Shadow IT is probably affecting your business right now. Do you need to do anything about it?
Shadow IT, the appearance of unapproved, undocumented, unsanctioned, and unvetted technology without your IT department’s oversight, occurs in almost every organization. Years ago, shadow IT meant dealing with the complex problems created by unknown hardware and software resources being added to the environment. But now, in a world where adding unapproved technologies can be as simple as clicking on a website link to add a cloud service, dealing with shadow IT can be an everyday issue — and a major one, at that.

Why would an employee decide to download such technologies? And, if such downloads are an inevitable part of today’s changing business world, what are the most effective ways to protect your business from potential harm?

The roots of shadow IT

When you talk to users about why they’re implementing their own IT technologies and bypassing the approval process, their answers almost always boil down to one of two issues: they needed something that IT could not or would not provide, or they felt that waiting for IT to provide a solution would create an unacceptable delay in their process. On the macro level, this simply highlights the need for IT and business units to make sure that they’re on the same page. Unilateral directives — from either side — simply lead to problems as both groups end up feeling poorly served and unable to get their work done.
An IT group needs to be accessible to business units so there’s a free exchange of information. Business units that have specific needs that veer from the current IT plan need to be able to express these needs to an IT group. Furthermore, IT professionals need to be prepared to receive such requests, and be able to craft a measured, thoughtful response — not simply adhere to existing guidelines that might not cover the exact situation. A “one-size-fits-all” approach can greatly simplify the IT workload, but it may not allow business units to operate in the most efficient and cost-effective manner.

Preventing shadow IT

At the individual or group level, providing proper education in IT and network resources can help curb shadow IT and spare your IT department from having to lock down the computing environment and throttle productivity. Educating users on the potential consequences of their shadow IT actions may stop them before they attempt to circumvent standing policies — while also promoting a sense of shared ownership of the network.
For example, one of the most common shadow actions is users taking advantage of simple web-based storage to store files that they want to be able to access from multiple locations — a core tenet of information mobility. Dropbox, OneDrive, Box and many others offer simple interfaces for most platforms, desktop and mobile, and allow any user with an Internet connection to access the files. However, the problems this can create are limitless.
While these cloud storage services do make the files available to users wherever they like, they also have the potential to expose what may be proprietary business information to unauthorized users. Since each copy of the data only has the security settings the individual user has chosen to apply, there is no way to know exactly who has access to the data and who might have made it (often unintentionally) publicly available.
A proactive IT department could avoid this issue completely by creating a business account on one of the cloud storage services. With an enterprise account, users have access to additional security and management functionality that many of these storage vendors don’t offer to their basic users. Thus, the service is available to users who need it, but account access and control are back in the hands of IT and not the individual users.

A measured response

To limit the impact of shadow IT, IT departments need to think outside the box. Today’s employees — whether with their mobile devices on existing networks, the addition of their own wireless access points with limited or no security, or the use of web services to store and manipulate business data — can easily adopt shadow IT that doesn’t require the approval or support of your IT department.
To combat this, the knee-jerk IT reaction is usually to just lock everything down. By tightly controlling access to the network layer, it is possible to prevent the use of public web services, additional networking hardware and most unofficial sources of services and applications. However, that adds a lot of extra tasks to the IT workload, both in dealing with the lockdown and the end-user complaints. For businesses with limited resources, this can create significant issues in terms of maintaining a strong data security posture.
A more effective way to deal with shadow IT would be to keep the internal IT department ahead of the curve. To provide sufficient services and adequate response times to meet end user needs, IT professionals need to adapt and become responsive to employees who would otherwise be driven to develop their own, unapproved technology solutions. This is where Ricoh’s IT Health Check Program can step in! It’s designed to review your technological environment and existing technology uses to identify potential vulnerabilities that could leave your organization at risk of interruption. It also recommends ways to become more mobile and get more out of your existing technology infrastructure.
Read more about our IT Health Check Program now!