Starting a Shadow IT Policy

Shadow IT has been a much-debated topic in the last few years. Is it a good thing that encourages employee innovation and increases production? Or is it a practice that rips company security policies to shreds, revealing every vulnerability? If you’re facing these questions, it’s probably time to craft a Shadow IT policy.

Turns out it’s a little of both. Employees want to use the tools, programs and apps that make their jobs easier. They’re typically not setting out to harm their company by using unauthorized apps — it’s that the consumer-grade tools they use outside of work are more current and simpler to use than company tools.

They may not even realize that practices that seem natural to them, for instance, sending a document to a personal email account to work on at home, are what harm a company. Or that finding somewhere “portable” to put a file, whether it be a Dropbox account or a flash drive, is just about the least safe thing one can do with a file.

The Shadow IT trend is a mixed bag, but you can give your employees what they want (better tools) while still ensuring that you are in full control of security. So go ahead and embrace it, as long as you put some policies in place first. Keep reading to figure out the first steps you need to take to craft a Shadow IT policy.

Ask Why

The first step is not as much a Shadow IT policy as it is an exercise in introspection. Ask yourself: why are your employees going outside of your current company policies to use tools that you don’t approve of?

Then go ahead and ask the employees why they’re using different tools or methods than the ones provided. You can do this by having one-on-ones or by sending out a survey. If it’s a tool they don’t like, find better alternatives. You may even find that adopting tools company-wide will be even more beneficial in terms of time and money.

Make IT Transparency A Shadow IT Policy

We’re all on the same team, but let’s just say there can occasionally be some tension between the IT department and users in other departments. No need to place blame here, but employees do need to feel comfortable discussing their technology needs with their IT department.

And IT departments need an understanding from the higher-ups that product approval processes need to be drastically sped up. The department needs flexibility but also time and manpower to investigate the tools employees are using.

If the IT department is transparent about why a tool won’t work (e.g., it has security flaws), it can increase employees’ understanding of why they can’t use certain tools. Having a higher level of transparency can help pull Shadow IT behavior out of the dark, while also not stepping on the innovation and productivity of employees.

Start Having Frequent Security Training Sessions

Okay, you can’t cover every security threat out there or you’d have no time for anything else. IT is used to having to keep up with threats, but employees are not. It’s not part of their job so it may not be something they pay attention to.

You can enlighten everyone on the latest security threats, procedures and policies by having a quarterly security meeting that briefs employees on what behavior to avoid. It can be during a lunch-and-learn or a seminar. Employee attendance must be mandatory and should be enforced by managers. Make sure to provide accompanying infographics or guides as a refresher.

If you can’t do it every quarter, you should at least be doing it once a year.

Find An Auditing Tool and Audit Activity Regularly

It seems like a logical step in keeping information secure, but many companies don’t conduct audits. The 2015 Ponemon Institute study found that 65% of IT managers surveyed said that their businesses did not conduct audits to find out if their document and file sharing activities were in compliance with laws and regulations in the last 24 months. It is surprising, especially with the Shadow IT behavior companies know is happening.

One of the reasons most companies don’t conduct audits is that they are time-consuming and tedious. However, there are tools out there that streamline the process. Tools like FileHub™ call attention to the data that matters, instead of forcing admins to search through page after page of file log data.

How does FileHub™ do it? First, FileHub™ assigns each file a fingerprint, tracking that file’s name, metadata, users, activity and keywords across the entire life of the file. Second, the FileHub™ dashboard contains a file timeline that helps interpret the lifecycle of the file. By incorporating multitudes of information into a data visualization, it becomes easier to identify outliers and anomalous behavior. This makes executing the Shadow IT policy significantly easier.

Get Internal Threats in Check with a Shadow IT Policy

Try implementing each of these suggestions in order to start your own Shadow IT policy in your office and see if you can start curbing the culture of Shadow IT. Once you’ve got Shadow IT policies in place, try out a file fingerprinting, tracking and tracing tool like FileHub™ to keep your sensitive information safe going forward.

Learn More About FileHub™

Get insight into answering the tough questions about how your employees use their files to help you investigate incidents or breaches, spot trends or help thwart employee data loss.

About the author

I am the Content Marketer at SmartFile, which means I get to learn everything and write about it -- my two favorite things. I firmly believe that oatmeal cookies should contain chocolate chips, not raisins.
