Shadow IT Disconcerts Data Security Officials and IT Departments
The term ‘Shadow IT’ covers all software that is installed and used on devices inside a company’s network without the knowledge and approval of the central IT department. Such software sits outside of the company’s IT infrastructure and thereby puts this very infrastructure in danger.
Why Shadow IT Exists
While the term itself suggests darkness and malicious software, its meaning is neutral: it simply describes software that is installed without the knowledge of the IT department, most of it for a wide variety of innocent reasons.
Often, employees simply want access to a specific piece of software or a web service, but do not have the patience to follow the official IT procurement process provided by the IT department. Without further ado, and without any bad intention, the desired software is installed or the web service is used on a company device. Some major reasons for the existence of Shadow IT are therefore convenience, impatience and ignorance.
Employees do not want to give up the software they find most convenient, or go without music streaming services.
Another significant reason for the existence of Shadow IT is the specific, individual hardware and software requirements of different departments. Additionally, mobile devices pose a threat to IT security. Portable flash storage devices are a major threat, because malicious software can easily be transferred from such a device to the network.
In particular, accessing the IT infrastructure via smartphone or tablet is becoming an increasingly serious threat to the security of company networks, as such devices become more widespread and bring their own IT security risks.
Additionally, popular online services for mail, video calls or instant messaging, like Gmail, Skype or WhatsApp, pose a non-negligible threat to a company’s network. Many departments also use cloud storage services to share and work on files easily, making teamwork more efficient.
What Harm may be Caused by Shadow IT?
The risk that unauthorized software poses to a company’s network is not limited to endangering data within the network. Shadow IT may also cause legal and usability issues.
We collected some examples of issues that may be caused by Shadow IT:
- Shadow IT may cause bandwidth problems when multiple employees use music streaming services at the same time.
- Many apps and services automatically import contacts from the device’s address book. This way, business contacts may be exposed to third parties, which usually not only conflicts with internal compliance guidelines but also violates data protection regulations. This concerns messenger apps like WhatsApp and is also a known issue in networks like LinkedIn and Facebook.
- Files saved in a cloud are transmitted from one device to another via the cloud provider’s own “Share” function. This way, sensitive data may easily be exposed, which again violates compliance and data protection principles.
How to Minimize the Risk Caused by Shadow IT?
Banning any form of “outside software” on principle may reduce the risk that Shadow IT represents, but this approach creates additional costs for the IT department, because resources are needed to enforce the ban.
Another way to reduce the risk is to invest in IT security. There are several options: using endpoint security and investing in centrally controlled network hardware are among the appropriate measures to reduce the risk of Shadow IT.
At Boxcryptor we have a different approach, though: we recommend not treating Shadow IT as a taboo, but raising employees’ awareness of it. It is advisable to set up a convenient and quick process for integrating the software and services that employees want into the IT infrastructure. This approach considerably reduces the burden on the IT department and is likely to increase the satisfaction and efficiency of employees working with software and company devices.
Additional Attention Is Required When Cloud Storage Services Are Used
When sensitive data (e.g. customer data in a CRM) is stored in the cloud, particular attention is required. Outsourcing data storage to the cloud is economically worthwhile with regard to, for example, the cost of storage capacity, availability and the handling of data.
But using a cloud storage service exposes data to a certain risk of unauthorized access by third parties. There is the (theoretical) possibility of data being stolen in transit between the computer and the cloud. In addition, incidents “inside” the cloud, like the recent Meltdown security vulnerability, need to be considered.
The unauthorized use of cloud storage services to share and work on files is very common. Since this practice is so popular, presumably most businesses are affected. For this very reason, it is highly advisable to take measures that allow these services to be used, but also ensure they are used securely.
To secure data saved in the cloud, end-to-end encryption, as used by Boxcryptor, is the best method. Access to company-internal data is protected by the combination of two strong encryption algorithms. At the same time, Boxcryptor ensures that working in a team remains possible and efficient.
Boxcryptor offers a secure and easy way of sharing and working on data and files within a team, seamlessly integrated into the existing infrastructure and administration of files and users.
Using Boxcryptor helps reduce the risk of Shadow IT for companies. Sensitive data remains secure, employees can work in their accustomed, most convenient way with Dropbox and Co., the IT department is relieved, and the compliance department can remain at ease, even in the face of the new General Data Protection Regulation of the European Union.