If you’ve not yet come across shadow IT, think yourself fortunate that you’re reading this. Shadow IT is a rapidly growing risk to all businesses when it comes to IT continuity and security, heightened by the increasing ease of adoption of cloud services. It’s likely to be already happening within your business; you just may not be aware of it yet.
The term refers to IT that is not under the control of either an external or internal IT function. Take for example your marketing team, who want to gain a better understanding of the website performance by analysing visitors’ behaviour. Website analytics tools are readily available and free of charge online from software as a service (SaaS) providers. A trial of the software is quick and easily to implement without the need to go through purchasing or IT control, so Marketing decides to give it a try. With this decision, Marketing instantly becomes a shadow IT function.
So what’s the problem with this and how does this cause a risk to your business? The problem is that the shadow IT function doesn’t follow the risk mitigation procedures that your IT department would. IT functions put a lot of importance on the continuity and security of IT systems to ensure that business continuity is maximised. Executive teams go to great lengths to instil proper risk mitigation procedures with the likes of ISO 27001 information security management certification to demonstrate that they are managing the risk for both themselves and their customers. Measures such as assessing the availability and disaster recovery provisions of SaaS providers, checking how financially stable suppliers are, making sure security updates and maintenance are being performed to protect your systems. They may seem mundane, but risk mitigation procedures will reduce the risk of IT downtime. Proper risk mitigation and compliance strategies will involve thorough processes for:
- Assessing IT requirements at a business and departmental level.
- Agreeing whether the purchase is necessary or if there is already a tool within the business that can offer the same solution where the risks have already been assessed.
- Assessing supplier risk by reviewing financial stability, security, availability and functionality.
- Managing the implementation and integration process to ensure appropriate protection of all internal systems without creating vulnerabilities.
- Ensuring adequate security of data is in place e.g. where is the data held, are there any information security management certifications held by SaaS providers or data centres, what are the potential risks to your data?
- The ongoing maintenance and upgrades of systems to ensure security is maintained.
- Understanding disaster recovery and continuity SLAs. How many copies of your data are held, in what locations and what happens if the infrastructure fails?
- Getting your data back out should you decide to terminate the relationship or should your supplier go into liquidation.
With the increase in cloud computing and software as a service, IT availability becomes harder to manage. Even the public cloud offers temptation for shadow IT, with free 30 day trials. Putting data and systems into the cloud so quickly and easily bypasses all security measures and leaves companies vulnerable. We hear about IT systems going down but how much do we think about whether incidents could have been prevented by taking adequate risk mitigation measures? A recent survey of invocations at Plan B confirmed that 44% of IT recoveries in the past 12 months were due to ransomware attacks.
Shadow IT functions are unlikely to be fully aware of the security and IT continuity risks associated with purchasing and running IT outside of the proper protocols. With the introduction of GDPR in 2018, it’s even more important to ensure that your business remains compliant with the new regulation. Shadow IT functions can be one easy way to fall foul and risk financial penalties, as well as increase the risk of IT downtime in a business.