Shadow IT: When Employees Go Rogue with IT Devices


What is Shadow IT? Gartner defines it as IT devices, software and services outside the ownership or control of IT organizations. Anyone who has worked within a medium to large enterprise has encountered instances of Shadow IT. Indeed, highly regulated industries and sectors have discovered that when employees step outside the protected confines of an IT-supported infrastructure into a seemingly more process-efficient, albeit less secure, environment, they cause compliance headaches.

We’ve been talking about Shadow IT for well over ten years, yet companies continue to battle the reality: employees and their urge to work in as frictionless an environment and manner as possible continue to run counter to information security norms. Clearly this phenomenon is much more prevalent in the unclassified environment than in the classified environments over which the Facility Security Officer (FSO) and his team have their remit. That said, there are many lessons to take from the unclassified environment.

Social media and Shadow IT

Social collaboration accentuates and compounds the effects of Shadow IT. CIO Magazine quotes the CIO of Portage County, Ohio, who describes with precision the risk when employees “go rogue” and the enterprise loses access to important records. With the rise of Microsoft’s Yammer and the broad adoption of Slack as team messaging and archiving solutions, it is no surprise that all teams want those abilities within their suite of tools, even if they operate within a closed or restricted environment.

When Shadow IT is detected, what is the solution?

Dig in and research. If client materials that belong on the highly protected side of the equation, also known as the “high side”, are being revealed, then there is a good deal of paperwork awaiting the custodian of the data to explain the compromise. On the other hand, it may be possible and preferable to take the course-correcting action of ensuring no classified materials are being exposed, and then determine whether the collaboration tool can be used on-premises and within your own security protocols.

Department of Transportation’s lesson for all

The US Department of Transportation recently rolled out Microsoft Office 365 and, according to CSOOnline, received a lesson in Shadow IT. In their roll-out, they mapped their entire network to ensure the arrival of the new services would reach everyone. What they found as they mapped their network was that the field elements were full of undocumented technology infrastructure add-ons. They also discovered that the furthest outpost had the same access as all others. As they proceeded with the upgrade, the then CIO pushed down a change in process and procedures to all elements: “The days of ad hoc, unsecured and unmanaged network expansion were over.”

Knowing your network, your data, your applications and your people is the key to keeping a finger on Shadow IT. And make sure your policies, procedures and resources are making success possible rather than constipating your workers.
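As an added example (not from the article or the Department of Transportation), here is a small Python reconciliation in the spirit of that network-mapping exercise: it compares a discovery sweep against the IT asset inventory and flags undocumented hosts per site, and it checks DNS log lines for collaboration services such as Slack and Yammer that are not on the approved list. All hosts, domains and log lines are constructed sample data.

```python
"""Reconcile what is actually on the network with what IT knows about.

Added example, not code from the article. Every value below is constructed.
"""
import ipaddress

# Constructed inventory: the hosts the IT organization believes it owns.
AUTHORIZED_ASSETS = {
    "10.1.0.10": "hq-fileserver",
    "10.1.0.11": "hq-print",
    "10.7.0.5": "field-office-7-router",
}
# Constructed discovery results, e.g. from a sweep of each site's subnet.
DISCOVERED_HOSTS = ["10.1.0.10", "10.1.0.11", "10.1.0.23", "10.7.0.5", "10.7.0.9"]
# Collaboration SaaS domains worth watching, and the subset IT has approved.
SAAS_WATCHLIST = {"slack.com", "yammer.com", "teams.microsoft.com"}
APPROVED_SAAS = {"teams.microsoft.com"}
# Constructed DNS query log lines: "<timestamp> <client-ip> <queried-name>"
DNS_LOG = """\
2019-03-04T09:12:01 10.7.0.9 slack.com
2019-03-04T09:12:05 10.1.0.10 teams.microsoft.com
2019-03-04T09:13:44 10.7.0.9 yammer.com
2019-03-04T09:14:02 10.1.0.11 example.org
"""


def undocumented_hosts(discovered, inventory):
    """Return discovered IPs missing from the inventory, grouped by /24 site."""
    unknown = {}
    for ip in discovered:
        if ip not in inventory:
            # strict=False lets a host address stand in for its /24 network.
            site = str(ipaddress.ip_network(f"{ip}/24", strict=False))
            unknown.setdefault(site, []).append(ip)
    return unknown


def unapproved_saas(dns_log, watchlist, approved, inventory):
    """Flag watch-listed collaboration domains that are not approved.

    Each finding is (client_ip, domain, client_is_undocumented) so that an
    unknown host talking to an unapproved service stands out first.
    """
    findings = []
    for line in dns_log.splitlines():
        _ts, client, qname = line.split()
        if qname in watchlist and qname not in approved:
            findings.append((client, qname, client not in inventory))
    return findings
```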

Christopher Burgess (@burgessct) is an author and speaker on the topic of security strategy. Christopher served 30+ years within the Central Intelligence Agency. He lived and worked in South Asia, Southeast Asia, the Middle East, Central Europe, and Latin America. Upon his retirement, the CIA awarded him the Career Distinguished Intelligence Medal, the highest level of career recognition. Christopher co-authored the book “Secrets Stolen, Fortunes Lost: Preventing Intellectual Property Theft and Economic Espionage in the 21st Century” (Syngress, March 2008).
