In this week’s episode of #CoffeeWithKampas, EMPIST Founder & CEO John Kampas will be discussing the rising risks of Shadow I.T. Shadow I.T. refers to any technology that is used by staff but is NOT approved by the company. Using technology that is not explicitly approved poses a great risk to any company, mainly as it pertains to security, documentation, and controls.
Hi, this is John Kampas, Founder and CEO of EMPIST. On today’s Coffee with Kampas, I want to talk to you about the rising risks of Shadow I.T. Shadow I.T. refers to any technology that is used by staff but is NOT approved by the company. Using technology that is not explicitly approved poses a great risk to any company, mainly as it pertains to security, documentation and controls. When technology is approved at the company level, it typically means that I.T. has some sort of administrative control over it. This is crucial because that control can be used to audit and protect any information that is associated with that technology.
These administrative controls could include authentication, authorization, data leak prevention, backups and auditing. Some or all of these controls may be missing if you use your own technology in the workplace. The risk of a cyberattack and compliance violations increases significantly when your I.T. team doesn’t know where your data is stored or who has access to it. You also might not have the knowledge or expertise to properly protect the data.
It is estimated that Shadow I.T. accounts for 30 to 40 percent of technology spend at large enterprises. SaaS and cloud-based products have made it very easy for users to sign up for a trial or monthly subscription and begin using the technology immediately without notifying the company.
So, what can you do about this? I recommend taking the following steps to mitigate the risk of Shadow I.T.
First, create a company policy outlining acceptable use of technology and systems. Make sure the entire staff is aware of this protocol.
Second, provide adequate technology and systems for your users to conduct their job. If they have the tools they need, they have no reason to look for outside technology.
Third, educate your staff on the potential risks of Shadow I.T.
Fourth, establish a process for staff to make recommendations of new technology.
Lastly, although this is reactive, review your bank and credit card statement for Shadow I.T. suspects. Typically, these will not be large purchases so they could fly under the radar.
Before using new technology in the workplace, make sure you understand the terms of service and data protection policies. You should always seek approval from the company before you purchase the new technology, even if you are just considering a trial. If you don’t, you could be exposing the company to major risks and could be in violation of internal and external policies.
If you need any help with identifying and protecting your company against Shadow I.T., please don’t hesitate to contact me directly.
Thank you.