Shadow IT: risks and prevention
Have you ever heard of the term "shadow IT" or "invisible IT"? It refers to the indiscriminate use of devices, applications, and platforms that the IT department has not authorized for professional use. This is an old problem, but one that is becoming increasingly common and difficult to contain – especially with the popularization of remote working.
There is no lack of examples of shadow IT. To paint a picture, imagine that your company decides that cloud file storage service X will be the official service for storing any and all corporate documents. However, for whatever reason – personal preference, convenience, etc. – an employee decides on their own to store work documents and files on service Y, which may not offer the same level of security and reliability.
Other examples of shadow IT include using a personal email address or messenger account to send and receive corporate files, using random apps to create to-do lists, adopting a project management platform without notifying anyone, maintaining sensitive work communications with other employees on third-party software, and so on. Again, it is important to point out that this is an old problem, but one that is getting worse, especially with remote and hybrid work formats and the massive adoption of policies such as BYOD (bring your own device), under which employees use their own devices at work.
Are there any risks?
Loads! First, it is crucial to understand that the IT department, together with the information security team, determines the tools and platforms used for corporate operations based on several factors: reliability, stability, flexibility, visibility, and, of course, security. In some cases, the choice is made according to crucial criteria to ensure compliance with certain legislation or standards specific to the business sector in which the company operates.
So, using unapproved tools and platforms puts the daily work routine at risk, making some files and processes invisible (hence the name by which the practice has become known) to security managers, who are then unable to protect the company from the threats that result from these practices. It is also common for choosing your own service to store sensitive information to leave the door open to data leaks, since the environment in question was never configured correctly or does not have as mature a protection infrastructure.
And that is without mentioning the most extreme cases, when employees resort to "quick fixes" or even pirated software for their professional tasks. Besides the ethical issues, these actions expose their devices to the risk of malware infection.
Easy to solve
There are no secrets here: to prevent shadow IT from spreading, each employee must do their part and only use devices, tools, and applications authorized in advance by the IT and information security teams. If you are experiencing problems with certain software, for example, it is worth formally contacting these two teams to learn how issues like these can be resolved without compromising security.
Fortunately for managers, the market already offers an array of solutions that allow them to monitor the network more closely for "slips" into shadow areas, such as more effective asset management and software license tracking.
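As an added example (not code from the original article) of the kind of network monitoring the last paragraph alludes to, the following Python script flags traffic to unsanctioned services in web proxy logs. The log format, the catalog of sanctioned and unsanctioned services, and the placeholder domains are all assumptions constructed for this example.

```python
"""Flag unsanctioned SaaS destinations in web proxy logs (shadow IT discovery).
Assumed: the log format "<timestamp> <user> <host> <bytes>", the service
catalog and the placeholder domains below are all constructed for this example."""
from collections import defaultdict

# Constructed catalog: destination host -> (category, sanctioned by IT?)
SERVICE_CATALOG = {
    "files.approved-storage.example": ("cloud-storage", True),
    "mail.corp-mail.example": ("email", True),
    "drive.other-storage.example": ("cloud-storage", False),
    "chat.personal-messenger.example": ("messaging", False),
    "tasks.random-todo.example": ("productivity", False),
    "board.unvetted-pm.example": ("project-management", False),
}

# Constructed sample proxy lines
SAMPLE_LOG = """\
2024-05-02T09:01:10 alice files.approved-storage.example 48213
2024-05-02T09:03:44 bob drive.other-storage.example 1048576
2024-05-02T09:05:02 bob chat.personal-messenger.example 2048
2024-05-02T09:07:19 carol tasks.random-todo.example 512
2024-05-02T09:08:30 alice drive.other-storage.example 734003
2024-05-02T09:10:00 dave unknown-host.example 300
"""

def parse_line(line):
    """Return (user, host, bytes) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 4 or not parts[3].isdigit():
        return None
    return parts[1], parts[2], int(parts[3])

def find_shadow_it(log_text):
    """Sum transferred bytes per (user, category, host) for every destination
    that is not a sanctioned service. Hosts missing from the catalog are
    reported as 'uncatalogued' so they get triaged rather than silently ignored."""
    findings = defaultdict(int)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        user, host, nbytes = parsed
        category, sanctioned = SERVICE_CATALOG.get(host, ("uncatalogued", False))
        if not sanctioned:
            findings[(user, category, host)] += nbytes
    return dict(findings)

if __name__ == "__main__":
    for (user, category, host), total in sorted(find_shadow_it(SAMPLE_LOG).items()):
        print(f"{user:6} {category:19} {host:34} {total:>8} bytes")
```

In practice the catalog would be fed from the company's approved-software inventory and the log from the proxy or DNS layer, and the per-user byte totals help prioritize which "slips" to follow up on first.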