Imagine the following situation. You’re working with an agency that is helping you create a collection of brochures that you’ll be bringing to a tradeshow. The printer needs the files tomorrow but the link you’ve given the agency to your secured upload area isn’t working. The designer suggests that you download an application that makes it easier to share large files. Because of the pressure from management, you download the app because you absolutely must meet that print deadline.

Sound familiar? If this situation isn’t difficult to imagine it’s because it happens all the time at companies everywhere. Although most people would rarely admit to sidestepping their corporate IT department and installing malware, they do. Statistically 82% of breaches involve a human element. Mistakes such as downloading risky software, clicking phishing links, or simple human error play a major role in cybersecurity incidents and breaches.

The tricky thing is that many times, nothing happens when employees go rogue. The software that you used to share those brochures is legitimate, your vendor prints the collateral, you don’t introduce new risks, and nothing changes. No worries.

But other times, employees aren’t so lucky. Termed shadow IT, any hardware or software that is not supported by the corporate IT department can pose a security risk.

All it takes is one software download filled with malware or accessing one SaaS app with poor cloud security to infect critical systems. However, even with these ever-present opportunities for risk, most organizations don’t take shadow IT into account when they develop their security strategies.

Managing the risks of shadow IT

To mitigate risk, it’s important to think about why employees resort to shadow IT in the first place. Shadow IT most often fills gaps that IT-approved hardware or software don’t address or don’t do particularly well. Or sometimes people resort to ad hoc solutions because getting anything approved takes so long that they don’t bother. From an employee’s standpoint, it’s a lot easier to just load some software and avoid getting yelled at for missing a deadline than it is to wrangle with red tape or argue with IT about procurement and budgets.

If employees are compelled to find their own solutions to IT problems, it indicates a larger issue than any individual shadow IT app or resource. Instead, it’s indicative of communication breakdowns between the IT department and other teams within the organization.

The IT department shouldn’t be the enemy. Managers should investigate bottlenecks and encourage communication between IT departments and users. At the executive level, educating users on the risks associated with shadow IT also needs to be a priority. For users, acquiring the tools to do their jobs should be seamless so they don’t feel compelled to find workarounds. Always remember the adage: the best security is the one people will use. Technology changes quickly and organizations also should establish procedures to streamline the process of doing security reviews and provisioning new technology solutions quickly.

Take advantage of identity and access governance solutions

Understanding who has access to what is critical, so organizations need to ensure that they have governance in place. Security starts with identity, and with modern authentication and passwordless options, proving you are who you say you are should be hassle-free. Identity solutions should center around best-in-class security practices such as FIDO2 standards, risk-based authentication, and intelligent real-time insights that continuously mitigate risk.

Completing routine access requests should not always require IT involvement, and self-service capabilities and single sign-on empower users to work without disruption. On the IT side, administrators also need seamless solutions that include identity governance and administration tools.

Our Governance & Lifecycle data access governance architecture provides enterprise-wide visibility so you can tell who owns enterprise data, who has access to data resources, how they got access, and whether they should have access across file shares. The automated certification process generates actionable reviews that are simple, intuitive and effective for business users to provide evidence for audit teams.

Security is everyone’s business

Not all threats are external and IT teams need to find new ways to ensure they are securing access and ensuring compliance while continuing to support the technology needs of users. By streamlining IT operations, educating users, and embracing identity and access governance, organizations can reduce the risks of shadow IT.