Did you know your company has tech your IT team doesn’t know about? Gartner reports 41% of your employees use or create technology outside of IT purview, and that’s expected to increase to 75% by 2027.
Cybersecurity experts call this shadow IT, or technology your employees use without security supervision. But what does it look like, and why would employees use unmanaged technology?
Shadow IT is often an easier substitute for the outdated or clunky technology the company officially uses. Dropbox and Google Drive are both open source, free methods for document transfer. It’s easier to send someone a Google Docs link rather than configuring permissions for an outdated data storage system, but it’s also an easier system to breach.
To update or to not update?
Often, the choice between open source and out-of-date corporate tech is a bigger problem for customers with two tiers of Software-as-a-Service (SaaS) on their networks. The first tier is likely on-premises equipment that cannot be updated without revenue bleed and potential data loss. The second tier is equipment (think a server, desktop, firewall or antivirus) that interfaces with an operational technology (OT) device and cannot be updated because the OT device wouldn’t recognize the update.
Provisioning devices and software solutions (part of an endpoint management strategy) secures data entering and leaving your network. Imagine each company device has its own “I <3 New Jersey” decal next to the mousepad, so you would immediately know if someone brought in their personal laptop. That’s a simplified version of what endpoint management provides a business: the knowledge of when and where your data is stored.
All that is gold does not glitter
We work with many manufacturing clients who hold the market share for proprietary technologies. That intellectual property is exceptionally valuable. Without data loss prevention controls in place, insider threats using shadow IT could sidestep clunky equipment for a zip drive or an email outside the organization to an unauthorized third party.
Take New Jersey’s glitter factories, for example. In 2018, the New York Times reported a 10-pound bag of glitter priced at $1,000 USD. New Jersey exports tons (the noun, not the adjective) of glitter per year. Glitter is produced from a proprietary formula and process. It’s a type of metalized plastic layered and sliced according to the light wave width expressing each color.
Any insight into the complicated glitter production process is intensely valuable: the method for metalizing the plastic, the shape, size, and cut for each glitter variety, the customer list, and more. If a glitter manufacturer were to hire Ascent as its cybersecurity partner, minimizing shadow IT would be a crucial first step to securing the company.
4 steps to tackle shadow IT
At this point, you might be asking one of several questions:
- I don’t think we have shadow IT, but how do I tell corporate from rogue devices on my network?
- I just took this job. Where are all my devices? What are they connected to?
- My company operates by proprietary data/technology/designs. Are we securing it from shadow IT access?
Here’s where Ascent recommends you start:
1: Map your environment and the devices needed to operate it.
Depending on your business goals, this might be as easy as asking your system administrator for an audit list of all active devices connected to your network. Or it might be as complicated as tracking manufacturing equipment, employee personal devices, and executive laptops across continents. Either way, we recommend a single platform such as Microsoft’s Intune and Autopilot to simplify the security process.
2: Configure identity and access requirements.
As the IT arm of your employer, you decide who gets to access what. Implementing permission controls, denying certain data-hungry apps or websites from devices on the network, and sensitivity labeling could all reduce shadow IT use. Microsoft’s identity security tools allow for written and engineered compliance requirements. You get to decide if documents containing confidential information can be sent to an external email address from an employee inbox.
3: Make compliance the easy choice.
When push comes to shove, most of your employees aren’t out to steal your company’s information. They’d just like to finish their work without annoying technological interruptions. Good security is simple, both for your IT team and for your employees. Using a single, secure platform like Microsoft for day-to-day tasks nearly eliminates the need for shadow IT. After all, if it’s easier to use the tech your coworkers are also using, why would you turn to another option?
4: Educate your teams.
The more your employees know about why change is happening, the more likely they are to support it. Communicate why and how to eliminate shadow IT. Shifts from old to new technology aren’t easy, but it’s well worth the effort.
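For step 1, and the question of telling corporate from rogue devices, here is an added example (not Ascent's or Microsoft's code) that reconciles a managed-device inventory against addresses seen on the network. The CSV columns, lease line format, device names and addresses are all constructed assumptions; real exports will differ.

```python
import csv
import io
import re

# Constructed sample: managed-device inventory export (column names are hypothetical).
MANAGED_CSV = """\
device_name,mac,owner
NJ-LT-001,00-1A-2B-3C-4D-5E,alice
NJ-LT-002,00:1a:2b:3c:4d:5f,bob
NJ-PLC-GW,001A.2B3C.4D60,ot-team
"""

# Constructed sample: DHCP leases as "ip mac hostname" (format is hypothetical).
LEASES = """\
10.0.0.11 00:1a:2b:3c:4d:5e NJ-LT-001
10.0.0.12 00:1A:2B:3C:4D:5F NJ-LT-002
10.0.0.40 a6:11:22:33:44:55 iPhone
10.0.0.41 3c:22:fb:aa:bb:cc personal-macbook
"""

def norm_mac(raw):
    """Normalize dash, colon or dotted MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    return digits if len(digits) == 12 else None

def is_randomized(mac):
    """Locally administered bit set: usually OS MAC randomization, so the
    address cannot be matched to an inventory record by MAC alone."""
    return bool(int(mac[:2], 16) & 0x02)

def reconcile(managed_csv, leases):
    """Return (unmanaged devices on the network, managed devices never seen)."""
    rows = csv.DictReader(io.StringIO(managed_csv))
    managed = {norm_mac(r["mac"]): r["device_name"] for r in rows}
    seen, unmanaged = set(), []
    for line in leases.splitlines():
        parts = line.split()
        mac = norm_mac(parts[1]) if len(parts) >= 2 else None
        if mac is None:
            continue  # skip blank or malformed lease lines
        seen.add(mac)
        if mac not in managed:
            unmanaged.append({"ip": parts[0], "mac": mac,
                              "hostname": parts[2] if len(parts) > 2 else "",
                              "randomized": is_randomized(mac)})
    silent = sorted(n for m, n in managed.items() if m and m not in seen)
    return unmanaged, silent

if __name__ == "__main__":
    print(reconcile(MANAGED_CSV, LEASES))
```

The second list matters as much as the first: a managed device that never appears in the lease data (here the OT gateway) may use a static address or sit on a segment the data source does not cover.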
We’re passionate about each step it takes to secure your organization, from change management to cyber threat intelligence. Microsoft agrees with us: Ascent received Microsoft’s Endpoint Management Partner of the Year award for 2023. If you’re interested in partnering with our experts, please reach out to firstname.lastname@example.org.