Shadow IT: Choose Insight Before Technology

Posted on 1 April 2019

This week, our very own Amy Stokes-Waters addresses shadow IT, and the importance of seeing the bigger picture to root out the cause.

Amy: This week, I’d like to discuss Shadow IT – but first of all, here’s a lesson in how to sell a Microsoft cyber security solution for my readers…

When a Microsoft partner starts talking about addressing Shadow IT – the hidden cache of unauthorised apps employees use under the IT department’s radar – they’ll often cite tools like Microsoft Cloud App Security (MCAS) as the first port of call. My advice if they do? Sack them. Kick them out the door. Say, “No thank you!” And get your receptionist to say you’re in meetings from now until 2046.

Why? Because they’re already missing the bigger picture.

Although MCAS is a useful tool, it’s only one piece of a much wider puzzle – and it’s not even the most important piece at that. If you’re bringing technology to the table as your opener, then it’s a ‘no’ from me. We’ll come back to this later on, but before that we need to look at why you’re experiencing problems before we can address them with any one solution.

Striking a Balance

One of the first things you learn in Microsoft Sales 101 is to talk to your customers about the balance between productivity and security. The reason for this? Because it’s bloody important.

Now, I like to throw in a third dimension and make it a triangle that we’re trying to balance; that third element is cost. We all know we need to factor in budget; we can recommend the most secure solution in the world which enables the greatest user productivity ever, but if it’s costing upwards of £250,000 then we could be pricing ourselves out of a deal.

Hands up if you’ve ever used a personal Dropbox or iCloud to store a work document… Come on now, don’t be shy!

In organisations where Shadow IT is rife, users are choosing their own document storage solutions, calling clients on unsanctioned meeting apps, and sometimes even sending corporate emails from personal Gmail accounts. When we look at the causes behind a Shadow IT presence, 99% of the time it’s because there’s an imbalance in the productivity, security and cost triangle. Fundamentally, this isn’t just a Shadow IT problem: it’s an overall security management problem, which can be easily addressed when you know how.

Shining a Light on Shadow IT

To tackle Shadow IT and wider security management issues, we firstly need to look at why employees are opting to use unsanctioned apps. In my experience, 99% of the time, it’s because the apps you’d prefer them to use are not available. Why is that? Because of concerns about the security of these apps outside of the safe haven of head office.

In their enthusiasm for digital transformation and remote working, organisations have put too much emphasis on security, leaving end users unable to complete the tasks they need to complete on a daily basis. Much like water, end users will react by finding the path of least resistance; if they’re not given the tools they need to be productive, they’ll simply go and find their own.

This is where Shadow IT usage really starts to escalate. Document storage may be locked down to a local drive, but guess what? Users will upload those documents to Dropbox so they can work on them from home. Why? Because it’s easier – the path of least resistance. So you think you’re improving security by locking down your data, but in actual fact you’re leaving the organisation open to greater risks by forcing users down the route of unsanctioned application use.

In short, digital transformation projects have a lot to answer for!

Now for the Product Talk…

Whilst we can leverage the functionality in MCAS to give us a clear picture of the shadow IT usage within an organisation – and we can even use it to block unsanctioned apps – we can actually make our lives a lot easier by using tools readily available to us in other parts of the EM+S suite.

We can use Microsoft Intune to protect our corporate devices. The perimeter we’re securing in terms of technology is ever-moving, thanks to our end users and their changing devices; however, we can roll out the apps we want our employees to use and pre-configure our devices with the right profiles easily using Intune and AutoPilot. We can then protect the data in our corporate applications by restricting copy and paste functionality between corporate and personal apps. And when we lose sight of our perimeter when a device is lost or stolen? We can selectively wipe that device to make sure data doesn’t get into the wrong hands.

If your users are storing documents in Dropbox, well that’s a shame, because OneDrive for Business is a million times better (100% factual opinion) and we can protect those documents wherever they go using Azure Information Protection. Classification of documents is quick and easy. Have an internal document you want to stay within your organisation? No problem. Internally classified documents are encrypted and cannot be sent outside of your company. Even documents we send to users not within our own company can be tracked. Using the AIP portal, we can see who has accessed a document, when it was accessed and we can manage permissions, even revoking access for certain people.

The Cloud App Security tool sits alongside the other functionality available in the EM+S suite to let us monitor Shadow IT usage, pinpoint specific instances of bulk data transfers, and identify where users are logging in from dodgy IP addresses, but when the capabilities are truly leveraged into a security solution, that’s where the magic happens!

In short, with the right solutions and tools we can truly allow our users to remain productive and secure, whilst banishing Shadow IT – but only if we acknowledge the wider causes around the usage of unsanctioned apps within organisations. Do that, and everybody’s a winner.

In need of assistance when tackling the Shadow IT in your organisation? We can help. Get in touch to talk to a member of our team and let’s cast a light on the issue, together.