How to Handle the Risks of Your Company’s Shadow IT
Hardware, software or services that enter the company network, uncontrolled and without the knowledge of the IT department, belong to the so-called shadow IT. This decentralization of IT is often attributed to factors such as:
- The flexible accessibility and use of cloud-based software purchased by the different departments
- The increase in BYOD: the use of mobile devices by employees on the road or at home, and private devices that can be used for business purposes make it easier to bring unauthorized software into the company network
- Applications that do not require installation rights, such as portable apps, browser plug-ins, and internet downloads
Employees are not necessarily acting maliciously when using unauthorized software, but they often expose their employer to massive risks due to their lack of expertise and improper handling. This can lead to very high penalties due to compliance violations and massive security risks for the corporate network. In addition, the IT Manager or CIO is losing more and more control over IT costs and security.
Many IT leaders may suspect that shadow IT exists in their companies. However, they often have no way to find out which unknown software products are on the network and what consequences will be.
The good news is that by taking the following three steps, you can get a handle on shadow IT and save your company from dire consequences.
Step 1: Get to Know the Unknown
The first step is to create a complete overview of all software installations in the enterprise network. All PCs, servers, as well as mobile devices such as mobile phones, notebooks and tablets must first be inventoried and the installed software products has to be identified.
The data then has to be enriched with more information which is necessary for the data analysis. In order to detect unknown and risky software, the license type (e.g. freeware, free for non-commercial use, license required, etc.) and information about the program functionalities (portable app, peer to peer network, open source, etc.) can be useful indicators.
Next, you need to filter your data to get an overview of the unapproved software products in your network and to prioritize which of these products need to be handled first.
- Use an automated inventory solution, which gathers raw data to guarantee a complete and high-quality recording of the software environment
- Automated software identification based on raw data and the data enrichment through intelligent methods guarantees a high quality basis for the data analysis and avoids the massive manual effort of processing the raw data, which often consists of thousands of data sets.
Step 2: Recognize the Danger
Your next step is to filter your software portfolio by various criteria for a deeper analysis. One approach could be to analyze the individual license types, such as software free for non-commercial use. You’ll immediately be able to see the software that’s being used for business purposes (though not allowed), which can cause a compliance risk.
If you filter your software by the license type “Freeware,” you’ll have to look more closely into its licensing terms to see whether the use of the software in the company is legal.
Also, filtering and analysis of functionalities can help to identify unauthorized software. Are there peer-to-peer applications, open source software and online services such as Dropbox or suspicious games in your network? It is very likely that these programs did not enter your company through official channels. By filtering in this way, you can easily identify compliance risks and IT security threats.
By combining several different data analysis methods, you will gradually shed more light on the shadow IT, and be able to better assess and control your existing risks.
Step 3: Set up Rescue Measures
The findings from your previous data analyses form the basis for defining and implementing rescue measures, such as:
- Purchasing of all missing licenses to ensure compliance
- Adjusting employee rights (Group Policies) to prevent shadow IT
- Informing employees about the misconduct and explaining the risks they cause for the company
- Providing written warnings for the employee by HR in the case of serious breaches
- Creating automated processes that regularly inform you of unauthorized software installations so you can better manage shadow IT in the future
Of course, you could now begin to set up tougher regulations and further restrict the employees’ rights for their devices. But restrictions alone will not limit the problem of shadow IT. As long as employees don’t understand the risks of their actions, they’ll will always find a way to use the software they think they need to accomplish their tasks faster and better.
For this reason, shadow IT data should be regularly analyzed to understand the needs of your employees and adjust your software portfolio accordingly. This reduces the risk of applications running behind the IT department.
Additionally, the IT department should be open to the needs of the employees and react quickly and flexibly on requests so that projects can be implemented quickly. When communicating policies and rejecting software requests, employees should understand the reason why. This is the only way IT Managers can control shadow IT in the long term.
Do You Want to Save Your Company from the Risks of Shadow IT?
Learn in a 30 day trial of COMPAREX Portfolio Management Platform more about how to regain control of the software landscape.
Fill out the form below for any questions about our managed service for Software Portfolio Management.