I was recently reading some interesting theories of Carl Jung in which he talks about ‘shadow’ personalities, and it made me think of the issue of Shadow IT. According to Jung, barriers to individualisation are created when we conduct tasks that are visible to the world in line with acceptable norms. It is only in the shadow personality, the one that is hidden away, that we can discover our unrealised potential. It made me chuckle, considering I had just finished writing a paper that addressed, amongst other cloud topics, Shadow IT. This is, after all, a practice where people bypass the visible, accepted IT policies and use their own cloud solutions to facilitate their work and enhance their individual outcomes. When people take IT restrictions out of the picture, they have the freedom to access, edit and share files and service clients in ways they feel are easy and time efficient. Jung also goes on to say that the shadow of beauty is a beast, and in the world of security that is exactly what Shadow IT is – a beast that most organisations are not equipped to tame just yet.
The practice of Shadow IT is nothing new. Emailing confidential corporate documents to personal email addresses to review or edit after hours is a practice that has been going on for many years. Cloud has released us from the shackles of IT policies. What is new, however, is the acute awareness of the security risks these practices expose corporate data to. Hillary Clinton has been in the news lately for this very reason. The US State Department is undertaking a huge investigation into Hillary Clinton emailing documents out to her home email address and working on non-secure computers. It could stop Clinton running for president next year. Clinton, of course, was just trying to work efficiently and effectively, and State Department IT wasn’t meeting her needs.
The recent high-profile breaches such as those of eBay, Target and, let’s not forget, Sony, the rise of sophisticated ransomware and the discovery of vulnerabilities such as Heartbleed have all been instrumental in forcing organisations to reshuffle their priorities to incorporate robust and strict security policies. Add the new privacy laws and the availability of cheaper contract work offshore to this mix and it is easy to see why data security is no longer a ‘nice to have’ for organisations.
The issue is that the priorities of the line of business and those of IT departments are often not aligned. While employees are being asked to deliver higher quality outcomes in shorter time frames and competition is intensifying in the corporate world, there is pressure on sales and marketing to bring in revenue. On the other hand, the acceptable use policies implemented by IT departments are becoming more stringent, and they are not being communicated well to the business units. Having said that, studies have revealed that IT employees are the biggest culprits when it comes to using unauthorised apps, because they think they can manage the risks better than the line of business. In fact, 26 per cent of IT staff use six or more unauthorised SaaS apps, compared to only 7 per cent of business unit staff using this number of apps. It’s a typical case of ‘do as I say and not as I do’, a bit like a parent-child relationship.
While the use of unauthorised apps is not based on malicious intent, it does lead to some serious security issues that can have a damaging impact on an organisation’s reputation or its bottom line. A recent report has revealed that almost 16 million mobile devices were infected by malicious software globally in 2014, with cybercriminals increasingly targeting the cloud for corporate espionage. Accidental data leakage can expose corporate secrets and classified documents to the outside world and, in the worst case, to competitors, with a single click of the ‘send’ button. The new privacy policies introduced in 2014 hold the sender of information liable for a breach no matter what the recipient does with it. This has serious implications for the practice of offshore contracting for cost-cutting purposes, because there is no guarantee of how that data is being stored and handled at the other end. Playing roulette with corporate data, therefore, can result in the entire organisation being liable for a breach, and not just the individual responsible.
Given that Shadow IT is here to stay and will only become more prevalent in an environment where corporate pressures are high and budgets are low, here are some solutions IT departments can implement that will help monitor and address Shadow IT issues rather than prohibiting the practice and pushing it underground:
1. Educate: IT should regularly communicate the risks of using public cloud to the line of business, but in a language they understand. Complicated IT terminology and policies that are difficult to understand and that business units cannot relate to will fail to create any impact. Sharing relevant examples of breaches and providing solutions that help departments achieve their goals while knowing how to safeguard the data will always ensure better compliance. Awareness is half the battle won; it can help IT stay in step with the changing needs of the business and become agile consultants for suitable solutions.
2. Enable: When the existence of Shadow IT is a given, IT departments should evolve from being gatekeepers to becoming risk managers. Working with employees to find apps that will help deliver the outcomes needed, while providing cloud security measures to monitor traffic within these apps, will foster trust and help mitigate security risks.
3. Collaborate: Business units do not like to wait for days to get access or IT approval for a solution they need ‘right now’. This is one of the main reasons for the prevalence of Shadow IT. In large organisations where there are several business units with competing priorities, it can be challenging for IT to deal with issues on a case-by-case basis. IT should, therefore, consider creating champions within each business unit who can become the go-to people for any queries. These champions can represent the voice of the business to IT and vice versa, while providing employees with high-level advice around security risks. A collaborative approach also allows IT to implement back-end policies that can detect anomalies and be proactive in taking action to prevent breaches.