A Contributed Article by Israel Lifshitz, CEO of Nubo Software

In most businesses, the notion of a "bring your own device" (BYOD) policy has become absurd. People are using personal smartphones and tablets for business regardless of what policy says. You may as well implement a "bring your own brain" and "bring your own body" policy too. BYOD is now a description of what is happening, not a prescription for what companies should permit.

As long as business and IT leaders continue to think that policies can curb risky BYOD, "Shadow IT" will continue. Employees and departments will continue to subscribe to cloud services outside IT's awareness, raising the likelihood of data leaks, cybersecurity breaches and compliance violations. According to Netskope's January 2015 Cloud Report, organizations use an average of 613 cloud apps, 88.1 percent of which aren't enterprise ready. Their researchers estimate that 15 percent of corporate users have had their account compromised, and another 13.5 percent of business-critical apps are at risk. We've seen enough data breaches in the news to know that this danger isn't trivial.

Organizations have to fundamentally change how they regulate mobile devices. The key is turn your employees' indiscretion into an advantage. The apps and services that employees download at will - those are the services that your IT department is failing to provide.

The Consumer Mindset

Your employees are members of a business, but with a smartphone in hand, they will behave like consumers. The iOS and Android ecosystems have taught people that if you need something, download it. The expectation is that digital challenges can all be overcome with the right tool. No scanner at hand? Download a scanning app, link to your Google Drive. No access to your notes and most important documents? Download Evernote. The smartphone is a device of enablement, and Shadow IT is the inevitable byproduct. IT has no hope of changing this consumer mindset, especially if Shadow IT is already underway.

The Investigation

Instead of changing your employees, investigate why they are downloading these apps and using them to handle enterprise data. Do you offer an equivalent service, or not? If you do, why don't employees use it? Among the shadow apps that employees do use, which are true threats? Which are relatively harmless?

This investigation must involve interviews or discussions with employees. Buy them lunch if you have to, and then listen. In essence, your non-IT coworkers are your customers, and if you can't meet their needs, what's the point of IT?

The Comeback

It's fair to say that IT is behind in the shadow game, and a comeback must be orchestrated. Once you know what apps employees are using and why, it's time to go after the offenders in order of risk. So let's say that the sales department is using a cloud storage service you've never even heard of to store financial records. It's some obscure, free service that a Millennial dug up, and it's not designed for enterprise use.

The first step is to talk with the department - explain that they're using an app that could jeopardize the information security and compliance obligations of the entire company (this is where people skills come in). Then, sell them on the better, safer solution you have identified, and offer to have it up and running ASAP. Over-deliver: implement quickly, train people and make sure the launch is a giant success. Continue repeating this process.       

Preventative Measures

As you start cleaning out shadow IT - basically by providing outstanding service - you have to take measures to prevent future activity. HR can be your best partner in this endeavor. When employees are new at a company, they are impressionable - and they want to prove themselves. However, most new recruits never have a face-to-face encounter with IT. Someone emails login credentials and a link to the self-service portal, and that's about it.

So instead, ask HR for a chance to meet with new recruits. Use this opportunity to market your services. Illustrate why downloading and using random apps for business is a huge risk to the company's information security, reputation and legal obligations. Ask that these recruits come to you instead of just downloading apps. Be sincere in your offer, otherwise they will exacerbate your shadow IT problem.

This process will sound unrealistic to people who think about what IT has been instead of what it could be. IT has to evolve from the gatekeeper into a pillar of business growth and enablement. Shadow IT is not a user problem - it reflects a weakness in the culture of IT. Employees in marketing, sales, finance, etc. aren't trying to cause trouble - they're trying to do their job effectively, and they resort to Shadow IT when they lack the right tools and don't expect to get help from IT.

Change the culture of your IT department. Change the mindset of your users. Turn the current shadow IT into an advantage, and begin to eliminate this risk from your organization.  

##

About the Author