Tackling the Security Risk Posed by ‘Shadow IT’
Shadow IT: Questionable practice in a business context
The vast majority of computer users routinely use cloud services of some description. Whether it’s a Gmail account or a file transfer service, almost all of us use free cloud-based tools. This might be OK for personal use; in a business context, however, such an approach is highly questionable. Why?
It’s because such practice leads to business data leaking into the cloud in an uncontrolled way, creating unacceptable risks for firms. Client data in a spreadsheet file may contain anything from PII (Personally Identifiable Information) to bank account and credit card data. But what about files containing IP (intellectual property), which may represent a unique and significant competitive advantage? Or consider a customer database file, which may have been nurtured and developed over many years?
Take the example of Dropbox. It has been hacked in the past; however, it is still a widely used online file sharing service. Whether employees are working across their multiple BYOD devices, such as smartphones and tablets, or collaboratively with delivery partners or clients, whenever the need to get something done quickly arises, it seems few stop to think about data security.
Although shadow IT often conflicts with security best practice in company policy, once established, the practice persists, and the firm has no way of knowing what data is where and who has access to it.
Tackling the challenges of shadow IT
The intelligence-led approach
One way of tackling the challenges of shadow IT is to use an intelligence-led approach. IT managers and support teams should work with employees to identify where shadow IT is in use and understand why employees resort to the cloud services in question. Frequently, the use of shadow IT may result from an employee simply not knowing how to achieve a specific objective through a legitimate resource or method, something that can be easily rectified with training.
That said, there will be cases where the company’s technology resources simply cannot provide the required service. And sometimes, in-house IT staff may be perceived as part of the problem and users may not co-operate. In this case, external service providers may be of some use in helping to identify shadow IT practice. Firms which elect to outsource IT support may well have some success by working with their specialist Managed Service Provider (MSP).
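One way to support the identification step described above, as an added example that is not from the original article: a Python script that totals the bytes each user sends to watched cloud services, based on web proxy logs. The log format, the user names and the `filetransfer.example` domain are constructed assumptions; Dropbox and Gmail are the services the article names.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed watchlist: Dropbox and Gmail are named in the article; the third
# entry is a hypothetical placeholder for "a file transfer service".
WATCHLIST = {
    "dropbox.com": "Dropbox",
    "mail.google.com": "Gmail",
    "filetransfer.example": "File transfer (placeholder)",
}

# Constructed sample lines in an assumed format:
# timestamp user method url bytes_sent
SAMPLE_LOG = """\
2024-05-01T09:12:03Z alice POST https://www.dropbox.com/upload 5242880
2024-05-01T09:15:40Z bob GET https://intranet.corp.example/wiki 0
2024-05-01T10:02:11Z alice PUT https://content.dropbox.com/files 1048576
2024-05-01T10:30:00Z carol POST https://mail.google.com/mail/u/0 204800
2024-05-01T11:00:00Z dave GET https://notdropbox.com/ 0
malformed line
2024-05-01T11:45:00Z bob POST https://filetransfer.example/send 73400320
"""

def match_service(host):
    """Return the service name if host is a watchlisted domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    for domain, name in WATCHLIST.items():
        # Require an exact match or a dot boundary so lookalikes are not counted.
        if host == domain or host.endswith("." + domain):
            return name
    return None

def summarise(log_text):
    """Total bytes sent per (user, service); skips lines that do not parse."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue
        _, user, _, url, sent = parts
        service = match_service(urlsplit(url).hostname or "")
        if service:
            totals[(user, service)] += int(sent)
    return dict(totals)

if __name__ == "__main__":
    for (user, service), sent in sorted(summarise(SAMPLE_LOG).items(), key=lambda kv: -kv[1]):
        print(f"{user:<8}{service:<30}{sent / 1_048_576:8.1f} MiB sent")
```

Such a summary only covers traffic that passes through the company proxy, so it is a starting point for conversations with the users concerned, not a full inventory.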
Hosted desktop and private cloud solutions
Another approach is to control network access to websites offering services which may be classed as shadow IT. The business network firewall provides the capability to block specified websites. However, this cannot prevent data being copied onto phones, tablets, pen drives, etc. and uploaded to cloud services over 3G/4G or from network connections in other locations.
What is required is a completely secure network that is able to prevent data from leaking out through insider activity. Conventional, on-premise IT systems are difficult to completely secure. It may seem somewhat counter-intuitive, but the best way to defeat the security threat posed by online shadow IT is to look to the cloud!
Hosted Desktop and private cloud solutions provide the centralised control and monitoring to secure the business network and prevent the uncontrolled transfer of business data into the cloud. Network activity, internet access, file transfer, file access and copying can all be controlled, giving the firm certainty about what data is where and who has access to it.
Tackle shadow IT with HTL Support Managed Services
HTL Support Managed Services include IT support, Hosted Desktop and private cloud solutions which enable the problem of shadow IT to be tackled. For many businesses, the benefits of our solutions extend far beyond preventing the uncontrolled leakage of business data onto the Internet.