Overcoming the Shadow IT Catch-22

Trying to prevent shadow IT from sweeping through your organization is like trying to protect your sand castle from the waves when high tide rolls in—it can’t be done. Employees expect to be able to work wherever and whenever, and shadow IT technologies make that possible. The IT department no longer has domain over which devices and applications employees use to access and share files, which means it also no longer has complete governance over its sensitive data such as personally identifiable information (PII) and intellectual property.

Is all hope lost for the IT department? It doesn’t have to be. By developing a secure file-sharing policy that balances simplicity and security, IT departments regain control of their organization’s most valuable digital assets, neutralizing the impact of shadow IT and mitigating the risk of a data breach or compliance violation.

Unless you’re delusional, you’re well aware of the fact that shadow IT presents a significant risk to your organization. The allure of shadow IT is undeniable. Personal devices loaded with consumer file-sharing applications such as Dropbox, Evernote, Google Drive and others enable employees working remotely to quickly and easily share corporate documents. What these apps offer in terms of functionality, they sorely lack in terms of enterprise control facilities such as audit abilities and data target tracking. Gartner predicts that by 2020, one-third of successful attacks experienced by enterprises will be on data located in shadow IT resources.

Until the technology companies behind these consumer file-sharing applications adjust their product road maps to comply with your security policies (don’t hold your breath), it will be your responsibility to protect your organization’s data from shadow IT. So, as an IT leader, you need to identify a secure file-sharing solution that’s so easy to use it will see wide adoption, ensure cloud storage compliance and significantly mitigate—if not altogether negate—shadow IT risks.

The IT department, at a minimum, must have in place a CISO dashboard that provides the ability to monitor which employees are accessing, modifying and sharing which files with which colleagues, whether that colleague is inside or outside of the organization. Would you want to know why Mike, a manager in your finance department, is downloading product marketing files? Or, worse, sending files containing sales forecasts to an email recipient outside your organization?

Also, the secure file-sharing solution you choose should offer enterprise content integration with your existing on-premises content systems such as file shares, SharePoint and OpenText, as well as provide cloud storage compliance with systems including Box, Office 365 and OneDrive for Business. That way, all the information that’s stored across your enterprise, both on-premises and in the cloud, is easily accessible and shareable. The easier you make it for employees to find and share information with trusted partners outside your organization, the better success you’ll have in minimizing shadow IT risks.

The secure file-sharing solution should also integrate with the many security technologies that protect your organization, such as advanced threat prevention (ATP), data loss prevention (DLP) and two-factor and multi-factor authentication (2FA / MFA), and it should ensure that all file-sharing activity feeds into your SIEM solution. That way, your secure file-sharing solution is compatible, and therefore compliant, with your existing security and risk management policies.

It bears mentioning that technology designed to curb shadow IT use is only as good as the people using it. Therefore, you must educate your employees about the risks of shadow IT, namely public cloud services that might leak files or admit malware to the network, and about how secure file-sharing helps mitigate the potential damage a data breach can cause.

Remember that your employees are always looking for ways to get their work done more quickly and efficiently. That means they will not always consider the security implications of the shadow IT technologies they choose. If you can walk the line between enabling more secure file-sharing and better collaboration, you will position IT as a business enabler, smashing that tired stereotype of IT as the obstacle to employee productivity.

Security Boulevard
Cliff White

Cliff White is Chief Technology Officer (CTO) at Accellion. Mr. White joined Accellion in 2011. He has more than 15 years of experience in the software industry and web-based technologies. He has also managed global engineering teams and advised C-level executives on software product engineering and best practices. Before joining Accellion, Mr. White developed highly scalable software for imageshack.com, an online media hosting company and one of the most visited websites on the internet. Previously, he led the engineering function for rentadvisor.com, a peer review and recommendation website for rental properties before it was acquired by apartmentlist.com.