you to offer flexibility while having the same protections and security as other applications. Once you have had employees sign this policy, your next steps will be:
- Understand the applications that your employees are using, where they’re logging into them, and if they comply with your organization’s security regulations.
- Develop policies that define which applications are okay to use, and how and what data can be transferred to the cloud.
- Protect against threats. Look for behaviours that detract from the baseline of cloud application access at your organisation. Develop tactics to address threats.