Coffee with Kampas - Episode 17: What is Shadow IT?
Jan 23, 2020 18:37 · 450 words · 3 minute read
Hi, this is John Kampas, Founder and CEO of EMPIST. On today’s “Coffee with Kampas”, I want to talk to you about the rising risks of shadow IT. “Shadow IT” refers to any technology that is used by staff, but not approved by the company. Using technology that is not explicitly approved poses a great risk to any company, mainly as it pertains to security, documentation, and controls. When technology is approved at the company level, it typically means that IT has some sort of administrative control over it.
This is crucial because that control can be used to audit and protect any information that is associated with that technology. These administrative controls could include authentication, authorization, data leak prevention, backups, and auditing. Some or all of these controls may be missing if you use your own technology in the workplace. The risk of a cyberattack and compliance violations increases significantly when your IT team doesn’t know where your data is stored or who has access to it. You also might not have the knowledge or expertise to properly protect the data.
It is estimated that shadow IT accounts for 30% to 40% of technology spend at large enterprises. SaaS and cloud-based products have made it very easy for users to sign up for a trial or monthly subscription and begin using the technology immediately without notifying the company. So what can you do about this? I recommend taking the following steps to mitigate the risk of shadow IT. First, create a company policy outlining acceptable use of technology and systems. Make sure the entire staff is aware of this protocol.
Second, provide adequate technology and systems for your users to conduct their job. If they have the tools they need, they have no reason to look for outside technology. Third, educate your staff on the potential risks of shadow IT. Fourth, establish a process for staff to make recommendations of new technology. And lastly, although this is reactive, review your bank and credit card statement for shadow IT suspects. Typically these will not be large purchases, so they can fly under the radar. Before using new technology in the workplace, make sure you understand the terms of service and data protection policies of that service. You should always seek approval from the company before you purchase the new technology, even if you are just considering a trial. If you don’t, you could be exposing the company to major risks and could be in violation of internal and external policies. If you need any help with identifying and protecting your company against shadow IT, please don’t hesitate to contact me directly. Thank you.