WOOF! Newsletter

May 11, 2017

What is ‘Shadow IT’?

Shadow IT isn’t some masked intruder stealing your data. It’s your own employees eating up bandwidth and placing your data’s security in jeopardy. (Part 1 of 2)

How Unapproved Software & Devices Increase Your Costs, Jeopardize Your Data Security, and What You Can Do About It

A PlanetMagpie customer recently received a bill from their ISP.  They were surprised to learn they’d gone over their bandwidth limit.  The bill was almost $10,000 higher than usual.  They thought it was a fluke.  It wasn’t.  The next month’s bill was $17,000 higher than usual!

The cause?  Shadow IT from employee devices.  This month and next, WOOF! will delve into the murky depths of Shadow IT.  What it is, how it creeps into your business, what it can cost you, and most importantly, how to stop it.

What is Shadow IT?

“Shadow IT” is a label for unsanctioned employee bandwidth use and IT solution deployment outside of the IT department’s control.  The unsanctioned bandwidth gets used by:

  • BYOD. Employees bringing unapproved devices into the office with or without the business’ knowledge.
  • Rogue Apps. An app the employee wants to use for a business purpose, but the business hasn’t approved. For instance, using their consumer Skype account to talk with customers because they have (consumer) Skype too.
  • Personal Apps & Sites. These are non-business-related apps & websites that employees like to visit, even when at work.  Examples include Facebook, YouTube, Snapchat, WhatsApp, & games like Candy Crush and Pokémon Go.
  • Ex-Employees.  Some companies have weak inventory control policies.  Employees are allowed to leave their employment with company laptops/tablets that are still connected to the company’s internet provider. 

When employees deploy unsanctioned IT solutions within the company, IT professionals can’t vet them for safety. The rogue apps & personal apps/sites then become targets for cybercriminals. In March, Skype (consumer) users encountered in-app ads containing a ransomware trigger, disguised as a Flash update.

What if your employee had installed Skype to chat with friends, and clicked this “update”? The ransomware gets into your network, locking up computers, even stealing data.

How Shadow IT Creeps into Businesses

According to the Digitalist article “2016: The State of Shadow IT,” managing the costs incurred by Shadow IT accounted for 35% of total IT expenditures in 2016.  It’s a serious issue, especially since it creeps into your business under the radar.

Once our customer found out about their Shadow IT, we conducted a network-wide audit and found the unapproved activity.  Over the past year, the employees had:

  • Installed personal apps on company computers (e.g., personal Dropbox accounts)
  • Brought devices from home and used them on the company Wi-Fi
  • Frequented social media
  • Played online games
  • Visited non-work websites multiple times daily
  • Not returned company hardware when they left their employment
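
The following is an added example, not PlanetMagpie's audit method: it reconciles per-device traffic records against an asset inventory to surface the kinds of findings listed above and the bandwidth behind them. The traffic records, inventory, domain categories and the host `files.corp.example` are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data (not from the customer audit described above).
INVENTORY = {  # device MAC -> (owner, still employed?)
    "aa:00:00:00:00:01": ("alice", True),
    "aa:00:00:00:00:02": ("bob", False),  # left the company, laptop not returned
}
APPROVED = {"files.corp.example"}  # hypothetical sanctioned file-sharing host
CATEGORIES = {  # hypothetical domain -> finding category
    "dropbox.com": "unapproved file storage",
    "facebook.com": "social media",
    "youtube.com": "non-work website",
    "pokemongolive.com": "online games",
}
FLOWS = [  # (device MAC, destination domain, bytes transferred)
    ("aa:00:00:00:00:01", "files.corp.example", 4_000_000),
    ("aa:00:00:00:00:01", "dropbox.com", 900_000_000),
    ("aa:00:00:00:00:02", "youtube.com", 2_500_000_000),
    ("cc:00:00:00:00:09", "facebook.com", 300_000_000),
    ("cc:00:00:00:00:09", "pokemongolive.com", 150_000_000),
]

def audit(flows, inventory, approved, categories):
    """Return ({finding: {device: bytes}}, total bytes of flagged flows)."""
    findings = defaultdict(lambda: defaultdict(int))
    flagged = 0
    for mac, domain, nbytes in flows:
        reasons = []
        owner = inventory.get(mac)
        if owner is None:
            reasons.append("device not in inventory (BYOD)")
        elif not owner[1]:
            reasons.append("device held by ex-employee")
        if domain not in approved and domain in categories:
            reasons.append(categories[domain])
        for reason in reasons:
            findings[reason][mac] += nbytes
        if reasons:
            flagged += nbytes  # count each flow once even if several rules match
    return {k: dict(v) for k, v in findings.items()}, flagged

if __name__ == "__main__":
    report, flagged = audit(FLOWS, INVENTORY, APPROVED, CATEGORIES)
    for finding, devices in sorted(report.items()):
        for mac, nbytes in devices.items():
            print(f"{finding:32} {mac}  {nbytes / 1e9:.2f} GB")
    print(f"flagged traffic: {flagged / 1e9:.2f} GB")
```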

This is why we describe Shadow IT as “creeping in.”  Employees bring Shadow IT into the office with them.  Why?  Some feel their existing IT tools are limited, and that wading through the “corporate bureaucracy” to approve new tools will take too long.  It’s much simpler to grab a tablet from home.

Others just want to play around online instead of working.

The problem comes when employees find out they CAN install new apps, and visit whatever sites they want, on work computers.  The network doesn’t stop them either.

Why not?  In most cases, it happens because the security measures which could stop the practice are not in force.  Three such absences which let in Shadow IT are:

  1. No control over Internet access.  All employees had full 4G Internet access on their mobile devices, with no restrictions on which sites they could visit, or which apps they could install & use.
  2. BYOD Tablets.  This customer issued iPads to many of its employees.  Some employees brought their own personal iPads into work.  Since they looked the same, no one questioned what those employees did on them.
  3. File Storage standards not followed.  The business DOES have an approved & secure file sharing platform available for employee use.  However, employees would use other platforms to store & share files, such as Dropbox.

Shadow IT isn’t Typically Malicious. But It Damages Businesses Anyway.

It’s important to note that Shadow IT isn’t usually a malicious activity.  Quoting a GlobalScape 2016 white paper:

“When an employee’s action puts information at risk or compromises compliance, more often than not, there is no malicious intent.  Rather, it’s a case of employees doing everything possible to remain productive, and losing sight of security and compliance in the process.”

Even so, Shadow IT poses a very expensive danger to just about every business. That’s how our customer found out about their Shadow IT—two Internet bills totaling $27,000!

In Part 2, we’ll cover the 3 ways Shadow IT can disrupt your business, and how to stop it before it does.

Have a question about Shadow IT?  Email us at woof@planetmagpie.com and we’ll address it in the WOOF! Shadow IT Series.