By Dan Smale, below, Senior Service Owner, Fasthosts ProActive
When it comes to protecting your business and employees, you need stringent IT policies. Providing clear information to everyone in your company about your hardware, software and general IT practices is vital, especially when businesses are relying more and more on technology. A strong policy will help to counter threats and bring awareness of any potential security risks, while ensuring that business processes remain efficient and consistent.
Of course, there’s always room for human error – something that we can’t always prevent. But, in such situations, staying aware and making time for regular audits can help you to keep on top of what employees know, and what policies they may not be following.
This is especially important when it comes to monitoring the software employees are using. For example, your employees could be using non-approved software to work more collaboratively, which could bring about privacy or data security concerns. Policies should also cover the use of removable media for the storage and transfer of information, and they should highlight that it’s not appropriate to use personal devices to access, store or transfer network information, as his could leave your company more vulnerable to data loss or breaches. Even employees using their own preferred keyboards, mice and headsets can be a problem.
This is known as ‘shadow IT’ – where people within your business download or use IT-related hardware or software that your company hasn’t approved. The term ‘shadow’ is a pretty accurate description – it highlights that these IT activities are operating outside of what’s allowed and is difficult to monitor and manage.
The risks of shadow IT
As mentioned, shadow IT has the potential to introduce vulnerabilities and risks. Your business will be more susceptible to data or security breaches if employees are using software that hasn’t been sanctioned or gone through the appropriate security, legal and technical reviews. If you don’t know the applications or devices employees are using, you’re also left in the dark and won’t be able to fully prepare for all potential security risks.
Your employees may also not understand the importance of updates, patching, permissions and other regulatory controls that can mitigate risk. If your business also handles sensitive client data, there’s a chance that employees using shadow IT could be breaking compliance regulations, including data protection laws. This can expose your company to potential legal liabilities and financial losses.
But security risks aren’t the only concern here. While some support shadow IT activity due to it enabling teams to be more agile when reacting to changes in the business landscape, there’s also the chance it could create inconsistencies within your business. For example, if different departments are using different software for the same processes, teams are likely to be wasting time trying to sync things together, which can also create unnecessary confusion.
Shadow IT applications may not integrate seamlessly with your business’ IT infrastructure, causing bottlenecks in the system and workflows that rely on shared information. It can also mean more time and effort is spent troubleshooting issues on applications which don’t work within the infrastructure.
Why sanctioning employees breaking IT rules is not the solution
To prevent shadow IT, businesses should be thinking about creating robust policies for overseeing and monitoring IT use to keep on top of processes. But when shadow IT occurs, it often points to miscommunication between your IT software and employee needs.
Ideally, you need open communication with your employees to ensure there’s understanding on both ends. This will help to determine why employees are using shadow IT resources, and what changes you can implement to make things easier for them.
A good way to do this is by imposing a temporary shadow IT amnesty. A shadow IT amnesty gives employees the opportunity to communicate why they feel the need to use shadow IT resources, without worrying about the consequences of coming forward. It essentially opens up conversations about why such software is being used.
This will allow you to learn the different software employees need to get their job done and figure out what changes you can make to fit their preferences into your business needs. When you remove the fear factor, your employees will be more open about the software they’re using, giving you the opportunity to operate more efficiently.
As well as this, you can use this to educate employees about the potential security risks and resource wastage of shadow IT. Keeping them in the loop and letting them know the risks will leave employees less likely to reuse such software without approval.
The role an MSP plays with shadow IT risks
Another way to keep on top of shadow IT is by using a Managed Service Provider (MSP), which can significantly reduce risks by providing infrastructure management, support and security solutions. This allows your business to find and address any unauthorised IT activities quickly, and with better visibility, identify unauthorised usage and take appropriate actions to bring it back under control.
MSPs can also implement standardised solutions that follow IT security and compliance, which will result in employees being less likely to seek unauthorised alternatives and reduce the chances of any data breaches or compliance violations.
Finally, the support MSPs provide can not only keep on top of maintenance when it comes to IT infrastructure, but it will also ensure that when your organisation grows, your IT infrastructure keeps pace to ensure processes continue to run smoothly.
