Security Glossary

Shadow IT

The use of IT systems, software, or services without the explicit approval or knowledge of the organization's IT department. In other words, employees using apps or cloud services of their own choosing for work, outside the sanctioned or vetted tools. Examples include an employee using a personal Dropbox or Google Drive account to share work files because it's convenient, or a team adopting a new project management SaaS on its own.

Shadow IT often arises from good intentions (people just want to get their job done with whatever tool works best), but it poses security risks: company data might end up in places that aren't monitored or secured by the company, those services might not meet security or compliance standards, and IT can't protect what it doesn't know exists.

For SMBs, shadow IT is especially common because IT controls are usually looser and everyone has the authority to get whatever they need. The best approach is to discover shadow IT and then secure or integrate it, rather than simply ban it. BrightShield's cloud posture scanning is an example of a tool for finding connected apps and services that are in use.

Educating your staff that IT isn't there to say no, but to help them use tools safely, can encourage people to come forward about new apps they find useful. Once a service is identified, you can assess its risk: perhaps that personal Dropbox account should be replaced by an official company account with proper sharing controls, or that unapproved chat app should be disallowed because it doesn't encrypt messages.

Ultimately, managing shadow IT is about balancing empowerment and security - give users easy, approved solutions so they're not tempted to go rogue, and keep visibility on network traffic and app usage so unseen risks are brought to light.
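As an added example of the kind of visibility check described above (this is illustrative code, not part of the glossary and not BrightShield's tooling), the script below runs over a few constructed web proxy log lines, skips traffic to sanctioned services, and reports users reaching well-known but unapproved SaaS, plus large uploads to hosts that are on neither list. The sanctioned and known-SaaS domain lists, the log format and the upload threshold are all assumptions for the example.

```python
"""Surface shadow-IT candidates from web proxy logs.

Added example (not from the glossary or from BrightShield's tooling): given
a list of sanctioned SaaS domains, flag users reaching cloud services that
IT has not approved, and unknown hosts receiving large uploads, so those
services can be assessed or moved under an official account. The domain
lists, log format and threshold below are assumptions.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Assumed sanctioned services; subdomains match too (e.g. api.slack.com).
SANCTIONED = {"sharepoint.com", "office.com", "slack.com", "github.com"}

# Assumed list of widely used file-sharing / collaboration SaaS.
KNOWN_SAAS = {"dropbox.com", "drive.google.com", "wetransfer.com",
              "trello.com", "notion.so", "discord.com"}

# Uploads at or above this size to a host in neither list are reported.
UPLOAD_THRESHOLD = 10_000_000  # bytes

# Constructed sample log; format: <timestamp> <user> <method> <url> <bytes_out>
SAMPLE_LOG = """\
2024-05-01T09:12:01Z alice GET https://contoso.sharepoint.com/sites/finance 1200
2024-05-01T09:13:44Z alice POST https://www.dropbox.com/upload 48213345
2024-05-01T09:20:10Z bob GET https://api.slack.com/api/chat.postMessage 500
2024-05-01T09:25:37Z bob POST https://content.dropbox.com/2/files/upload 12000000
2024-05-01T09:31:02Z carol GET https://trello.com/b/abc123/roadmap 800
2024-05-01T09:35:55Z carol GET https://github.com/acme/repo 2000
2024-05-01T09:40:12Z dave POST https://drive.google.com/upload 9100000
2024-05-01T09:41:00Z dave GET https://news.example.com/ 3000
2024-05-01T09:45:30Z dave PUT https://files.unknown-vendor.io/bucket/backup.zip 30000000
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT|DELETE) (\S+) (\d+)$")


@dataclass
class Finding:
    user: str
    service: str
    reason: str
    requests: int = 0
    bytes_out: int = 0


def match_service(host, services):
    """Return the entry in `services` that `host` belongs to, or None."""
    for svc in services:
        if host == svc or host.endswith("." + svc):
            return svc
    return None


def find_shadow_it(log_text, sanctioned=SANCTIONED, known_saas=KNOWN_SAAS,
                   upload_threshold=UPLOAD_THRESHOLD):
    """Aggregate unsanctioned usage per (user, service), largest uploads first."""
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than crash
        _, user, method, url, size = m.groups()
        host = urlsplit(url).hostname or ""
        size = int(size)
        if match_service(host, sanctioned):
            continue  # approved tool, nothing to report
        svc = match_service(host, known_saas)
        if svc:
            reason = "unsanctioned SaaS"
        elif method in ("POST", "PUT") and size >= upload_threshold:
            svc, reason = host, "large upload to unknown host"
        else:
            continue  # ordinary browsing; not a shadow-IT signal on its own
        f = findings.setdefault((user, svc), Finding(user, svc, reason))
        f.requests += 1
        f.bytes_out += size
    return sorted(findings.values(), key=lambda f: f.bytes_out, reverse=True)


if __name__ == "__main__":
    for f in find_shadow_it(SAMPLE_LOG):
        print(f"{f.user:<8}{f.service:<26}{f.reason:<30}"
              f"{f.requests:>3} req {f.bytes_out:>12,} B out")
```

The same logic works over DNS resolver or firewall logs with a different `LINE_RE`. Two caveats a practitioner would add: the known-SaaS list goes stale quickly, so it needs maintenance or a feed from a CASB or DNS-classification service, and a proxy only sees devices that route through it, so laptops on home Wi-Fi or personal phones still need endpoint or identity-provider (OAuth app consent) visibility.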
