In every company, IT plays an important role. Administration and security are mostly the responsibility of the in-house department, in which specialists look after set-up, installation and maintenance of equipment and ensure infrastructure security. In general – at least in theory – all IT components, both hardware, as well as any implemented software, should be known to the company and be under the control of the IT department. If this is not the case, this is called Shadow IT.
What is Shadow IT?
Shadow IT describes all IT systems, which are not part of an in-house IT department, but exist in parallel as secondary systems within the organisation. For all practical purposes, this mainly means that the in-house IT department was not informed about the use of these devices or programmes.
Examples are printers or photocopiers, which were bought separately, or employees‘ smart phones or tablets, which were connected to the enterprise network without knowledge of the IT department. The risks can become especially high, if third party software is installed and gains unsecured access to company data.
The Invisible Risk: Cloud-Services
The following example demonstrates an often occurring scenario: An employee, who installs a free cloud service from the internet and then makes use of it, invites other colleagues to install the tool in order to benefit from its advantages. A chain reaction is triggered. Most of the free and mainly consumer-oriented services have only limited suitability for professional use. Often, they lack professional management, important security features and conformity with regulations. The general business terms and conditions of these services are not read attentively – or not at all – prior to installation. Therefore, it is also uncertain which data protection and user guidelines apply. Additionally, many untrustworthy cloud services mirror stored data in geographically dispersed data centres. Unauthorised installation can also make it significantly easier for malware to access company computers.
Reasons for the Use of Shadow IT
The problem with Shadow IT can be traced back to a lack of communication between departments or Shadow IT results from insufficient support and regulation by the IT department. Complex processes, long waiting times or requests being ignored can lead departments to become active themselves and purchase devices and software without the knowledge and agreement of administrators and technical staff.
Can Shadow IT be avoided?
The best way to avoid conventional Shadow IT is a close cooperation between the IT department and all other staff and departments within the organisation. The IT department has to realise the requirements of staff and also train them with regard to threats and risks.
The biggest disadvantage is that Shadow IT escapes the IT department’s control to some extent or even completely. Whether third party software or hardware – the IT department should retain the right to identify and, if necessary, reject it. Therefore, integration of hardware into the enterprise network or software installation on work devices should only be possible with a special predefined key from the IT department.
If employees depend on a cloud service, it is imperative to clear this with the management of the company’s IT department. IT specialists can then make a decision on which cloud solutions available in the market place meet the requirements of the user and of the IT security. In this context, the definition of guidelines and instructions is essential in order to clearly explain to staff, how to use the service and which security measures have to be followed. Cloud services, such as those available from oneclick, offer the company numerous usability advantages, in addition to the required security of company data. Here the company’s requirements can be transferred directly to the IT and security specialists.
Conclusion and Summary
IT is and will remain an important component within every organisation. An enormous security risk is the so-called Shadow IT. Despite the use of secondary systems, the company‘s own IT has to remain secure and protected from external attacks. This is achieved in particular by the introduction of strict guidelines and processes as well as staff training and development. It is the responsibility of the IT department to stem the threat of cyber attacks through robust procedures as well as process flows.
Image sources:
- Image 1: © CC0-License | pexels.com
- Image 2: © JuralMin | pixabay.com
- Image 3: © fancycrave1| pixabay.com
