How To Address The Shadow IT Problem
What is shadow IT?
Let me start with a story I heard recently. A law firm had in place a written policy that set forth a list of approved services, software and tech devices that could be used by staff and attorneys. During a network security assessment conducted by an outside vendor, the question “Does anyone at the firm use Dropbox” was asked. The answer was “Absolutely not. Dropbox is not an approved service.” This is when one of the security consultants informed the firm that over 80 email addresses of firm attorneys and staff were tied to individual Dropbox accounts. So much for firm policies.
With this story in mind and for the purposes of this post, I will define shadow IT as services, software, and hardware that are being used for work by firm staff and/or attorneys without the explicit approval of a firm’s IT staff, which means they are also outside the control of IT staff. Please take note of the phrase “without the explicit approval of a firm’s IT staff” in this definition. To be clear, just because a service, software or device is outside the control of IT staff doesn’t necessarily mean there’s a problem. Many firms have intentionally deployed IT that is outside the control of their IT staff. A cloud-based case management system or an online backup service are two common examples. When firms go in this direction, however, the difference is that IT staff are usually involved in order to make sure this IT is deployed in a secure and responsible way. That’s what’s missing with shadow IT.
Why is shadow IT a problem?
Let’s go back to the above story. The concern over the 80+ individuals who were using Dropbox was that they would fail to take the steps necessary to use it in a competent and secure way, and that indeed was the case. Missteps included things like not enabling two-factor authentication, failing to create a strong, unique password for account access, and not responsibly using file permission settings to control who can access files, just for starters.
You can now see how this story exemplifies the shadow IT problem. When staff and attorneys at any firm make unilateral decisions not to abide by a firm’s policies and procedures and simply use whatever service, software, or device they like, unintended consequences can follow. Such decisions might be “justified” by a belief that the rules don’t apply to them, that the rules make no sense or are too difficult to follow, that no one can tell them what they can or can’t do with their own devices, or even that doing so made their work easier or more efficient in their minds. Unfortunately, if the unintended consequence turns out to be a network security breach, which is the greatest concern, their reasoning will not matter.
Is there a solution to the shadow IT problem?
Truth be told, I believe completely eradicating the problem at any firm is going to be an unattainable goal. That said, the problem can be effectively managed. Before you can responsibly address the problem, however, it’s important to understand that shadow IT is often brought into play because there were tech needs that went unmet, associated risks that were not understood, and/or apathy toward existing policies. In addition, know that trying to simply ban shadow IT outright, coupled with some type of punishment for any rule breakers, is going to be an exercise in futility. Thus, the place to start is determining what shadow IT is in use throughout your firm. Yes, you may need to declare amnesty, if you will, for a period of time in order to do so, but you can’t solve the shadow IT problem until you know what shadow IT is in use and why.
Once you know what is in use and why, work with your IT staff to determine the risks and benefits of this shadow IT and decide which of this tech makes sense to support and which doesn’t. Next, all staff and attorneys need to be educated as to why certain tech is going to be brought out of the shadows and sanctioned by the firm, and why the decision was made not to support other shadow tech. Include in this education an explanation of how to securely use the newly sanctioned tech, and detail the security controls your IT staff has layered on top of what the tech vendor provides. If no shadow IT is to be brought out of the shadows due to security concerns, take whatever time is necessary to find an acceptable tech solution that will meet the needs of those who have been using shadow IT. Again, trying to ban something without providing an acceptable alternative accomplishes nothing.
Next, update your internal acceptable use policies as called for, and couple this with any training others might need to responsibly use any newly sanctioned tech. And here’s one final idea that can help ensure long-term compliance by all with your firm’s internal policies: repeat this process perhaps every other year. Better yet, encourage anyone who is thinking about using shadow IT to bring their idea to a firm leader or IT support for review, because sometimes someone has a really good idea that just might improve the efficiency of everyone at the firm. In other words, make it easy to bring shadow IT out of the shadows.
Authored by: Mark Bassingthwaighte, Risk Manager
Since 1998, Mark Bassingthwaighte, Esq. has been a Risk Manager with ALPS, an attorneys’ professional liability insurance carrier. In his tenure with the company, Mr. Bassingthwaighte has conducted over 1200 law firm risk management assessment visits, presented over 550 continuing legal education seminars throughout the United States, and written extensively on risk management, ethics, and technology. Mr. Bassingthwaighte is a member of the State Bar of Montana as well as the American Bar Association, where he currently sits on the ABA Center for Professional Responsibility’s Conference Planning Committee. He received his J.D. from Drake University Law School.