Small Business: 'Shadow IT' poses an internal threat to company data

There’s a threat from within that many companies are in the dark about, and it’s called "shadow IT."

This is generally defined as unauthorized information technology used by employees outside of the knowledge or control of a company’s IT department or provider.

This is more common than you think, with 41% of employees admitting to going behind IT’s back to get professional software and applications, according to a study by Austin-based Snow Software.

It’s important to understand that employees aren’t deliberately going rogue by utilizing their own technologies, but rather they’re “hungry for tools that help them function more effectively and keep pace with the speed of business, and will seek out those solutions on their own if not provided with sufficient internal options,” according to a recent report by Minneapolis-based Entrust Datacard, a provider of identity and secure transaction technology.

With that said, the firm advises companies to educate employees on the dangers of shadow IT -- including vulnerability to ransomware and data leaks --outline how they can onboard their preferred tools without putting the company at risk and be clear about the consequences if protocol is broken.

“The shift of technology ownership out of IT and into business units is just a function of digital transformation,” says Alastair Pooley, chief information officer at Snow Software. “The procurement and ownership of technology assets outside of IT is indeed on the rise.”

The explosion of cloud and as-a-service (remote) technologies has made it easy for employees to buy and use their own applications without the help of IT, according to Snow Software’s research.

Given that, CIOs and IT teams need to focus on how they can add value in this new IT model, says Pooley.

Left unmanaged it can expose a company to risk, but it can also create opportunity provided businesses can find ways to work collaboratively with employees to properly integrate the technology, according to the Entrust Datacard report.

“With the appropriate fundamental information security structure, you can support and manage your shadow IT effectively,” says Anudeep Parhar, CIO at Entrust Datacard.

This can work to your benefit considering 97% of IT professionals agree that employees are more productive when they’re allowed to use their preferred technologies at work, he says, adding that there needs to be a vetting process and relatively easy way for employees to make suggestions.

There should be collaboration between IT and employees on what tools are currently available within the organization and what tools they’re looking to use that could make their jobs easier, says Joe Goldberg, senior cloud program manager at Bohemia-based CCSI, a managed IT and security services provider.

The key is to assume shadow IT is likely to be in use within your own organization, he says.

“We see it in organizations of all sizes,” says Goldberg.

It comes in all different forms from popular cloud-based solutions to an iOS or Google app, says William Collins, president of East Northport-based NST Inc., an IT services company.

The risk lies in whether the app is really a legitimate app versus malicious software or an app intended to collect/track sensitive data, he says.

Sometimes companies don’t recognize the true danger until it’s too late, says Walter Contreras, founder of Motiva, a Westbury-based cybersecurity company.

He’s seen these types of unapproved applications resulting in either ransomware attacks or confidential information being leaked from corporate networks.

That’s why companies need some basic security measures in place managed by their IT department, like mobile device management (MDM) software that helps secure and manage mobile apps and data, including preventing unauthorized apps from being downloaded, says Contreras.

In addition, you could have added layers like security information and event management (SIEM) tools that track all data that comes in and out of a network to identify threats, says Collins.