The average company uses 1,083 cloud services. However, of these, only 108 are known to the IT department, and 975 are shadow IT. This term refers to those programs, devices, and apps that are not authorized by the IT department.
This is why you need to formalize your approach to dealing with these unsanctioned pieces of software and inform users of their obligations and responsibilities. This article provides a step-by-step guide to creating this document, as well as sharing a shadow IT policy example to help you create yours.
What is a shadow IT policy?
Your shadow IT policy is a document that lays out exactly how shadow IT should be used within your organization. Depending on your business, sector, risk appetite, and IT procedures, you might choose to allow shadow IT to run wild, prevent any employee from using it at all or opt for measures somewhere in the middle. Whatever you decide, you need a clear set of rules to manage shadow IT that employees should be able to access and read at all times.
This document will also provide details on procedures employees should follow when they require a solution that IT has yet to authorize. You should inform them of their obligations, the reasons behind any shadow IT restrictions, and the sanctions for contravening the shadow IT policy.
Why you need a shadow IT security policy
There are many detrimental consequences that can befall your business as a result of unmonitored shadow IT. You can prevent many of these by formalizing your shadow IT procedures in a way that leaves no doubt about workers’ responsibilities towards these programs and personal devices.
Here are some of the potential risks of shadow IT:
| Consequence | Explanation |
| --- | --- |
| Data loss and data leaks | Sending business data through unauthorized apps that are not secured by the IT department can lead to the information being intercepted by third parties or even disappearing if an employee leaves without sharing their login details to the shadow IT solution. |
| Cyber attacks | Using personal email without security protocols or downloading infected programs are just two of the ways that shadow IT can lead to a costly and destructive cyber attack. |
| Compliance issues | Handling customer data in locations other than the dedicated and secure ecosystem controlled by the IT team can lead to compliance violations in one or more jurisdictions, causing the company to receive significant financial sanctions. |
| Loss of productivity | The use of shadow IT can silo data and prevent the organization from gaining a true picture of its work and results. This leads to business units working off disparate pieces of information and creates inefficiencies. |
| Wasted money | When the central IT department does not have oversight of the licenses being used in the business, there might be many duplicate licenses that could be shared between different departments. This is one example of a shadow IT cost, but there are many other categories and ways that the business could lose money due to shadow IT. |
Steps to creating a shadow IT policy
1. Determine the risk level and categories
Looking into your current processes, you can determine which categories of risk relate to the use or potential use of shadow IT within your organization. The categories will be similar across the majority of businesses, including financial risk, operational risk, budget risk, and of course, information security risk.
However, the risk level within those categories will differ from business to business. Analyze your organization and assess the level of each risk category relating to the use of shadow IT. This will help you formulate your own rules and restrictions and create a document that prioritizes the exact elements of an IT policy that will protect your business.
2. Outline employee responsibilities
Employees are the people bringing shadow IT into the organization. So, they should be the people that you address directly with this policy. The first aspect to acknowledge is that employees rarely use shadow IT maliciously and often do not understand the detrimental effects it can have on the business.
If you have never had a shadow IT policy before, now is the time to put in place rules and detail employee responsibilities, backed up with training and information about the risks.
Implement a course of action in case an employee believes they need a certain program and there is no current sanctioned solution.
If you allow some shadow IT, you might want to require, for example, that users store their passwords securely and change them regularly, or that they enable multi-factor authentication on the tools they use.
3. Draft IT department responsibilities
You need your IT department to prioritize those business-critical functions that should under no circumstances be carried out using shadow IT. This may include, for example, dealing with customer information databases, due to the sensitive details held on record and the need to ensure absolute security.
This helps you secure the processes that could cause the most damage in case they are breached or interrupted due to vulnerabilities in shadow IT.
The policy might also spell out that the IT department is responsible for training employees in relation to shadow IT use and remaining up to date with the most common threats. You might also include a clause that requires IT to engage in the process of incorporating new software solutions at the request of employees.
4. Determine procedure for requesting new software or hardware
One of the major reasons behind employees utilizing shadow IT is the fact that they feel there is no suitable official solution to their needs. Your policy should set out exactly how they go about requesting new technology to help them complete their work.
Furthermore, there should be a commitment that they will receive an answer on whether you will authorize their request within a reasonable timeframe. Another reason employees give for seeking out their own shadow IT solutions is that the approval process with IT takes too long, and they need the tool to be in place immediately.
5. Discuss monitoring and accountability
There should be a system in place for monitoring your network to identify shadow IT before it causes problems for the business. Using a platform like Vaultry gives you control over your systems. It uncovers unauthorized applications like cracked software and unapproved freemium programs that pose serious risks to your company as soon as someone accesses one with a device connected to your network.
You will then want to create a procedure for what happens once you discover shadow IT. One way to approach this is to immediately remove the offending software or hardware as a priority, but after that, what do you do about accountability? Do you hold the employee responsible for contravening your policy? These are the issues that you need to make concrete in your policy on shadow IT.
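As an added illustration (not from the original article or from the Vaultry product), the check below scans constructed proxy log lines for destinations that fall outside an assumed allowlist of sanctioned services and ranks the hits by how many distinct users reach them, which is the kind of discovery step a monitoring system performs before the accountability procedure kicks in.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample proxy log lines (not captured traffic): timestamp, user, method, URL.
SAMPLE_LOG = """\
2024-05-01T09:12:03Z alice GET https://docs.sanctioned-suite.example/doc/1
2024-05-01T09:13:44Z bob POST https://upload.quickshare.example/api/v1/files
2024-05-01T09:15:10Z carol GET https://mail.sanctioned-suite.example/inbox
2024-05-01T09:16:52Z alice POST https://api.freenotes.example/sync
2024-05-01T09:18:21Z dave GET https://upload.quickshare.example/share/abc
2024-05-01T09:20:05Z erin GET https://crm.sanctioned-suite.example/leads
malformed line without a url
"""

# Assumed allowlist of services the IT department has authorized; anything else is a candidate.
SANCTIONED = {"sanctioned-suite.example"}

def base_domain(host):
    """Collapse a hostname to its registrable domain (last two labels; a simplification)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def find_shadow_it(log_text, sanctioned):
    """Map each unsanctioned destination domain to (sorted users, request count),
    skipping records that do not parse as four whitespace-separated fields."""
    users = defaultdict(set)
    requests = defaultdict(int)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # not a well-formed proxy record
        _ts, user, _method, url = fields
        host = urlparse(url).hostname
        if not host:
            continue  # URL without a host cannot be attributed to a service
        domain = base_domain(host)
        if domain in sanctioned:
            continue
        users[domain].add(user)
        requests[domain] += 1
    return {d: (sorted(users[d]), requests[d]) for d in users}

def report(findings):
    """Rank unsanctioned services by distinct user count (then name), so the
    IT department reviews the most widely spread shadow IT first."""
    return sorted(findings.items(), key=lambda kv: (-len(kv[1][0]), kv[0]))
```

Feeding the same functions real proxy or DNS export lines, with the allowlist taken from the sanctioned-software register, turns this into the first pass of the monitoring step described above.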
6. Implement bring your own device (BYOD) guidelines
The rise of working from home and the ubiquity of smartphones and tablets means that it is almost second nature for many employees to use their devices for work purposes. However, with often limited security protocols on these devices and the risk of using business data inappropriately, you should make sure you cover BYOD matters in your policy.
There are some benefits to BYOD, including convenience, but there are dangers as well, such as vulnerability to phishing attacks and the device being outside of your security environment. This is why you need to choose the route that you want to take and set guidelines for employees to ensure you stay within your safe zone.
7. Describe violations and penalties
There should be a clear section of the policy relating to what constitutes a violation of your shadow IT policy and the penalties for doing so.
Once you have provided training on the dangers of shadow IT and created a system for requesting IT solutions, you can show that you have given employees every opportunity to do the right thing, as well as telling them why they should remain in accordance with your rules. If they choose to ignore the policy, they need to know that there will be repercussions proportional to the potential risk to the organization.
Shadow IT policy examples
Here are some examples of shadow IT policies used by businesses within their organizations:
- Tech Pro Research created this document. It explains shadow IT to employees and the reasons behind its use before laying out the company’s policies for behavior in detail.
- The United Nations Population Fund (UNFPA) produced a much briefer policy that sets out only the main points relating to the use of shadow IT.
FAQ
Can shadow IT be safe?
Shadow IT is sometimes allowed within organizations, as it does provide simple solutions and convenience. However, as strict as usage policies might be in a business, allowing shadow IT can still not be classed as completely safe.
How does shadow IT create cybersecurity risk?
Shadow IT creates a cybersecurity risk by adding devices and programs with weaker security to your network. This creates a vulnerability. There is also the risk of phishing and cloning that can lead to hackers accessing your systems or viruses taking hold.
What is a shadow IT expense?
A shadow IT expense could refer to the cost of remediating a cyber attack, a fine for a data compliance violation or security breach, excess licenses being bought in your business, or unused licenses for shadow IT programs.
Conclusion
A shadow IT policy is essential for helping all internal stakeholders understand their responsibilities to the business with regard to programs and devices they use for work. It should cover why they shouldn’t use such programs, whether they can use their own devices and how to request access to additional programs that they need to use for work. We hope the above steps and shadow IT policy examples help you understand what should be in your document.
If you are looking for a monitoring solution to identify shadow IT on your network so you can remove it immediately, get started with Vaultry right now.