Shadow IT is nothing new. It’s been a thing for as long as the personal computer has been around. COVID-19 has, however, created the perfect petri dish in which Shadow IT has been able to grow at an incredible rate.
But what is Shadow IT? And, more importantly, why should you care?
What is Shadow IT?
In its early days, IT was somewhat prescriptive. Users were limited to the functionality presented to them by the software and systems that they used. The Internet, and more significantly cloud-based SaaS applications such as Dropbox and Salesforce, changed things radically, presenting users with an increasing number of ways to solve their own IT problems.
From file sharing, to line of business applications, users can now self-subscribe to services, often without the approval (or knowledge) of their organisation’s IT team. This growth in unauthorised cloud usage is known as Shadow IT, and it has exploded as a result of the global home working experiment over the last 12 months.
So What? At Least They’re Working
Out of necessity, users have found ways of sharing documents, communicating, and improving their processes; however, in doing so, they have likely trampled on years of established procedures aimed at protecting their organisation’s data, privacy, and intellectual property. This has placing many organisations firmly in the firing line of organisations such as the Information Commissioner’s Office (ICO), and the Financial Conduct Authority (FCA), to name just two.
The End of The Organisational Perimeter
Ultimately, the problem comes down to two things: the ingress and egress across previously secure organisational boundaries.
Egress is about the unfettered flow of sensitive information to insecure, unmanageable locations. Think personal email, Dropbox, personal Microsoft 365 OneDrive accounts, memory sticks, etc. Once your organisation’s sensitive data is ‘out there’, it’s out there forever; regardless of any new policy you might introduce prohibiting it. You see, the horse has well and truly bolted over the last 12 months, end the problem will only get worse unless you act now.
Ingress is about the loss of control over what can enter your organisation’s cyber perimeter now that many of your employees are working from home, often on shared laptops, using inadequate remote access solutions that were introduced in the dash to home working in 2020. Ingress is about your organisation’s cyber security footprint; once secure behind central, or branch office, firewalls, and now spanning hundreds of private homes. These homes are the new battlefront for ransomware, phishing, and social engineering attacks, as users struggle with unfamiliar IT environments, juggle home schooling, and try to find ways to do their job.
5 Steps to Get Control Back
From working with our clients over the years, we’ve amassed a wealth of experience in providing flexible and agile working. Above all, we’ve learned that you can’t force users to follow the rules, you have to take control back from Shadow IT. Here’s how:
Offer a Better Experience – The problem with cloud apps today is that they’re, well, really rather good. To encourage them to use your corporate systems, you need to offer them something that is really, really good. Microsoft’s Modern Workplace is our answer to this. It provides a rich cloud-based environment where users can talk, meet, share, collaborate, and access their applications; all from a single Microsoft Teams interface. You can find out more here.
Re-Establish Your Perimeter – Reduce your perimeter by presenting desktops and applications with Windows Virtual Desktops on Azure, and documents via Teams/SharePoint; bringing your users’ digital workplace back under your control. You can find out more here.
Apply Compliance Policies – Once you’ve got your data and applications back within your control, you can then apply strict compliance and Data Loss Prevention (DLP) policies; ensuring that sensitive information does not leave your organisation without your approval. You can find out more here.
Take Control of Your Endpoints – Laptops are here to stay. Whether they be corporate or personal devices; deploy appropriate endpoint management to provide Mobile Device Management (for corporate devices), or Mobile Application Management (for personal devices). You can find out more here.
Educate, Educate, Educate – There’s only so much that technology can do to protect your organisation from cyber threats. Regular awareness training, coupled with simulated phishing protection, can help to prevent your users from falling foul of cyber criminals. You can find out more here.
Your cloud strategy is increasingly being dictated by your users’ tactical decisions. Why not get in touch to hear how String can help you to make the Cloud ‘strategic’ again.