This article was originally posted on the American Society of Association Executives (ASAE) website.
We’ve all done it. From using Google Docs at work when SharePoint is the approved document sharing tool, to using Dropbox instead of the approved storage solution, the use of “Shadow IT” is a growing issue in today’s associations and nonprofit organizations. In fact, Symantec found that organizations typically have 1,232 apps on their extended network, most of which were adopted without IT approval or oversight. And 72% of IT executives admitted that they were unsure of how many Shadow IT applications are being used in their organization.
Whether it’s a personal preference for specific tools or a lack of training or access, staff tend to use the tools that make them feel the most comfortable, despite the effects this can have on an organization.
User comfort with certain products comes in many forms including familiarity, ease of use, speed and accuracy. Employees can feel frustrated and overwhelmed with the task of learning how to use a new tool and the training and learning curve that often comes with it. While some technology can seamlessly be integrated into organizations, other times users may feel the burden of these new processes. This can push employees into using Shadow IT – turning to their preferred free or low-cost tools instead of solutions provided by IT.
Unfortunately, these tools or programs might not always be the most secure and can leave data skeletons in your association’s closet – from critical member data to employee information – that are vulnerable to threat actors. Gartner predicts that by 2020, a third of successful attacks experienced by enterprises will be on their Shadow IT resources. When employees choose to use tools outside of what IT supports, it creates more weak points for the organization’s security. If your organization’s security team isn’t aware of all the additional tools being used, they cannot effectively protect employees and the association against potential threats.
When it comes to Shadow IT, what you don’t know can hurt you. Here are a few ways today’s associations can mitigate the challenges it brings.
To better safeguard your constituents’ (and your own) data, it’s imperative that everyone, from senior leadership all the way down to new hires, is on the same page. Employee training on cybersecurity best practices is crucial in helping to protect an association’s assets – especially when Shadow IT is in play.
By educating employees on how and why Shadow IT can be detrimental to an organization, as well as common threats to look out for, companies can better safeguard against those threats. For example, a single phishing email to an unsuspecting employee or a Google Doc holding intellectual property that falls into the wrong hands can be harmful to an association. Ongoing employee training helps to strengthen both their knowledge of potential threats and the use of best practices to avoid them.
Build Trust and Ensure Open Communication
Open communication is key to tackling Shadow IT in any organization. Security teams should work to build a relationship of trust so that employees feel empowered and knowledgeable about the tools at their disposal, and have a way to raise needs that are not easily met by a tool within an association’s technology portfolio. This goes beyond training to create an ongoing dialogue with employees in your organization.
Instead of seeking out Shadow IT offenders and punishing their actions, provide avenues for employees to flag necessary tools that fall outside of IT’s purview so that they can be evaluated and tracked, rather than remaining a continued unknown risk. If IT is aware of tools in use that are not sanctioned by the organization, they can ensure these digital skeletons in the closet don’t come back to haunt you or your association.
Turning Threats to Opportunities
Shadow IT isn’t all doom and gloom. Identifying the use of Shadow IT can have a positive outcome for your association. In fact, it can help organizations reevaluate technology and better prioritize tools and their investments. Are your employees often turning to Dropbox to store and share larger files? Perhaps it’s time to invest in enterprise document storage. Do your employees rely on Google Docs to share information? Microsoft Teams might be a logical next step for secure collaboration, or an enterprise agreement with Dropbox or Google might, in fact, be the best fit.
No matter the outcome, training, communications and ongoing dialogue are key to minimizing the risks that Shadow IT can bring and helping associations stay secure in today’s threat landscape.