Shadow IT might be the cause of a security breach at many levels, including data breach through an insecure or legacy solution and up to compliance breach due to uncontrolled data movement. In 2019, this concept was in the top 7 list of IT concerns for US companies. Hence, in most cases, shadow IT is dangerous and MSPs should do their best either to eliminate it or control it. However, there are a couple of surprising upsides for companies implementing shadow IT.
So, let's dive in to discuss massive risks spiced with minor benefits.
What Is Shadow IT?
Shadow IT is the process of adopting IT solutions in the organization - whether software, cloud, or hardware - without aligning these solutions with the official IT strategy of the organization. In other words, any IT-related move that system administrators, the IT department or the managed services provider do not know about. Such moves include:
- Any applications installed or used without the MSP’s or IT department’s knowledge, such as conference apps, time-tracking solutions, collaborative solutions, or LOB software, to name a few examples.
- Changes in the IT network, like new printers, Wi-Fi routers, etc.
- Any unapproved cloud applications that are accessed from the corporate network using corporate credentials.
- Accessing the corporate network or corporate applications from insecure locations using remote-desktop protocols.
- Unapproved bring-your-own-device policies. Once end users take their phones and tablets home and try to access corporate data using these devices, that becomes a security concern.
The Challenges of Shadow IT for MSPs
If you ever need to discuss your concerns about shadow IT with your clients, here's a list to help you:
- Security. There are numerous possible security issues tied to shadow IT, such as: the dangers of unpatched legacy systems, whenever they appear on the network; unauthorized application access to the corporate network; data from untrusted apps that users might install or use; and security holes that are left by users who install solutions without a deep technical understanding of what they are doing.
- Collaboration. When different departments within one organization are using different collaboration tools, including applications for meetings, sharing files, managing visual and other assets, there will inevitably be a mess once these departments need to communicate with each other.
- Standardization. Standard operating procedures, applications, and tools are the basis for streamlined and thought-through operations, which is, in turn, a basis for the overall success of the given business. Moreover, if your clients start using different hardware, you will end up with more overhead in supporting that hardware.
- Compliance. Some unapproved IT policies, like bring-your-own-device, may potentially be a compliance danger. If your client falls under any compliance, such as HIPAA, FISMA, GDPR, or other, you should pay additional attention to the devices that end users are using to access corporate data.
Assess vulnerabilities and threats, network security, workspace and equipment security, documentation, and more. The pack includes:
- a ready-to-print PDF file
- an Excel file to help create a customizable assessment resource
The Benefits of Shadow IT
Surprisingly, there are some benefits for organizations who permit this or that form of shadow IT. For example, whenever users try to solve their issues with new applications and solutions, they become more tech-savvy, so that the number of support calls might decrease slightly. (On the other hand, the increase in support calls regarding the unsupported applications will counterbalance that.)
One real benefit to this situation is that organizations might sometimes find a better solution, especially in the case of LOB applications which will help their business.
How MSPs Can Manage Shadow IT
Here are the best practices in avoiding problems and managing your clients' shadow IT activities:
- Provide end-user training. While you may already provide your clients training courses on basic security, solutions, and other topics, include a section about the dangers of shadow IT, such as data breaches, downtime, and compliance issues.
- Scheduled audit. Every once in a while, you should carefully inspect your clients' premises, including their network maps, hardware, and application usage.
- Monitor suspicious connections. Sometimes, your client's end users might want to access their corporate data from the outside. You should carefully monitor all the incoming connections to spot any build-your-own remote access solutions.
- Mobile device management. If your client’s operations fall under any compliance, you should implement mobile device management software to reduce the chances of unexpected and unapproved data flows.
Find an alternative. Instead of blocking all unwanted applications, try to help your clients to find and incorporate tested and safe applications to fit their needs.
Make changes to your SLA and MSA. You should explicitly notify your clients that they are fully responsible for any security breaches that happen due to the use of shadow IT applications or hardware.
With the growth in the number of web-based and cloud-based applications aimed at solving granular issues, there will be an inevitable growth in shadow IT. So, the time is right to create a comprehensive policy to reduce the possibility of downtime, security breaches, or human failure due to the use of unsupported, untested, or simply build-your-own solutions.