It all started with a home-based server. A home-based server that carried state secrets.
Up until the most recent occupant, few others in the position of Secretary of State had used the official state.gov email address to conduct government business. This was pretty typical of the holders of this office. However, most former Secretaries of State didn’t rely on a private server, hosted in a Chappaqua home, to conduct official government business.
In 2015, when Clinton was being investigated for a different matter, congressional investigators noticed that she had never sent any emails from her official email account. This proved to be a problem since many of the emails contained information vital to national security. While the State Department’s official server was secure, the private email and server did not have the same level of security and were vulnerable to attacks. Since then, Clinton has unwittingly become the face of Shadow IT.
Right now, most businesses probably aren’t sharing state secrets, but information that’s just as vital to the company is flowing in and out every minute, often on devices and sites that aren’t IT-approved or that IT has no knowledge of. This trend, known as shadow IT, is the use of hardware or software that is not approved by IT for company, or in Clinton’s case, government use.
Why is Shadow IT a “Thing”?
It’s not that employees want to use apps, devices or programs that bypass IT, it’s that they’re just trying to get their job done. Often an employee is given outdated tools that make certain tasks more onerous than they should be. It’s not IT’s fault either — they may have a slow approval process or don’t have it in the budget to be constantly tracking every new technology that employees could be using. For more detail, check out Curtis’s post on why employees turn to the dark side of shadow IT.
Businesses are starting to feel the affects of shadow IT. According to a study done by Cisco, IT departments think their companies are using somewhere around 51 cloud services. But when asked, respondents of Cisco’s study owned up to using more than 730 different cloud services.
IBM released a Cost of Data Breach study in 2015 that found that, all together, data breaches can cost a company an average of $3.8 million. Broken down, that’s about $145 to $154 per sensitive document or file.
Identifying Shadow IT
There is a Catch-22 when it comes to shadow IT. Even though IT does not permit the use of outside apps or programs, they’re still responsible for what happens when employees do go outside the business for file sharing or management. It’s up to the IT department to monitor and detect usage that may harm the company or lead to a data breach. So, what should IT departments do? Check out the suggestions below.
1. Monitor Bandwidth
With a good bandwidth monitoring tool, you should be able track more than just performance. Start looking at the traffic from devices and web applications. If you find that certain employees are hogging bandwidth more than others, even though they should technically be using the same software or tools, it’s likely they’re using outside applications or cloud providers.
On a similar note, you should measure file sizes as they leave your network. SmartStats, a visual analytics tool for certain SmartFile plans, allows you to see the sizes that are being transferred.
2. Auto Discovery
Auto discovery helps to find new devices that are plugged into networks by pinging them. If it’s a smartphone, it’s not so much the device that will cause the problem but the apps on the device. Who’s using an unauthorized device and for what reason?
3. URL Filtering
Cloud services use a web-based interface to access their services. Try using a URL filtering tool to track all of the major cloud service websites employees are using.
You can start blocking sites that provide the most risk, but know that employees may just switch to using a mobile device if they can’t access it on a work computer. The more IT departments attempt to lock down usage, the more likely employees are to seek outside resources.
4. DLP and DAM
Using a cloud Data Loss Prevention (DLP) tool can help you scan inside of cloud files to find if sensitive company documents are vulnerable. Database Activity Monitoring (DAM) tools can help identify large data dumps to cloud providers that aren’t approved. Most, if not all, of these tools come with activity alerts that can prove helpful in monitoring.
5. Outsource It
If you don’t have the time or ability to track shadow IT, you can outsource it. Several companies have popped up in response to the shadow IT threat. CISCO has created a service called Cloud Consumption that tracks all cloud site usage.
IBM released the tough-sounding Cloud Security Enforcer, which detects cloud apps and shadow apps. Another product, Skyhigh, monitors usage in several places, including Salesforce, Office 365, Box, Dropbox and Google Drive.
6. Start Talking
It’s unlikely that IT will ever completely eliminate shadow IT usage. But having a good rapport with employees can be beneficial. First, find out why employees are using non-approved apps and programs. Is it cutting their work time in half? Does it have a better UI or response time? There’s most likely a good reason they’re using it.
If you take the time to explain to them why and how their usage is affecting the company, they may stop. You may also find some valuable programs that would be worth looking into. For instance, if your employees love to use cloud sharing products, find one that has the ease-of-use of a consumer cloud product with the security and protections of an enterprise-level product. Eventually, you may be able to curtail some of the effects of shadow IT and make employees happy and productive without putting your security at risk.