Small businesses often don’t have the capacity of larger companies to provide employees with multiple applications and software and oversee the use of those platforms and services. Some (usually well-meaning) employees may decide to work outside of your company’s parameters, using unapproved technology that may not be in your company’s best interests. This introduces shadow IT risks that small businesses—and companies of all sizes—need to monitor and mitigate to prevent security breaches.
How Shadow IT Risks Develop
In short, shadow IT can be any technology used in your company that isn’t approved, sanctioned, or under the control of your company. This technology might include the following:
- Cloud and software solutions; and
- Hardware and infrastructure.
Companies that allow bring your own device (BYOD) let employees use their own laptops, tablets, and smartphones for business, introducing risks of shadow IT. Because employees are more comfortable on their own devices, they are likely to install or access unapproved tools for personal and business use, increasing the company’s risk of a data breach. When the COVID-19 pandemic increased the number of remote workers, it also increased the use of tools outside of a company’s approved list, leading to additional shadow IT risks.
BYOD policies open a door to shadow IT threats, but companies using these policies are not the only ones at risk. Any type of technology used in your company that employees download, buy, or use on their own can create risk, including these:
- OpenOffice, a free software suite that mimics Microsoft Office;
- Google Drive, which includes free software similar to Microsoft Office tools;
- Dropbox, Box.com, and other cloud programs for storage and file transfer;
- Zoom, Skype, Google Meet, and other online platforms for meetings;
- Collaboration tools such as Evernote, Asana, Trello, and Basecamp for sharing work-related information;
- Encrypted communication and texting apps like WhatsApp, Telegram, and Signal; and
- Outside email services, such as Gmail.
Unless your company has a paid subscription to these types of services, use of the free version or their own paid versions by employees can cause problems.
Problems Arising from Unapproved Technology Use
The use of unapproved technology and tools by employees may be a response to a lack of approved IT resources. When company resources don’t do the job that’s needed, an employee may venture outside of the company’s IT offerings. While it may work for the needed purpose, security breaches can allow access to company data and systems via an unsecured app or tool that gains access to a company network.
Business use of assorted applications and programs can also harm productivity. For instance, if the company standard is SharePoint, but one or more employees start using personal Dropbox accounts for confidential file sharing, coordination becomes difficult both inside the company and with outside parties such as customers and vendors, especially if the outside parties don’t use the same technology.
Unapproved technology also threatens regulatory compliance. A company mandated to observe specific requirements for data management and storage may be subject to fines and discipline as a result of data mismanagement or a security breach.
In addition, if your company becomes involved in a legal investigation or litigation, shadow IT can make discovery difficult. Businesses have responsibilities to manage electronically stored information (ESI). If business data is stored where IT or a legal team can’t access it, discovery may take more time than anticipated or you may not be able to provide required information.
Consider this scenario: an employee uses a personal Google Drive account for storing customer contracts and other documentation. If the employee leaves or is fired, the company may have difficulty retrieving or preserving the information stored in the account.
In addition to company data access and control issues, shadow IT also increases the risk of cyber attacks. Hackers can easily exploit lapses in security on unapproved apps or connect to a network through Wi-Fi to gain access. It may also be difficult to apply security patches, increasing the risk to company systems. When company data is located outside of a company’s security boundaries, security is nearly impossible and data and systems are vulnerable.
A Shadow IT Assessment: Managing IT and Mitigating Risks
It may seem simplest to ban all non-company resources, but chances are it won’t work. Employees are likely to use unapproved apps and services despite company policy and chances are you won’t be able to stop this practice completely.
One option for managing shadow IT is to use detection programs that monitor your company’s network and clients. Programs that detect unusual activity, downloads of unapproved software, and other potential red flags can pinpoint shadow IT risks and tell you who is using them.
Once you’ve discovered what your employees are using, consider establishing a shadow IT security checklist to classify the different types of technology:
- Approved technology;
- Not approved but benign; or
- Not approved and dangerous.
Employees using shadow IT should be approached in a non-confrontational fashion. Asking why this technology is being used, for how long, and at what cost will help companies understand the employee’s motivations. Some tools may be approved for use after these conversations, while others may require substitution of sanctioned tools. The process of discussing the unapproved technology with an employee also presents an opportunity to explain why certain tools are prohibited from business use.
Shadow IT: Are There Benefits?
Despite the risks, shadow IT can also offer benefits for small businesses. Employees who download and use unapproved tools are usually just trying to get their jobs done more effectively and efficiently. Most aren’t aware of shadow IT risks or the potential harm to the company. Discovery of the use of shadow IT presents an opportunity to assess unmet needs.
In this example from the Harvard Business Review, a senior employee paid for a customer relations management (CRM) system that reversed a revenue-losing trend. In this case, management failed to provide a requested solution, and the VP did what she felt was needed. The program used increased revenue by one million a month. This example underscores the need for companies to listen to employees and provide them with the tools they need or find other solutions to avoid shadow IT threats.
Shadow IT risks often develop due to a lack of needed resources. Companies should encourage open communication between management and employees, then work to find solutions that mitigate risks. Businesses must also reinforce with employees the importance of security, including strong passwords and other measures that reduce cyber security threats.
Combatting Shadow IT Risks In Your Small Business
A small business can’t afford to take risks with its data and information. Shadow IT risks can be difficult to mitigate, but the consequences—exposure to hackers, malware, and viruses that can shut down operations and be extremely costly—merit significant effort to work with employees to mitigate these risks.