Consumer technology is evolving, and even entry-level workers are technologically literate with cloud-based and collaborative technology. That’s both a boon for small businesses who want to cut costs and a limitation for those who have more demanding compliance and security demand. Shadow IT isn’t something you should be caught in the dark about. 

Here, we’ll discuss what shadow IT is and how it is going to inhibit your compliance and security efforts, which can be a huge drain for small businesses. 

What is Shadow IT?

Shadow IT is an interesting term in that it refers to practices that have been around as long as IT departments have. Shadow IT is functionality managed and implemented outside the knowledge of IT departments.

In older days, shadow IT could be as simple as an employee buying and installing software without the knowledge of IT. In modern times, it refers more accurately to the use of online services, like cloud or SaaS offerings, outside of normal IT channels to perform specific company work. 

In truth, we’ve all at some point used an outside source to accomplish some work. Whether that is Google Docs, Dropbox or some other service, we’ve already gotten comfortable with using these as part of our everyday work. This is because free, consumer software has become ubiquitous and accessible from almost anywhere and provides some of the functionality that used to be the domain of expensive enterprise products. 

Using these tools can actually have a few big advantages for employees and even companies that use them:

• They are often free: This cannot be understated. A full-featured, collaborative software suite like Google Office can essentially replace pricey software like Microsoft Office. It’s also accessible by everybody, so barriers to working together are basically nil.
  
• They lessen the burden on local IT: If your team uses Evernote to take notes for projects, then Evernote support will handle any problems, not your IT team.
  
• Overall costs are less, even for paid versions: Many cloud or SaaS products offer competitive pricing, even more so for bulk products. If an employee pools resources and buys a small business version of a product, you’ve essentially offloaded infrastructure from your business to the provider.
  
• Security is often part of the package: Cloud providers with any reputation provide security features built-in to their products. That means less time IT spends managing security or fielding requests for things like lost passwords.
  

In many cases, employees and management will turn to technology outside of the IT infrastructure simply because it makes their lives easier. Trying to procure and manage these products through IT could essentially mitigate this 

What are the Limitations of Shadow IT?

Having free-range software in your organization can, as can be expected, pose several problems. These include:

• Lack of control: When software is just implemented or used haphazardly throughout your organization, then you essentially have no control over it. If a major breach happens, or that provider changes their terms of service, then you’re faced with potential problems.
  
• Loss of data: If your team relies on cloud services and houses important business data there, then you essentially give up control of that data to the provider. This might seem like a non-issue for smaller businesses until you realize the extent to which your company data can get lost in third-party platforms.
  
• Spaghetti infrastructure: If someone’s using one platform, they are most likely using ten. It’s not unheard of for employees to use multiple cloud providers and products based on who they are collaborating with at a given time. At that point, you’ve got documents and information across multiple systems with no rhyme or reason for their placement.
  
• Slow development and innovation: Without organization and structure, advanced development paradigms like Agile or DevOps are off the table without some serious work. 

While loose software and tools can make individual jobs much easier, it severely limits how your organization can respond to challenges or changes that might help it scale or grow. 

Shadow IT and Compliance

Another challenge, and one that deserves its section, is compliance and security. 

We mentioned earlier that service providers often offer their own security infrastructure to ensure that their services protect customer data. That being said, the security requirements for compliance frameworks in important industries like government and defense, finance, healthcare or retail aren’t satisfied by these security features.

Consider the following problems:

• Third-party compliance: Most frameworks will require that third-party vendors maintain compliance when handling specific kinds of data. The burden of compliance, however, doesn’t necessarily fall on the vendor. If you store sensitive data out of compliance on a public cloud server without notifying that provider about the nature of your business, then the penalty will fall on you, not them.
  
• Business agreements: Following that, HIPAA specifically requires Business Associate Agreements (BAA) as part of compliance. This agreement shows that you and your vendors all meet HIPAA compliance for handling Personal Health Information (PHI). If you are using a cloud to store PHI without securing that cloud or working with a compliant vendor (or doing so without their knowledge) then you are facing steep penalties.
  
• No control over security: You do not have any say, or really much knowledge, about the security controls in place with a provider. So even outside of compliance, you are completely outside the decision-making process when it comes to security.
  
• Reporting and audits: third-party software providers typically don’t provide audits or reports of security events, other than for internal use. Since these are critical to most frameworks, they instantly make it impossible to remain compliant.
  
• Scalability and responsiveness: Part of compliance, especially in security and risk-heavy markets like federal agency work or contracting with defense agencies, is maintaining a scalable infrastructure that can respond to emerging threats. With a third-party cloud outside of your IT infrastructure, this is essentially impossible. 

How to Build IT Strategies In-House with Continuum GRC

Take control of your compliance and security by having a clear picture of your internal infrastructure and nipping shadow IT at the root. 

With Continuum GRC and the ITAMs platform, we automate your compliance and security auditing so that you know exactly where your data is, what your security gaps are and how to assess and manage risk. 

Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.

Want to learn more?