Employees often, understandably, use software unauthorised by the central IT function to help them with their everyday work.
However, it can expose organisations to risk of data breaches, reputational damage, non-regulatory compliance and issues around e-discovery. In-house legal teams can help limit the risks of shadow IT.
What is shadow IT?
Shadow IT, also known as stealth or rogue IT, is where an organisation’s employees use software unauthorised by the IT department for their work. It can occur at departmental, team or individual level. Commonly used shadow IT solutions include:
- File-sharing applications such as Dropbox and Google Drive;
- Collaboration and messaging tools like Slack or Skype;
- Personal productivity apps; and
- Mobile apps.
Many of these applications reside in the cloud, making them easy to use and difficult for organisations to keep track of.
However, shadow IT can be more complex than this and even take the form of custom-built solutions commissioned by non-IT departments or local business structures.
Usually, software is not centrally approved because:
- The central IT function cannot or will not support it;
- It may be incompatible with other systems; or
- It contravenes the organisation’s IT security and data policies.
Performance and cost are also major concerns for IT professionals.
How common is shadow IT?
Most IT departments know that shadow IT is being used in their organisation. Some turn a blind eye or actively tolerate it if they’re satisfied it’s not causing a significant risk.
What they may not be aware of is the full extent of shadow IT. A 2015 survey by Cisco found that the average organisation has between 15 and 22 more unauthorised cloud applications running than authorised ones. And as early as 2013, a study by research firm, Frost & Sullivan suggested that 80% of IT and line-of-business employees were using non-approved cloud applications.
Why does shadow IT happen?
Shadow IT usually arises when effective software and tools unavailable internally are readily accessible online or where employees have favourite apps for productivity or messaging.
Document sharing and gaining access to files and information from a mobile device are the most common functions that employees turn to shadow IT for - especially when using a Bring Your Own Device or mixed private and personal use device such as a remote network access via a home pc and home printer.
It’s understandable and seldom malicious. Employees usually know they’re breaking the rules, but feel the pressure of their workload and what they regard as relatively basic requirements justify the breach.
Shadow IT can also occur if a client insists on sharing large files via an application that isn’t approved. This can be tricky for both the client-facing employee and the IT function, especially if it involves a major client.
What are the risks?
As an in-house lawyer, you’ll need to be aware of the risks and issues associated with shadow IT. While it’s essentially the domain of the IT or the risk management function, a successful approach towards shadow IT will benefit from your input.
Potential risks of shadow IT include:
- Personal or client or market sensitive or commercially sensitive data being held in servers in the wrong jurisdiction;
- Personal or client or market sensitive or commercially sensitive data not being held securely, increasing the risk of a data breach. Many shadow IT solutions provide consumer-grade, rather than enterprise-grade, security;
- Personal or client data being held on servers that don’t satisfy your organisation’s security polices, protocols and standards and/or those of applicable regulatory bodies that regulate the company, particularly in relation to who has access to the data and who owns it. The terms and conditions of an application may imply ownership and right of access to your data. They may also provide insufficient security measures and/or inadequate encryption;
- Reputational damage if documents are discovered or found to be vulnerable - even if the data is non-sensitive;
- E-discovery processes being incomplete, exposing the organisation to legal risk;
- Inability to comply with regulations such as the Sarbanes-Oxley Act;
- Sensitive data being left forgotten on servers in perpetuity. As small providers get acquired or go bust, organisations can lose control over what happens to their data;
- Information being lost into the public domain when those shadow devices (such as a home pc or home printer with memory) are "end of lifed" by the owner; and
- Undermined disaster recovery and business continuity processes.
Users can make shadow IT even more problematic by not:
- Implementing two-factor authentication on the software they’re using. Many providers offer additional security by requiring a code to be sent to a mobile device to log-in. However, this feature is often optional and many people don't bother with it;
- Varying their passwords across different applications or changing them regularly enough. Using the same password is now a real issue, as significant data breaches involving Yahoo and others, exposing log-in details used on other systems, has shown; and
- Encrypting or securing their devices. Given the number of laptops and mobile devices lost every year, this is an area of real risk.
Regulators and clients may be concerned if they feel your organisation lacks policies, controls and measures to combat shadow IT.
Are there any positives?
There are. In some cases, shadow IT can drive efficiency and increase collaboration where corporate applications are not meeting needs.
It can also help drive innovation, promote creative uses of IT and show IT functions what type of applications users need.
What can you do about shadow IT?
Because shadow IT is employee-driven and often occurs outside the workplace, it’s almost impossible to prevent entirely. A heavy-handed approach could cause resentment and make employees feel patronised or untrusted. With this in mind, we recommend this four stage approach:
- Meet your employees’ needs. Prevention being better than cure, the most effective way to reduce shadow IT is to provide the services employees need to do their work. In particular, by providing applications that allow them to access files on private and mobile devices and share documents with third parties -put in the context of avoiding a Data Breach fine or a breach of a confidentiality indemnity in a customer contract; a wider issue of company phones and laptops could look very cheap. Allowing some use of popular apps can also be a successful approach. This will, of course, have to balanced against budgets, security policies, infrastructure and the need for central control;
- Have clear policies and guidelines. Processes for new joiners, annual professional declarations and terms of use for technology at work should all cover shadow IT and be clear about what is and what isn’t permitted. Processes for people leaving the organisation should include guidelines for shutting down any shadow IT systems or removing relevant data and files from them. Include any sub-contractors in these processes. E-discovery processes may also need to cover known shadow IT systems in use. Also, implement an organisation-wide policy for grading the sensitivity of information and controlling its availability. For example, you wouldn’t want people posting information graded “Highly confidential” on an intranet accessible by all employees. Make your grading easily understood and universally known among employees and ensure that it is followed "tone from the top" is key.
- Educate and communicate. User education is the key to reducing shadow IT. Try:
- Including information about shadow IT in employees’ appraisal processes;
- Circulating news stories and research studies about the subject among employees;
- Introducing e-learning programmes;
- Making shadow IT part of any annual professional declaration process your organisation operates; and
- Ensuring employees have access to memorable and easily digestible assets.
In larger, or multi-site organisations, effective communication between the central IT or legal function and people based remotely will help drive compliance and reduce the chances of different divisions doing their own thing.
- Operate a safe environment. This means putting monitoring tools in place, blocking access to particular tools from within the network, applying appropriate due diligence on solutions deployed, activating mobile device management, having effective device and company system access control issue, control and recovery policies and processes in place which are tied to role based needs.
Generally, IT functions will be the leaders in reducing shadow IT, but you can help by influencing policies and guidelines and contributing to user education. If you feel your IT function is a little too relaxed about shadow IT, raise your concerns with your departmental head or the chief information officer (CIO).
Remember a regulatory disclosure requirement, a dawn raid, litigation discovery or even just subject data access request will happen at some point so you need to understand how your company's systems and processes run and are checked and who runs them (and because of these probable events you have a clear mandate to do so).
Conclusion
The use of unauthorised technology by employees is commonplace and represents a risk for organisations. In-house legal teams can help their colleagues in IT by understanding the issue, setting the right policies and guidelines and helping educate employees of the associated risks. It may not eliminate shadow IT entirely, but it can help reduce exposure to risk as part of a holistic approach to the issue.