In an effort to be more productive and connected, employees are taking it upon themselves to seek technology solutions that fit their workplace needs, and as a result, are inadvertently creating serious challenges for their IT teams. The number of employees bringing personal mobile devices into the workplace and using them as business devices has exploded; the number of people downloading unapproved applications, programs and systems on their work computers continues to grow. This integration of non-sanctioned devices and use of unapproved IT programs, otherwise known as Shadow IT, is causing privacy and security problems for organizations’ IT infrastructures and their ability to satisfy governmental compliance regulations.
According to a 2015 survey by the Cloud Security Alliance, only 8 percent of companies know the scope of Shadow IT within their organization. Although alarming, it’s not surprising that companies are losing control over their sensitive data.
The Rise of IT Self-Service in the Workplace
Mobile and cloud technology has had a tremendous impact on the personal and professional lives of Americans and their employers. According to the Pew Research Center, 68% of U.S. adults owned a smartphone in 2015, up from 35% in 2011, while tablet computer ownership edged up to 45% among adults. Employees expect to be able to bring and use their personal smartphone, tablet or wearable technology into the workplace. Whether it’s for file sharing, communications, development or storage, employees are adopting non-approved services to better do their jobs.
What is Shadow IT?
Applications or software deployed by business users without the consultation or approval of the IT department are referred to as shadow deployments. The term Shadow IT has come into use because these deployments are not part of the sanctioned IT infrastructure but operate in the shadows. For example, when a group of employees downloads a new chat service and uses it to discuss business matters, or the Marketing Department connects its analytics API to cloud software without notifying IT, the integrity of the entire IT infrastructure is undermined. Shadow deployments can lead to unintended consequences, such as loss of private data, compliance violations, and security vulnerabilities.
Shadow Deployments Present Compliance Risks
Shadow deployments are dangerous to businesses of all sizes. The business no longer has complete control of the flow of its data, especially because many rogue deployments occur outside of company firewalls and via the cloud (e.g. Google Docs and Dropbox). Unregulated IT systems and solutions can leave organizations in violation of PCI Data Security Standards, Basel II, and HIPAA compliance measures. Shadow IT can also extend to the use of unregulated software and unlisted licenses, which is considered a security risk and creates vulnerabilities that trigger security incidents and compliance audits.
Staying On the Right Side of the Law
It is very disconcerting that the use of Shadow IT can subvert federal and state regulations. For instance, the financial sector has to comply with the Sarbanes-Oxley Act of 2002. Sarbanes-Oxley seeks to maintain the accuracy and integrity of data presented in financial reports by instituting internal controls that ensure this information is verifiable. These controls are negated if the information isn’t properly set up and regulated within the IT department of a company.
Businesses that manage protected health information must comply with the Health Insurance Portability and Accountability Act (HIPAA), as mentioned above. Like Sarbanes-Oxley, HIPAA seeks to control and protect the flow of electronic Protected Health Information (ePHI) and keep that information out of the hands of unauthorized users. Many popular apps and software lack the capacity to meet financial or health compliance standards, so seemingly harmless activities, such as accessing Facebook on a smartphone, can get your enterprise in legal hot water.
Preparing for e-Discovery
E-Discovery refers to any process in which electronic data is sought, located, secured, and searched with the intent of using it as evidence in a civil or criminal legal case. Imagine your IT department’s confusion when they get a subpoena to turn over all of their information and data from a piece of software they didn’t even know your business was using.
It is difficult to determine what service level agreement (SLA) rogue deployments are covered by. When your company is audited, you are legally required to produce certain information within a given amount of time. Your SLA states that the information will be made available to you, but if for whatever reason you are unable to gather the data, your organization may be subject to legal, financial, and reputational damages. True preparation requires organizations to align IT and Legal, as both parties may be required to produce information during the e-Discovery process.
Defending Against Shadow IT
Independent usage of IT systems and applications will only continue to grow, forcing IT departments to address privacy and security concerns on an ongoing basis. Communication is key to ensuring rogue deployments don’t put your company at risk. Your IT department, C-suite executives, and department heads should determine your organization’s technology needs and decide how its risks will be mitigated. It’s vital that you develop a clear, concise company policy on how to request, purchase, and deploy new technology, and that you determine what level of personal mobile and wearable technology usage your business permits in the workplace.