5 steps for managing Shadow IT as a CIO

Shadow IT is information technology systems and solutions used within an organisation without the IT department’s approval, many of which do not comply with the organisation’s rules for security and documentation. With the increase in BYOD (bring your own device), cloud computing, and the ease of downloading and running new applications, it is becoming increasingly hard for IT departments to keep track of software and hardware. Here are five steps for CIOs to identify and deal with shadow IT and diminish its risks:

Identifying Shadow IT
In order to identify shadow IT, the network must be constantly monitored for unknown devices, which can be done automatically. Analysing the log data from proxies, firewalls, SIEMs, and other devices can also tell you which unapproved devices are connecting to the network and how much information they are downloading and uploading.

Risk ranking

Once you’ve found the unauthorised software or hardware being used in your company, determine which ones are particularly dangerous and block them, or simply ask the responsible persons to stop using them. Not all shadow IT is bad, as some of it is simply a way users have found to increase their productivity. Once you identify these productivity holes, consider providing better alternatives to fill them.
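As an added example (not code from the original article), the following Python script shows the log-analysis step from "Identifying Shadow IT" and the prioritisation step from "Risk ranking" in one pass: it parses constructed proxy log lines in an assumed format, compares each client against an assumed approved-device inventory, totals upload and download volume for every unknown device, and ranks those devices by bytes uploaded so the ones most worth a human look come first. The log format, the inventory and the upload threshold are all assumptions; real proxy and firewall logs differ, so only `parse_line()` should need adapting.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (assumed format: timestamp, client IP, host, bytes up, bytes down).
# Real proxy/firewall log formats differ; adapt parse_line() to your own.
SAMPLE_LOGS = """\
2024-01-15T09:01:12Z 10.0.1.25 drive.example.com up=5120 down=204800
2024-01-15T09:02:44Z 10.0.1.77 filesharing-app.example.net up=52428800 down=1024
2024-01-15T09:03:01Z 10.0.1.25 mail.example.com up=2048 down=40960
2024-01-15T09:05:37Z 10.0.1.77 filesharing-app.example.net up=31457280 down=2048
2024-01-15T09:07:10Z 10.0.1.90 cdn.example.org up=512 down=819200
"""

# Asset inventory of IT-approved devices (constructed); anything else is a shadow IT candidate.
APPROVED_DEVICES = {"10.0.1.25": "laptop-finance-01"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\d+\.\d+\.\d+\.\d+) (?P<host>\S+) up=(?P<up>\d+) down=(?P<down>\d+)$"
)

def parse_line(line):
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def find_unknown_devices(log_text, approved):
    """Aggregate per-client traffic for clients that are not in the approved inventory."""
    totals = defaultdict(lambda: {"up": 0, "down": 0, "hosts": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["client"] in approved:
            continue
        t = totals[rec["client"]]
        t["up"] += int(rec["up"])
        t["down"] += int(rec["down"])
        t["hosts"].add(rec["host"])
    return dict(totals)

def rank_by_risk(unknown, upload_threshold=10 * 1024 * 1024):
    """Order unknown devices by bytes uploaded; large outbound volume from an unapproved device
    is the case most worth reviewing first (assumed 10 MiB threshold, tune to your environment)."""
    ranked = sorted(unknown.items(), key=lambda kv: kv[1]["up"], reverse=True)
    return [(ip, t["up"], t["down"], t["up"] >= upload_threshold) for ip, t in ranked]

if __name__ == "__main__":
    unknown = find_unknown_devices(SAMPLE_LOGS, APPROVED_DEVICES)
    for ip, up, down, flagged in rank_by_risk(unknown):
        print(f"{ip}: up={up} down={down} hosts={sorted(unknown[ip]['hosts'])} review={'YES' if flagged else 'no'}")
```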

Providing safer alternatives
In order to prevent their users from using third-party applications that can put corporate data at risk, companies should provide them with safe ways to access this data remotely. Alternatively, an effective approach is to simply ban the use of personal devices and to provide the employees with company-owned smartphones and tablets. This permits the company to do a remote wipe if the device is lost or stolen. Another option is to permit access to the network only to mobile devices that are equipped with mobile device management (MDM) software that controls and protects corporate data.

Providing clear guidelines
Creating a list of approved software beyond the standard one is a good strategy that any IT department can use to prevent shadow IT. Controlling which software or applications employees can install can prevent security and compatibility issues. Furthermore, the users should be told why some applications are permitted and others are not, and why shadow IT can be harmful to the company.

Maintaining good communication
Be sure that the users are updated about the security risks regarding shadow IT. If users employ third-party applications, try to find out why they needed them and which safer options you can provide. In the long term, open communication between the IT department and users, and a no-consequence approach in which the users feel safe to admit using third-party applications, is the best option for managing shadow IT.

Although there are often compelling reasons for employees to bring shadow IT into a company, there are significant risks associated with it, such as threats to regulatory compliance, security, and data privacy. Identifying shadow IT, prioritising risk, restricting access to third-party applications, and establishing guidelines for BYOD are all important steps that any IT department should take in maintaining a safe work environment.

For advice on managing shadow IT or to have your system checked over and confirmed that it has sufficient measures in place you can contact us and we would be happy to advise you.
