For employees, using their personal laptop or favorite cloud-based software might seem like an easy, innocent way to get work done faster. 32% of employees use unapproved communication and collaboration tools at work. But this shadow IT activity can pose major risks to your organization — like data loss, compliance risks, and more.
The best way to keep everybody safe is by creating and implementing a shadow IT policy. This policy will outline approved software and explain the consequences of using unapproved systems. Here’s why a shadow IT policy is so important and how to do it right.
The term “shadow IT” refers to any IT systems, software, or applications that are used outside of your organization’s primary IT department. Employees use these systems without the IT team’s knowledge or approval.
Shadow IT encompasses employee hardware like their personal laptop or phone; services that are cloud-based, such as software-as-a-service (SaaS); or off-the-shelf packaged software. These routes are often simpler because team members don’t need to ask approval from IT to use these systems.
If an application like Slack, Dropbox, or Office 365 is approved by your IT department, it’s okay to use. If it’s not approved, however, it is considered shadow IT.
These days, shadow IT is more popular than ever because so many employees are working from home, using their personal devices and whatever software or applications they prefer.
Shadow IT has the potential to be extremely dangerous. If your main IT department doesn’t know about an application, they can’t make sure it’s safe. And the use of certain software (for example, a file sharing software) might leave you vulnerable to data leaks. Shadow IT is a compliance risk, too.
This is why you need a shadow IT policy. A well-written policy will either prohibit or regulate the applications that your employees are most likely already using. This policy ensures your company data will be safe, and your employees will stay compliant.
Your IT team, HR team, and legal team can work together to create a company-wide policy. A shadow IT policy should:
Prohibit or limit shadow IT
Explain how to identify and address shadow IT activity
You can do this by clearly explaining what systems, applications, and software employees are allowed to use in their work. Consider finding out what unapproved software employees are currently using and what purpose they’re using it for so you can suggest alternate options that are safe for work.
Discuss with all departments what steps should be taken if someone is caught in shadow IT activity. You should also make a disaster recovery plan that can go into effect in the event that this shadow activity causes a data breach.
Your goal is to prevent shadow IT entirely (educating employees on the risk can help with this). But if employees still engage in shadow activity, your policy should outline what to do next.