
Guidelines for Managing Shadow IT

February 18, 2015, Mobility / Service Support

Shadow IT: A term that describes employees using mobile apps and personal devices without the approval or knowledge of the IT department. This trend has become increasingly prevalent in recent years, due mainly to the rise of cloud computing and BYOD.

Today’s employees no longer need the IT department to install and enable new technology for them. They can download productivity and file-sharing apps to their personal devices and begin working immediately with corporate data and sensitive content.

While this way of working is very convenient for the end user, Shadow IT puts the entire enterprise in a very vulnerable security position.

The reality is that business users are far less likely than their organization’s information security experts to consider the long-term sustainability and security risks associated with new technology. The IT department can’t possibly maintain a secure work environment if employees are engaging in mobile activities that undermine their workplace’s infrastructure.

To mitigate risks, we recommend modifying your enterprise mobility management strategy so that it addresses Shadow IT. Here are some guidelines to keep in mind:

1. Monitor the network to identify problems. One of the main challenges of Shadow IT is simply finding out where problems are. Through continuous monitoring of the network, IT can gain insight into which employees are using unknown / unapproved devices, services, and applications.

After the initial audit, we recommend performing routine vulnerability monitoring and fraud analysis to quickly address any new risks that arise. Identify fraudulent use outside of your mobile policy by analyzing usage, expenses, and applications from your invoices.

2. Block high-risk applications. Identify which applications pose the highest risk, and immediately block access to them from the network. To begin, we recommend restricting users from accessing consumer file-sharing applications, such as Dropbox.

Once you’ve blacklisted an application, be sure to offer a low-risk alternative. This will ensure that your employees aren’t tempted to circumvent security policies in order to work productively. For example, if the majority of your staff uses Google Drive to store and manage content, create a company content repository that’s lower risk, but just as easy to use.

3. Set and enforce usage policies. Set company-wide policies around approved mobile usage, as well as whitelisted and blacklisted applications. Configure device and application rules to enforce these policies.

4. Educate your staff on security. Train employees to understand and recognize the risks associated with mobility. Educate them on how sensitive data is handled and why Shadow IT puts the enterprise in a vulnerable position. The more knowledgeable your staff is, the less likely they’ll be to engage in activities that put the enterprise at risk.
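
One way to implement the monitoring in guideline 1 against the approved and blocked lists from guidelines 2 and 3, as an added example that is not part of the original post. The proxy log format, the user and device names, and the `corp.example` hosts are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict

# Illustrative policy (assumed values): domain suffixes per list.
APPROVED = {"files.corp.example", "mail.corp.example"}
BLOCKED = {"dropbox.com"}  # consumer file sharing, as in guideline 2

def match(host, suffixes):
    """Return the list entry that host equals or is a subdomain of, else None."""
    return next((s for s in suffixes if host == s or host.endswith("." + s)), None)

def classify(host):
    """Map a destination host to (status, service)."""
    host = host.lower().rstrip(".")
    # Check the block list first so a block always wins over an allow.
    if svc := match(host, BLOCKED):
        return "blocked", svc
    if svc := match(host, APPROVED):
        return "approved", svc
    return "unreviewed", host  # unknown service: queue for risk review

def audit(lines):
    """Summarise non-approved traffic per (user, service); count malformed lines."""
    # Assumed line format: '<time> <user> <device> <dest-host> <bytes-out>'
    findings = defaultdict(lambda: {"status": "", "hits": 0, "bytes_out": 0, "devices": set()})
    skipped = 0
    for line in lines:
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdecimal():
            skipped += 1
            continue
        _, user, device, host, sent = parts
        status, svc = classify(host)
        if status == "approved":
            continue
        entry = findings[(user, svc)]
        entry["status"] = status
        entry["hits"] += 1
        entry["bytes_out"] += int(sent)
        entry["devices"].add(device)
    return dict(findings), skipped

# Constructed sample log lines, not real traffic.
SAMPLE = """\
2015-02-18T09:00:01Z alice laptop-17 files.corp.example 52000
2015-02-18T09:02:10Z bob phone-3 api.dropbox.com 4800000
2015-02-18T09:02:45Z bob phone-3 www.dropbox.com 1200
2015-02-18T09:05:00Z carol laptop-22 upload.filehost.example 910000
2015-02-18T09:06:30Z dave laptop-09 notdropbox.com 300
garbled line""".splitlines()
```

Entries marked `blocked` are policy violations to follow up on; entries marked `unreviewed` are services that still need the risk assessment described in guideline 2.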