Have you heard of Shadow IT? Do you worry about it?
Many organisations have a defined IT policy and processes surrounding it. They may outsource provision to a third party, or they may have their own IT department, even if that's just Billy sitting in the corner, who is entirely self-taught.
The organisation may have a standard build for all its equipment, and may use only one brand of equipment, which keeps the set of security risks to be managed well defined and limited.
However, there may be individuals or whole teams that don't use the company standard. There might be an MD who really wants to do everything on a tablet, but the company has a strict "no tablet" policy. There might be a team that installs its own network connection "just in case the company one fails". And then there's George in Marketing, who prefers his Mac to the standard Windows machines.
The MD goes ahead and connects her tablet to the corporate network. The team with their own network connection leave it live and reachable 24×7: there's no firewall and no way of blocking traffic coming in or going out. George brings in his own Mac and plugs it into the network. None of these involve the IT or security teams, so the risk is unknown and therefore not managed.
These are all examples of Shadow IT: unknown equipment attached to the corporate network with few or no security controls in place. Many organisations have a problem with the proliferation of Shadow IT devices.
I think that we're rapidly approaching, or may already have passed, the moment when we have to stop thinking of it as Shadow IT and instead make sure that our controls can cope with the plethora of unofficial devices and configurations.
For example, it may be prudent to create a kind of "internal guest network" for non-standard or uncontrolled devices. This should be easy to connect to, but it provides an additional layer of control by keeping those devices separate from the managed estate. A Mobile Device Management (MDM) solution lets you provide some services to personal mobile devices while retaining the ability to remotely wipe the data on them if necessary.
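To make the "work out what is on the network, then put it on the right segment" idea concrete, here is an added example (mine, not part of the original post). It takes a handful of constructed DHCP lease lines, normalises the MAC addresses, checks each one against a hypothetical asset register of standard-build machines and a hypothetical MDM enrolment list, and says which network each device should land on: the corporate segment, a BYOD segment for MDM-enrolled personal devices, or the internal guest network for anything unknown. The lease format, the MAC addresses, the hostnames and the network names are all assumptions made for this illustration.

```python
"""Triage DHCP leases into managed / MDM-enrolled / uncontrolled devices.

Added example, not from the original post. The lease format, the asset
register, the MDM list and the network names below are all constructed.
"""
import re
from collections import OrderedDict

# Constructed: export of the asset register, keyed by normalised MAC.
MANAGED_INVENTORY = {
    "00:1a:2b:3c:4d:01": "FIN-LT-07 (standard Windows build)",
    "00:1a:2b:3c:4d:02": "RCP-DT-01 (standard Windows build)",
}

# Constructed: devices enrolled in the MDM (remote wipe available).
MDM_ENROLLED = {
    "a4:83:e7:11:22:33": "MD's tablet",
}

# Assumption: which network segment each class of device belongs on.
NETWORK_FOR = {"managed": "corp", "mdm": "byod", "uncontrolled": "guest"}

# Constructed lease lines: "<date> <time> <mac> <ip> <hostname>".
SAMPLE_LEASES = """\
# constructed DHCP lease export
2024-03-04 08:01:12 00:1A:2B:3C:4D:01 10.0.1.21 FIN-LT-07
2024-03-04 08:03:45 a4-83-e7-11-22-33 10.0.1.40 iPad
2024-03-04 08:10:02 3c:22:fb:aa:bb:cc 10.0.1.55 Georges-MacBook
2024-03-04 08:12:30 00:1a:2b:3c:4d:02 10.0.1.22 RCP-DT-01
2024-03-04 09:00:00 3c:22:fb:aa:bb:cc 10.0.1.57 Georges-MacBook
"""

LEASE_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+(?P<mac>[0-9A-Fa-f:.\-]{12,17})\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<host>\S*)"
)


def normalise_mac(raw):
    """Accept 00:1A:2B..., 00-1a-2b..., 001a.2b3c... and return aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_leases(text):
    """Return {mac: {ip, host, seen}}; a later lease for the same MAC wins."""
    leases = OrderedDict()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LEASE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        mac = normalise_mac(m["mac"])
        leases[mac] = {"ip": m["ip"], "host": m["host"], "seen": m["ts"]}
    return leases


def classify(mac, inventory=MANAGED_INVENTORY, mdm=MDM_ENROLLED):
    """Managed build first, then MDM-enrolled personal device, else unknown."""
    if mac in inventory:
        return "managed"
    if mac in mdm:
        return "mdm"
    return "uncontrolled"


def triage(text, inventory=MANAGED_INVENTORY, mdm=MDM_ENROLLED):
    """Annotate every leased device with its class and target network."""
    report = OrderedDict()
    for mac, info in parse_leases(text).items():
        cls = classify(mac, inventory, mdm)
        report[mac] = {**info, "class": cls, "network": NETWORK_FOR[cls]}
    return report


def uncontrolled(report):
    """MACs that matched neither the asset register nor the MDM list."""
    return sorted(mac for mac, r in report.items() if r["class"] == "uncontrolled")


if __name__ == "__main__":
    result = triage(SAMPLE_LEASES)
    for mac, r in result.items():
        print(f"{mac}  {r['ip']:<12} {r['host']:<16} {r['class']:<13} -> {r['network']}")
    print("uncontrolled:", uncontrolled(result))
```

Two caveats a practitioner would want. First, this is discovery after the fact: by the time a device appears in the lease table it is already on the network, so the output is an input to the conversation with the device's owner, not an enforcement control. Second, a MAC address is trivially changed by whoever controls the device, so matching on it is triage, not authentication; if you want the "internal guest network" to be enforced rather than advisory, the usual route is 802.1X with certificate-based authentication on the managed build, with the switch placing anything that fails to authenticate into the guest segment before it gets an address.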
I think we need to be having that conversation in the organisations we work in or encounter. Rather than calling it "rogue" or Shadow IT, call it uncontrolled, then work out how to control it.