Imagine needing to share a large PDF non-confidential document with a customer. It is too large to send via email, and recently you started using a cloud file sharing service to store files and make them accessible on your smartphone, tablet or other computers. You upload the file to the filesharing service and then share the link with the customer to make things easier. After a few clicks, a link is sent to the customer and they download the PDF document. The next day, you get a phone call from one of the information security officers from the organization asking about a file they noticed you transferred out of the company to the filesharing service.
As expected, they told you that you should not have done that, as it is against corporate policies. You ask if there is anything similar to use on behalf of the company. At that time, there was not, but within a couple of months after that phone call, you are informed via company communications that a new filesharing service is now available to use to send large files to customers, and it was going to allow for encryption and other access controls to protect the data. Of course, you now realize that the actions taken were in line with the definition of shadow IT.
Security vs Convenience
According to Gartner, "Shadow IT" is defined as the concept of IT devices, software and services outside the ownership or control of IT departments.
Whether they want to share a file or use a collaboration tool to better their productivity, users find it easier to circumnavigate the IT department because it takes too long to fulfill a request. Need a new server setup in the data center? That will take seven weeks. Need a virtual server? That will take three weeks. How hard is it to install a new server and add the operating system and the software needed when one creates an account with a cloud provider, provides a credit card and has a server up and running in less than 30 minutes?
Users end up bypassing IT because of budget, schedule or the desire to not want to work with a department that takes too long or says no to every request. Like water, in human nature, we find a way to get something done.
Shadow IT Impacts Organizational Security Culture
In KnowBe4 Research's Quarterly report, we find that about 1 in 5 end users utilize a cloud service or file sharing service to assist with their job. While it helps their productivity, going outside of an organization's IT department to download software, add additional hardware or use a cloud provider is a true definition of "Shadow IT."
Organizations with low use of shadow IT have a strong security awareness training program, where security is top of mind for most of their end users. Unfortunately, organizations with high use of shadow IT are often the result of organizations that do not utilize security training effectively and lack a strong security culture.
The IT or information security departments must communicate and work with the business to explain the "why" behind the established policies and collaborate to determine a solution. Rather than be the "Department of No," consider being the "Department of How About This?" Additionally, they want to drive a more robust security culture and make certain users understand the importance of why the organization needs to use its servers versus users buying them from the electronics store.
While we all want to be productive with our responsibilities, it is important to remember that information security policies are implemented to protect an organization from data breaches, data leaks and potential reputation damage. End users should always check with their IT department to determine any possibilities and work with them to reach a solution. While it might take a little longer the first time, the solution provided by IT could help reduce that time frame many times over and, more importantly, keep the organization secure with new-school security awareness training.