Shadow IT is a legitimate cybersecurity risk for organizations. In the contemporary business technology landscape, where employees have multiple interconnected devices and software can be downloaded at the click of a button, the issue may feel like a wildfire blazing out of control. But is a draconian crackdown really effective? Rather than trying to blot out LOBs' zealous, independent approach to technology, organizations can more effectively mitigate shadow IT by democratizing some facets of IT as part of their digital transformation strategy, and implementing platforms that make it easier for IT to work closely and collaboratively with lines of business.
Shadow IT Creeps Up on Businesses in the Consumer Electronics Era
In the era of ubiquitous consumer electronics, you're more likely than ever to see employees' work lives bleeding over onto other devices, software, and services. The "BYOD" (Bring Your Own Device) market, including tools like mobile device management platforms for organizations, is predicted to grow from $30 billion in 2014 to $367 billion by 2022. As Forbes notes, "BYOD is here to stay." Consumer platforms add to the chaos; Google Docs, GitHub, Venmo and other platforms are so enmeshed in people's flow of life that employees may not think twice about using them, thus risking corporate cybersecurity and privacy.
Additionally, SaaS apps, marketed toward and purchased directly by lines of business, are encroaching on the territory of traditional B2B software licensed by the IT department. The user-friendliness of consumer-style business software may mean that employees are less likely to turn to IT as their single source of truth for technology provisioning and assistance.
What are the risks of Shadow IT?
According to an Infoblox report on exposing the threat of shadow devices, over a third (35 percent) of companies in the US, UK, and Germany report that more than 5,000 non-business devices connect to their networks each day.
Hackers can take advantage of these vulnerabilities. DNS tunneling is the most common method that hackers use to exfiltrate data. DNS tunneling “enables cybercriminals to insert malware or pass stolen information into DNS queries, creating a covert communication channel that bypasses most firewalls.”
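One way a defender can look for the covert channel described above, shown as an added example that is not part of the original article: the script flags any client that sends several distinct long, high-entropy query names under one base domain. The log format, the thresholds and the "last two labels" base-domain rule are assumptions, and the log lines are constructed.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log, one query per line: "<client_ip> <query_name> <qtype>"
SAMPLE_LOG = """\
10.0.4.17 www.example.com A
10.0.4.17 mail.example.com A
10.0.4.17 assets-cdn-static-content-delivery.example.org A
10.0.9.52 k7q2m9x4b1z8r5t3w6n0p7c2v9j4h1d8.t.example.net TXT
10.0.9.52 8d1h4j9v2c7p0n6w3t5r8z1b4x9m2q7k.t.example.net TXT
10.0.9.52 b1z8r5t3w6n0p7c2v9j4h1d8k7q2m9x4.t.example.net TXT
10.0.9.52 www.example.com A
"""

# Illustrative thresholds (assumptions); tune against your own resolver baseline.
MIN_LEN = 24        # characters in the subdomain part of the name
MIN_ENTROPY = 3.8   # Shannon entropy, bits per character
MIN_UNIQUE = 3      # distinct suspicious subdomains per client and base domain


def shannon_entropy(text):
    """Bits per character; encoded payloads score higher than readable hostnames."""
    counts = Counter(text)
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())


def split_name(qname):
    """Return (subdomain, base_domain). Assumption: the base domain is the last
    two labels; production code should use the Public Suffix List instead."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def find_tunnel_suspects(log_text):
    """Map (client, base_domain) to the number of distinct suspicious subdomains."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        client, qname, _qtype = parts
        sub, base = split_name(qname)
        # The length check runs first, so short or empty subdomains never reach the entropy call.
        if len(sub) >= MIN_LEN and shannon_entropy(sub) >= MIN_ENTROPY:
            seen[(client, base)].add(sub)
    # A single long hostname is not enough; require several distinct ones.
    return {key: len(subs) for key, subs in seen.items() if len(subs) >= MIN_UNIQUE}


if __name__ == "__main__":
    for (client, base), n in find_tunnel_suspects(SAMPLE_LOG).items():
        print(f"{client} -> {base}: {n} distinct long, high-entropy names")
```

On the constructed log only 10.0.9.52 is reported, because the long but readable CDN-style hostname from 10.0.4.17 stays below the entropy threshold and appears only once.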
And it’s not just devices. Consumer apps and random links also pose security risks. The average person lets their guard down around links, and will click on numerous unknown links during a browsing session. Even legal applications can carry malware; researchers at McAfee found malware in 144 “Trojanized” apps on Google Play. According to McAfee, these apps “had an average rating of 4.4, and between 4.2 million and 17.4 million users downloaded these apps from Google Play.”
Another issue for businesses is that when individuals across lines of business make independent technology choices, you end up with a fragmented technology landscape across the enterprise. Data is siloed in weird, dark corners where the light of governance doesn’t shine, and in applications that other departments don’t have transparency into. Analytics and reporting may suffer from incomplete or inaccurate data sets.
Data Consistency, Regulation, and Compliance
Companies need consistent data across the enterprise in order to have accurate information in systems such as their ERP, e.g. NetSuite. Having accurate data in the ERP is critical for audits. Additionally, organizations in some sectors may be required to follow specific cybersecurity procedures to be GDPR compliant. Rogue procedures on unmonitored integrations, third-party platforms, or devices could result in missteps and flawed data that incur regulatory consequences. Introducing financial automation can improve data accuracy across the enterprise.
Business Systems Not Equipped To Monitor LOB’s Every Move
Statista reports that in 2019, there were 130.6 million people employed on a full-time basis in the United States. Approximately 55 percent of them are white collar workers, or about 71.83 million. As of October 2018, there were about 2.8 million employees in the information sector, or 3.9% of the white collar workforce. These statistics illustrate that the IT department is a relatively small percentage of total employees. IT professionals are not able to monitor LOB’s every move.
This is also true when it comes to integration and automation, especially with the increased use of SaaS apps across lines of business. If someone wants a specific integration or workflow automation to accelerate or optimize their business process, they may have to precisely delineate their integration or automation requirements in a written memo to IT, and wait for a response. IT may not be able to respond to all these requests as quickly as LOBs want and expect.
However, these individuals are increasingly empowered to go out and do this on their own, or to adapt and modify existing internal systems or automations to suit their immediate needs. Unless these integrations and automations are designed in a centralized platform, it becomes virtually impossible for IT and business systems teams to have visibility into, or to monitor, this rogue IT infrastructure and/or unauthorized software.
This is where leadership and IT should pause before instigating a flat-out draconian crackdown on this type of Shadow IT. In one sense, these moves are an example of employees taking initiative, using problem-solving skills, and trying to improve business processes.
How to Mitigate Shadow IT by Empowering Lines of Business
Ops leaders and app admins have a unique depth of knowledge and insight into the processes that they use each day. This expertise can be an asset when introducing new technology into processes. It’s actually beneficial for them to play a role in designing automations, as long as those automations are designed in a secure and governable way, because they know what they need. So, organizations can benefit from empowering lines of business to work collaboratively with IT using an enterprise automation platform.
An enterprise automation platform makes it possible for lines of business to put together automated workflows, using an easy-to-use interface. IT and Business Systems can log in to the same enterprise automation and integration platform, to be collaboratively involved in the process of creating and maintaining integrations and automations, or to add custom code or data transformations to the automations as necessary. Users can be given specific permissions based on identity.
Shift from hardware password to identity-based access and verification
Companies can improve cybersecurity in the age of consumer devices by shifting from hardware passwords to identity-based access and verification. You can use cloud directory services with enterprise automation to create a system for fine-grained control of user access to different platforms, software, hardware, or even buildings. This process can also be used for secure offboarding.
To learn more about designing user access control automations, check out this free webinar with Greg Keller of JumpCloud and Markus Zirn of Workato.
Workato is an enterprise automation platform that can be used to mitigate shadow IT and scale automation securely across the enterprise. The platform’s collaborative, easy-to-use workspace empowers Ops leaders or app admins to be involved in a secure way with designing, deploying, and maintaining integrations and automations. To learn more, request a demo from our team.