As the internet has grown, so has the number of incredibly useful services. Some of these services provide functionality that internal IT departments don’t yet offer, and many employees are setting up accounts with online document sharing sites, CRM systems, and online survey sites. None of it is under the control of the business. Welcome to the world of “Shadow I.T.”
Shadow I.T. has become an issue for many businesses in the last few years, and it’s a problem that needs to be acknowledged by IT departments and planned for accordingly. The problem emerges when staff find online services which allow them to perform their roles more effectively than company-provided IT systems allow.
The first step in dealing with the rise of Shadow I.T. is to understand how big the problem is. Talking to members of staff will give some indication of where this might be occurring, but not everyone will want to admit they’re using such services for fear of breaching company policy – if there is one in place. So how can you establish which online services are now holding your business data? There’s no easy answer, except for a manual trawl through the logs of which services are being visited. It’s a time-consuming process, and will require research into what various domains actually do if their names are unfamiliar or not descriptive.
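As an added example (not part of the original post), here is a first pass at the log trawl just described: it groups constructed proxy log lines by destination host, drops hosts IT has already sanctioned, and ranks the rest by how many distinct users touch them and how much data they upload. The log layout, the sanctioned list and the sample lines are all assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample log in an assumed Squid-like layout:
# timestamp user method url bytes_sent
SAMPLE_LOG = """\
1699999000 alice POST https://docs.example-share.net/upload 524288
1699999001 bob   GET  https://www.google.com/search?q=x 1024
1699999002 alice GET  https://intranet.corp.example/ 2048
1699999003 carol POST https://api.survey-tool.io/v1/responses 8192
1699999004 dave  POST https://docs.example-share.net/upload 1048576
1699999005 bob   POST https://app.crm-cloud.example/import 65536
1699999006 erin  GET  https://docs.example-share.net/ 512
"""

# Services IT already knows about and has approved (assumed list).
SANCTIONED = {"intranet.corp.example", "www.google.com"}


def host_of(url: str) -> str:
    """Reduce a URL to its host so requests to one service line up."""
    return urlsplit(url).hostname or ""


def unsanctioned_services(log_text: str, sanctioned=SANCTIONED):
    """Return [(host, distinct_users, bytes_uploaded)], most-used first.

    Every request counts towards the user total, but only POST/PUT
    requests count as uploads, since those are the ones that actually
    move business data onto the external service.
    """
    users = defaultdict(set)
    uploaded = defaultdict(int)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than guess at them
        _ts, user, method, url, size = parts
        host = host_of(url)
        if not host or host in sanctioned:
            continue
        users[host].add(user)
        if method in ("POST", "PUT"):
            uploaded[host] += int(size)
    report = [(h, len(u), uploaded[h]) for h, u in users.items()]
    # Most users first, then most data uploaded, then name for stability.
    return sorted(report, key=lambda r: (-r[1], -r[2], r[0]))


if __name__ == "__main__":
    for host, n_users, n_bytes in unsanctioned_services(SAMPLE_LOG):
        print(f"{host:30} users={n_users} uploaded_bytes={n_bytes}")
```

Hosts at the top of the list are the ones to research first; a real run would read the proxy or DNS logs over weeks, not seven lines.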
Why should we care about this if it’s getting the job done?
It’s a fair question to ask. The problem is the data. Who does it belong to? Is it personal data? How is it being protected, and is the protection sufficient? What are the online services’ terms for usage of the data? Can we rely on the output from these services, or does the data need to be rechecked to ensure its validity?
One of the main “positives” I am told about when I question the usage of such services is that “the account was free”. Free is great, but has the user read and understood the terms and conditions for the service? Companies don’t just give away services for free. Gmail, for example, makes money by scanning the email contents and then displaying ads from companies who may be providing associated services. Other companies offer accounts which give the provider free rein over your data, and they can do what they want with it from that point on. And once the data is outside your hands, it’s very difficult to regain control.
Obviously this is a much bigger problem when the data involved is of a personal nature. The shadow IT service could be based anywhere in the world, might have little or no protection for the data aside from a password, and may not even encrypt the information as it’s being sent. If your staff are using such services to crunch/store financial data, this again could cause issues for your compliance with PCI DSS or SOX. Sometimes staff will even use online backup services for company information – leading to the uncomfortable situation where huge amounts of data have left the control of the business.
Taking back control
The obvious services to start with are Google, Microsoft, and Dropbox. Identify any others which are in use, and make sure you have a strong policy in place which will explain what is expected from staff. If there is a service amongst them which is genuinely useful, and which can provide the data security required, then approach it as you would with any new system, and implement it in a controlled manner which meets the business objectives.
It will be necessary to employ some kind of internet filtering solution to block the sites which are proving to be a serious risk, but this must be an ongoing process. New sites pop up every day offering even better services than before, but they need to be reviewed by a person with IT Security responsibility before being used.