Sophos News

How much of the IT your workers use is hiding in the shadows?

Organisations can have all the security they want in place – but employees have a knack of circumventing it, sometimes without knowing they’re doing anything wrong. It’s a process called “shadow IT”, in which someone uses their own preferred technology rather than the technology chosen and sanctioned by the IT department.

This is the result of a number of things. The current generation of workers has unprecedented knowledge and resources when it comes to technology, so if your file transfer system feels slow then “I’ll just DropBox this to you when I get home” or “let’s share this through Google Drive” is easy to do.

Nobody is saying there is anything wrong with either of the services named above. The issue is that if your corporate governance says you use your preferred, tested technologies and your colleagues instead do something else entirely, you’re losing control and you can’t be sure they’re not using something insecure.

The issue is explored in a recent blog post by IT Security Guru. It warns of security breaches, unauthorised access and organisations whose employees do what they feel like with technology. It advocates informing employees of their employer’s policies and the consequences of flouting them. Our contacts, however, offered a more nuanced picture of what’s going on.

In the US, Seth Robinson, senior director, technology analysis, CompTIA, says that most businesses are shifting to operational models that at least keep the IT team in the loop, and adds that there can often be autonomy within different parts of the business.

There is certainly a greater degree of independence to be found among business units. In our study, 37% of companies with increased tech budget for business units said that the funds are used to procure technology directly, and 9% said that the funds are used to contract with a third party.

However, these are not the primary activities. Fifty-four percent of such companies say that the budget is used to initiate projects with internal IT. Shifting funds to the lines of business makes them more aware of technology tradeoffs rather than simply handing off requirements.

Meanwhile in the UK, Frank Stajano of the Cambridge Academic Centre of Excellence in Cyber Security Research, suggests there is a managerial issue.

Shadow IT can be a significant problem, insofar as it may cause inefficiencies, inconsistency and non-compliance for the parent organisation, but to me it is a symptom of a more serious problem, namely that the parent organisation’s IT department is imposing top-down policies and infrastructure that get in the way and are not adequately serving the needs of the staff.

My research focuses on making security usable: I have repeatedly witnessed situations where staff undermine the security of the organisation (for example with unencrypted USB sticks, shared passwords or document sharing via gmail or DropBox) because the solutions imposed by the IT department are too cumbersome.

Security measures that are not usable don’t get used: employees will use all their ingenuity to bypass them in order to get their job done. I must admit that, while I do not advocate the practice, I feel some sympathy for them. The poor usability of the officially provided systems is often the actual root of the problem. It would be fruitless to attempt to ban shadow IT without addressing this underlying cause.

This chimes with a report from the Economist a few years ago, which referred not to “shadow IT” but to technological “autonomy”. This sounds positive rather than damaging. Robinson adds that a lot of companies Stateside are acknowledging this and are in effect bringing the shadowy stuff in-house and authorising it.

Rarely is the IT team left in the dark [about what the staff are using]. As with the decision process, these activities often involve the IT team. In 60% of cases, the IT team gives approval; in 24% of cases, the IT team is consulted, and in 10%, they are at least informed of the decision.

Robinson concludes that “shadow IT has matured into a more systematic framework that lets the business self-service technology needs in a safe sandbox”. That is certainly an improvement on unregulated “shadow IT”.