What is Shadow IT and How to Manage it in G Suite
Shadow IT is, in essence, the use of software, hardware, systems, or applications that were not authorized by your IT department.
13:36 11 May 2020
In most cases, it happens without any bad intent on your employees’ side: they just want to be more productive and get the job done faster.
Shadow IT has been a problem since personal devices appeared at work (BYOD, Bring Your Own Device) and cloud services like Dropbox, Google Drive, or Slack became popular.
While shadow IT itself is not the bad guy here, its uncontrolled use can have destructive consequences for a company. Gartner predicts that one-third of all successful cyberattacks on enterprises will be executed through loopholes created by shadow IT.
If you don’t want to become part of this statistic, you had better start acting quickly. Here is our take on how you can manage the shadow IT problem and even benefit from it.
1. Backup your data
It may seem like an unobvious step when dealing with shadow IT, but it is actually a necessity for many reasons, even beyond the threats presented by shadow IT.
One of them is data loss. If a third-party application or piece of software installed by your employee is controlled by a cybercriminal, it can easily contain ransomware. Ransomware encrypts all files on the infected device, as well as the cloud folders that are synced with it. If those folders are shared with other users, this can lead to a serious disruption of the work process and to financial losses.
If the information is critical and you don’t have a backup, you will have to pay the ransom, which is $40 000 on average. Even then, there is no guarantee you will get your data back. If your main data management suite is G Suite, we advise you to use the G Suite backup & restore tool to protect your data.
2. Encourage employees to try new apps openly
Notice that we didn’t say “punish” shadow IT, because that is what many companies do, unsuccessfully. Forbidding the use of third-party software, programs, and applications, and punishing employees for it, won’t benefit the internal atmosphere and will definitely affect the productivity of your employees.
The thing is, in most cases the main intent of employees who use shadow IT is to get more work done, faster and more easily. Basically, if it weren’t for all the risks that come with it, shadow IT would be a life-saver for many companies.
There are a few reasons why it is so widespread, and one of them is that management and IT usually don’t talk about it much. Of course, a CISO can say that employees should only use programs approved by the IT department, but few will explain why. Therefore, in an emergency, it is much easier for employees to opt for an unapproved but much faster service, thinking that no one will find out anyway.
That is why you don’t need to punish your employees; rather, you need to encourage them to test new applications and services (except for those you know are risky). For example, an employee is performing a task that requires a design app, and the approved one is not the best fit. Instead of solving the problem quietly by looking for alternatives and starting to use them right away, they should send the request to your IT department. IT will check whether the app is secure enough and come back with an answer.
Of course, such a policy needs to be incorporated into your routine, which requires broadening your IT department’s purview and creating a structure under it. There are services like Spinbackup.com that help you incorporate this quick app monitoring without much investment of time and energy; they help your IT department scan the applications that are sent to them in a minute or less.
Once established, this approach will not only protect your company from the risks of shadow IT, but will also benefit your company in the long run.
3. Create an ever-growing list of approved and blacklisted alternatives
This is the next logical step and a must-do for every organization. The main reason for testing all those applications and services is not to solve the urgent problem quickly, but rather to build a comprehensive list that makes ad-hoc checks unnecessary. Not only will this list save you time by telling you whether a requested application is secure, but it will also be a source of alternatives. Some of your workers may use BYOD (Bring Your Own Device) for work and prefer specific services; you can test those services and add them to your list.
This list should be easily reachable by your employees, so they can always consult it when needed. At some point, the list will become comprehensive enough that your workers won’t need to seek unapproved third-party services to get the job done.
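As an added example (not part of the original post or of any vendor’s product), here is how the approved/blocked list could be applied to the third-party app grants your users have already given in G Suite. The token records are constructed to resemble the fields of the Admin SDK Directory API “tokens” resource (clientId, displayText, scopes, anonymous); that shape, the client ids and the set of “broad” Drive scopes are assumptions.

```python
# Added example: triage third-party OAuth grants in a G Suite domain against
# an allowlist and a blocklist, flagging the rest for the IT review process.
# Token records are constructed; their shape (clientId, displayText, scopes,
# anonymous) is an assumption modelled on the Directory API tokens resource.
from dataclasses import dataclass

# Scopes that grant access to every file the user can see (assumed list).
BROAD_DRIVE_SCOPES = {
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/drive.readonly",
}
APPROVED = {"approved-design-app.example"}   # constructed client ids
BLOCKED = {"known-risky-sync.example"}

@dataclass
class Finding:
    user: str
    app: str
    verdict: str   # "blocked", "review" or "approved"
    reason: str

def classify_token(user, token):
    """Decide what IT should do about one app grant for one user."""
    cid = token["clientId"]
    name = token.get("displayText", cid)
    if cid in BLOCKED:
        return Finding(user, name, "blocked", "client id on blocklist")
    if cid in APPROVED:
        return Finding(user, name, "approved", "client id on allowlist")
    broad = BROAD_DRIVE_SCOPES & set(token.get("scopes", []))
    if broad:   # unapproved app that can read all of the user's Drive
        return Finding(user, name, "review",
                       f"unapproved app with broad Drive scope: {sorted(broad)[0]}")
    if token.get("anonymous"):
        return Finding(user, name, "review", "unverified (anonymous) app")
    return Finding(user, name, "review", "unapproved app; add to the list after checking")

def audit(grants):
    """grants: {user: [token, ...]} -> findings, most urgent first."""
    findings = [classify_token(u, t) for u, toks in grants.items() for t in toks]
    order = {"blocked": 0, "review": 1, "approved": 2}
    return sorted(findings, key=lambda f: order[f.verdict])

SAMPLE = {  # constructed sample grants
    "alice@example.com": [
        {"clientId": "approved-design-app.example", "displayText": "Design App",
         "scopes": ["https://www.googleapis.com/auth/drive.file"]},
        {"clientId": "new-notes.example", "displayText": "Notes",
         "scopes": ["https://www.googleapis.com/auth/drive"], "anonymous": False},
    ],
    "bob@example.com": [
        {"clientId": "known-risky-sync.example", "displayText": "Risky Sync",
         "scopes": ["https://www.googleapis.com/auth/drive"]},
    ],
}

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f.verdict:8} {f.user:20} {f.app}: {f.reason}")
```

Blocked grants are the ones to revoke; “review” items are exactly the requests the approval process in the previous section should turn into new list entries.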
4. Train your employees
A single wrong action by a single employee is enough to put all of your data security and compliance in jeopardy. The more employees your company has, the higher the risk of data leaks, data losses, and compliance violations caused by employee carelessness.
It is not the malicious programs themselves that do all the damage; it is end users who are not informed about the risks and the possible consequences for the organization. Your workers must be aware that they cannot share sensitive information via Google Drive, and that they cannot give an unknown application access to the folder that contains all the presentations. They must see what happens to companies whose data compliance is violated, or whose employees click on a phishing email.
Make cybersecurity training obligatory for every new hire, and you are much less likely to experience a data breach or unauthorized shadow IT usage.