“Shadow IT” no longer exists in the shadows. The advent of Bring Your Own Device and demand from employees for more accessible applications have created a surge in unsanctioned apps in the workplace. Employees rely on apps such as Box, Dropbox, and Workday for business-critical functions instead of the applications provided by the organisation, because they are often simpler to use and improve productivity. This makes it significantly harder to maintain a secure IT environment.
Traditionally, IT departments have tended to block unsanctioned apps, but a combination of employee frustration and the sheer number of these applications has made this unsustainable.
You need to address “Shadow IT” in a strategic, proactive manner, saying ‘yes’ to employees using their favourite cloud apps, while protecting the organisation from data loss and network threats.
We have formulated seven ways to protect your IT structure, whilst giving your employees freedom around the apps they use:
1. Track your IT environment:
Identify “Shadow IT” by continuously monitoring your IT environment for new and unknown devices, comparing each scan against previous ones. This will tell you where the new devices are and what type of device they are.
2. Evaluate app risk:
By discovering the cloud apps in your environment and evaluating their risk against an objective registry, you can comfortably deploy and manage low-risk apps. For higher-risk ones, you will need to evaluate how these apps are being used in your enterprise. If they deal with sensitive data, you may need to limit certain activities (e.g. sharing) across all of the high-risk apps.
3. Usage monitoring:
Understand what people are doing with the cloud apps within your organisation. For heavily used apps, you need to identify the activities (e.g. sharing, downloading) and assign each activity a risk level. Once you identify the apps which employees are using to perform high-risk activities, you need to set policies to block any risky activity. You can also set a baseline to detect anomalous behaviour, such as excessive downloading, spikes in usage and logins from unusual locations.
4. Block activities, rather than apps:
A blanket approach to blocking apps is unrealistic and prevents workers from true productivity gains. Rather than blocking apps en masse, you should look to analyse the activities which pose the greatest risk (e.g. sharing data outside the company) and block them specifically to mitigate risk. Do this for both the apps you manage and those you don’t.
5. Educate co-workers:
If you have to block certain activities, be sure to tell the users what has happened and why this particular action has been taken. Help them understand the risk and suggest a lower-risk option. Educating them about policy enforcement will encourage them to use their favourite apps safely and to address the risk together with you.
6. Put in place guidelines around cloud apps:
To meet the needs of your users, you can create and distribute a list of approved applications. This would reassure the various departments purchasing the apps that their introduction would not create security issues. This clear communication shows workers what is allowed, thus preventing the risk of unsanctioned apps. Also, IT departments should have a process in place to approve or disapprove potential new applications required by departments.
7. Offer a substitute:
Sometimes particular apps do put the business at risk and require blocking. If this is the case, you can suggest alternative apps that share similar features but pose less risk to the business. Inform staff why the app puts the business at risk and offer a solution – acting as a problem solver rather than an obstacle. If organisations don’t provide a trusted solution, employees may find their own way to work more efficiently by using products beyond IT’s control, which can put the company at risk.
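The baseline described under point 3 (usage monitoring), as an added example that is not part of the original article: it flags downloads that exceed a user's own history and logins from countries not previously seen for that user. The event tuple layout, the sample data (constructed) and the three-sigma threshold are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data: (day, user, activity, country, event_count).
HISTORY = (
    [(d, "alice", "download", "GB", n) for d, n in enumerate([10, 12, 11, 9, 13], 1)]
    + [(d, "bob", "download", "GB", n) for d, n in enumerate([3, 4, 2, 5, 3], 1)]
    + [(d, u, "login", "GB", 1) for d in range(1, 6) for u in ("alice", "bob")]
)
TODAY = [
    (6, "alice", "login", "GB", 1),
    (6, "alice", "download", "GB", 90),   # far above alice's usual volume
    (6, "bob", "login", "BR", 1),         # country never seen for bob
    (6, "bob", "download", "GB", 4),      # within bob's normal range
    (6, "carol", "download", "GB", 2),    # no history at all
]

def build_baseline(history):
    """Return per-user daily download totals and the set of login countries."""
    daily = defaultdict(lambda: defaultdict(int))
    countries = defaultdict(set)
    for day, user, activity, country, count in history:
        if activity == "download":
            daily[user][day] += count
        elif activity == "login":
            countries[user].add(country)
    return {u: list(d.values()) for u, d in daily.items()}, countries

def detect(history, today, sigmas=3.0, min_spread=1.0):
    """Flag today's events that deviate from each user's own baseline."""
    downloads, countries = build_baseline(history)
    totals = defaultdict(int)
    alerts = []
    for _, user, activity, country, count in today:
        if activity == "login" and country not in countries.get(user, set()):
            alerts.append((user, "unusual_location", country))
        elif activity == "download":
            totals[user] += count
    for user, total in totals.items():
        past = downloads.get(user)
        if not past:
            alerts.append((user, "no_baseline", total))
        # Floor the spread so a flat history does not alert on a +1 change.
        elif total > mean(past) + sigmas * max(pstdev(past), min_spread):
            alerts.append((user, "excessive_download", total))
    return alerts

if __name__ == "__main__":
    print(detect(HISTORY, TODAY))
```

Users with no history are reported separately as `no_baseline` rather than silently passed, since a first-time user of an app is itself worth a look.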
These sanctions and measures will enable you to take a strategic approach to consumer cloud adoption, meeting the needs of users whilst keeping the organisation secure and in control.