Making shadow IT work for businesses and employees


The use of corporate and non-corporate web services is now a certainty in workplaces of any size, scope, and sector. Different cloud services provide different benefits to different departments, and new social media, file-sharing, and SaaS tools have given co-workers an increasingly convenient way to collaborate. Research suggests that this occurs in up to 89% of large corporations and 92% of SMEs.

Of course, the shift to remote working has compounded the growing acceptance of these practices, and this is beginning to cement them as the new norm. The switch to home offices left many employees short-handed with their IT, and non-corporate tech and web services became much-needed solutions. This also blurred the line between corporate and personal, with employees increasingly using corporate tech for personal matters - like playing games, streaming films, or even watching porn.

About the author

Alexander Moiseev is Chief Business Officer at Kaspersky

Data security: what are the critical concerns with shadow IT?

Authorized corporate services for communication, collaboration, file storage and sharing are supposed to be properly configured by company IT teams and to have the required level of access control, data protection, and incident management. This means a business has a good level of transparency and can ensure that nobody outside the company can access the corporate space and its content (at least not without advanced malicious tools).

When it comes to non-corporate services such as messengers, file sharing, email, or a CRM, it is unclear whether the data that employees share through them is safe. Open questions include whether workers use strong passwords, how they access the service and from which devices, and who manages access when people leave the company.

It is only human for an employee to forget to set a password or to limit the circle of viewers and editors for a shared document. Alternatively, applications themselves can be exposed to malicious actions. Fraudsters can abuse or even take over users’ accounts through phishing or social engineering, as in 2019 when malicious actors abused the popular file-sharing platform WeTransfer. They sent malicious files through WeTransfer which, when downloaded, redirected victims to a fake Microsoft Office 365 login page that captured login details if a victim entered them into the form.

When shadow IT remains unavoidable, businesses should look to manage it

Given the level of risk involved, one approach may be to attempt to curtail shadow IT completely and block access to all non-corporate services. This, however, is not always a realistic (or popular) solution for every company – especially under current circumstances. Shadow IT can often provide unique and flexible solutions for businesses, so banning it outright can be counterproductive.

For example, a few years ago a VP paid for a CRM out of her own pocket, bypassing the authorized system suggested by her IT team. When the company became aware of this, she faced disciplinary action, even though, thanks to this CRM, she had increased the company's revenue by $1m per month.

First and foremost, staff awareness about secure use of digital services – everything from corporate email to dedicated engineering software or even WhatsApp – is key to improving cybersecurity within the company. If there is a corporate policy that does not allow employees to share business documents through unauthorized applications, they should know about it. When managing any tools, employees should be aware of basic things – such as access and password management. They should also learn basic security rules, like not opening attachments or clicking on links in emails from unknown senders, not downloading software from unofficial sources, and always checking the URL of web pages that ask for login details.

When speaking about cybersecurity it’s better to use the right tone of voice: not punish but educate, remind, test and remind again. Explain to your staff why it is so important and how it supports the business and their peace of mind. The team may continue using these services for work, but it is crucial that they follow the rules and do not violate the data protection policy.

On the other hand, it is also crucial to achieve visibility over shadow IT, and businesses should actively look for safe paths to integration. There already exist dedicated tools that allow teams to manage access to public clouds. These tools can show which services are used most, highlight which services have the potential for data transfer or storage, and determine how risky this may be. They can work either as a standalone solution or integrated with an endpoint security solution. For example, with the help of cloud discovery, we found that YouTube is the application employees access most on corporate devices. YouTube does not provide options for file sharing or any business data processing, so the risk is minimal.
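As an added illustration of the cloud-discovery approach described above (example code written for this page, not Kaspersky's product or the article's own), the script below aggregates constructed proxy log lines against a hypothetical service catalogue and rates each service the way the text suggests: by how much it is used and by whether it can carry business data off the corporate estate.

```python
# Added example: a minimal cloud-discovery pass over constructed web-proxy log
# lines, counting which SaaS domains corporate devices reach and rating each
# service by data-transfer capability and sanction status. All data is illustrative.
from collections import Counter
from urllib.parse import urlsplit

# Hypothetical service catalogue: domain -> (service, can move data?, sanctioned?)
CATALOGUE = {
    "www.youtube.com": ("YouTube", False, False),
    "wetransfer.com": ("WeTransfer", True, False),
    "drive.google.com": ("Google Drive", True, True),
    "web.whatsapp.com": ("WhatsApp", True, False),
}

# Constructed proxy lines: "<timestamp> <user> <method> <url> <bytes_out>"
SAMPLE_LOG = """\
2021-03-01T09:00:01Z alice GET https://www.youtube.com/watch?v=abc 512
2021-03-01T09:02:10Z bob GET https://www.youtube.com/watch?v=def 420
2021-03-01T09:05:44Z carol POST https://wetransfer.com/api/v4/transfers 7340032
2021-03-01T09:07:03Z alice GET https://www.youtube.com/feed 300
2021-03-01T09:10:19Z dave POST https://drive.google.com/upload 2097152
2021-03-01T09:12:50Z bob POST https://web.whatsapp.com/send 65536
2021-03-01T09:15:00Z erin GET https://intranet.example.internal/home 128
"""

def discover(log_text):
    """Return {service: {"hits", "bytes_out", "risk"}} for catalogued domains."""
    hits, bytes_out = Counter(), Counter()
    for line in log_text.splitlines():
        _ts, _user, _method, url, size = line.split()
        host = urlsplit(url).hostname
        if host in CATALOGUE:          # unknown hosts (intranet etc.) are skipped
            name = CATALOGUE[host][0]
            hits[name] += 1
            bytes_out[name] += int(size)
    report = {}
    for name, moves_data, sanctioned in CATALOGUE.values():
        if hits[name] == 0:
            continue
        # A service that cannot hold business data is minimal risk however
        # popular it is; an unsanctioned upload channel with real volume is high.
        if not moves_data:
            risk = "minimal"
        elif sanctioned:
            risk = "low"
        else:
            risk = "high" if bytes_out[name] >= 1_000_000 else "medium"
        report[name] = {"hits": hits[name], "bytes_out": bytes_out[name], "risk": risk}
    return report
```

Run against the constructed log, the most-visited service (YouTube) is rated minimal while the unsanctioned WeTransfer upload is the entry that actually needs an integration decision.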

As with all other aspects of workplace collaboration, success often relies on clear processes and a transparent company culture. The story above about a ‘shadow’ CRM could happen anywhere. In many cases, IT teams may not be open to considering incoming requests. While this is often the result of a lack of time and resources, it can equally reflect a company culture that is not open to change. Robust practices need to be in place that help employees reach support teams. Even if a helpdesk cannot provide what is required, employees should still get proper guidance on potential solutions.

The reason shadow IT is becoming more prevalent is that the ‘path of least resistance’ is part of our DNA. It’s human nature to look for the easiest and most convenient way to do something, including our work. As such, businesses not only need to find ways of managing shadow IT and educating their employees about it, they also need to better understand how and why employees are relying on it. In this sense, the approach to shadow IT should be the same as for all other workplace collaboration issues: one based on positive communication and trust.