How to Build a Shadow IT Policy Your Employees Will Buy Into

While large cyberattacks and data breaches make the news, small businesses are increasingly the most vulnerable. One reason? Cybercriminals target small businesses precisely because they're often less secure than larger organizations.

More and more, small businesses are also seen as the avenue into larger companies' networks, so even if it's not your information they're after, your business is still a risk. 

How large of a risk? 60% of all cyberattacks are on SMBs. And when they happen, they are disruptive, expensive, and can damage your relationships with customers and vendors.

They’re also avoidable.

One crucial area of focus for reducing your security is Shadow IT - the unknown use of unauthorized and un-vetted technology at your business. What's unknown can't be managed or secured, which is one of the main reasons Shadow IT is such a risk for small- and mid-sized businesses. Without proper vetting, Shadow IT leaves your business open to risks that can compromise your data privacy, security, and integrity. 

Employees are the Key to Resolving Shadow IT 

Shadow IT starts and ends with your employees. Defined as the use of any technology outside of IT's ownership or control, Shadow IT usually evolves out of your employees' best intentions. Most often, they're simply trying to find solutions for how to accomplish their jobs efficiently. Or they may also be working with a partner or vendor who invites them to use a technology tool for collaboration and file-sharing and doesn't think anything about it. In fact, because tech tools, devices, and especially SaaS apps are so omnipresent in our lives now, it doesn't feel like a big deal to sign up for something new. And because remote work has also exploded in the past few years, and cloud-based SaaS tools make collaboration so seamless and easy, Shadow IT has exploded in growth too. 

So when it comes to resolving Shadow IT and managing your business's tech use more effectively, your employees and their needs must be at the heart of how you move forward. Without empathy and without educating them, you ultimately won't see employee buy-in on any new changes or policies— meaning you'll still continue to see risk. 

Take a Look at IT's Role in Shadow IT 

It's important not only to handle this issue with generosity towards your employees but also to take a look at IT's own role in Shadow IT. Is IT a bottleneck, and slow to review and approve technology needs? Or is IT unwilling to listen to employees' perspectives and needs because of a preference for or even simply a comfort level with other tools or vendors?  

A lack of synchronicity between IT and employees can lead to Shadow IT; employees who are dissatisfied with the current tools may seek alternatives on their own quietly.  

So the first thing to do when you sit down to perform Shadow IT discovery and write a new policy is to be honest and reflective about the areas where IT could improve. Writing new rules alone won't solve an issue that is at its core about how your business is using technology to meet the needs your employees have so they can best meet company goals. 

Involve Employees Input in Discovery and Policy Creation 

Involve Employees Input in Discovery and Policy Creation 

The first step for any Shadow IT management is discovery: to understand the issues, you first have to bring everything together out in the open. This includes discovering what devices and applications are in use, how much they're being used, and how this compares to the current IT-approved technology.  

Involve employees, making sure to solicit their input about why they chose these technologies, how they're using them, and how they help them in their jobs.  

You can then combine this with quantitative analysis, extracted through technology, to build a picture of what to keep, what to decommission, and where to right-size features and licenses. 

What to Include in Your Shadow IT Policy 

Building a Shadow IT policy is no small feat, and it will ultimately take the cooperation of the entire organization. Security includes policies around file sharing, data storage, and network use, but also includes policies around people, like processes for on- and off-boarding employees. If you don't currently have a process for removing outgoing employees from devices and software licenses, for example, this represents a major area of risk for your information security. 

  • HR: This section of your policy should be written with HR, and address areas like how to manage employees who are in violation of your Shadow IT policy. 

  • IT Operational Processes: Your policy should include IT processes for ongoing Shadow IT discovery, disaster recovery processes, and issue resolution—what process IT will follow in the case of a data or security breach. 

  • Tech Operational Processes: You'll also want to address the processes for how IT audits and approves new technology options, how to dismantle Shadow IT where necessary, and proactive processes for how you'll manage license renewals. 

  • Financial Processes: IT should work with Accounting to review the financial implications of Shadow IT, as well as potential areas for noncompliance or insurance issues. 

  • Security Processes: Security is one of the main reasons to embark on Shadow IT discovery, so you'll want to take the time to really think this area through. Set up policies and procedures for everything from what to do in the case of physical breaches as a result of Shadow IT use, how to repair and reactivate data server activities, theft or damage, etc. Create a security checklist to guide how IT will audit and evaluate any technology’s security. 

  • PR and Communications: You'll want to work with your Marketing, PR, and/or Communications department to ensure that they're ready to address the media, company, and any affected partners or customers in the case of a security event. 

  • Education: And finally, you want to ensure that employee education around Shadow IT and security is ongoing. The best way to do so is to set up a section of your Shadow IT policy that lays out a process and schedule for continuous employee education. This includes education around the risks of Shadow IT, your new policy, what technology is approved and why, how to identify phishing, ransomware, and virus attacks, and any other relevant topics. 

In fact, one of the best methods we recommend for managing Shadow IT with your employees is a "freedom within limits" policy. Once you understand the needs driving Shadow IT use at your company, and IT has audited each technology, you can build a catalog of pre-vetted options for employees to choose from. At every step of the way, consider and communicate the context and the reasons behind each IT decision. When employees feel valued, considered, and that their needs are addressed, they'll be far more likely to buy into your new Shadow IT policy. While it's true Shadow IT wouldn't exist without employees, it's also true that it won't be resolved without them.  

Optimized and Secure in 1,2,3 

The risks of Shadow IT and SaaS sprawl include data protection and loss, expanded attack surfaces, and yep, increased costs. 

Shadow IT grows out of a lack of knowledge on both employees' and IT's part. The good news is, it's also illuminating, shining a light on the needs employees have and the tools they value. The best approaches to reduce shadow IT risk take this into consideration, establishing policies that both protect and empower, while bringing employees along through education so they view them less as restrictive, and more as protective of the team and organization as a whole. 

Fortunately, you can also take control of it and reduce it by following a three-pronged approach: technology, employee education, and policy. In our Guide How to Reduce the Risks of Shadow IT, we'll walk you through exactly how to discover Shadow IT in your business and take control of it. 

How to Reduce the Risks of Shadow IT; download the Guide

Tags: ,