May 2022 Newsletter

Page 36

How To Address The Shadow IT Problem

by: Mark Bassingthwaighte, Esq. mbass@alpsinsurance.com

What is shadow IT?

Let me start with a story I heard recently. A law firm had in place a written policy that set forth a list of approved services, software and tech devices that could be used by staff and attorneys. During a network security assessment conducted by an outside vendor, the question “Does anyone at the firm use Dropbox?” was asked. The answer was “Absolutely not. Dropbox is not an approved service.” This is when one of the security consultants informed the firm that over 80 email addresses of firm attorneys and staff were tied to individual Dropbox accounts. So much for firm policies.

With this story in mind and for the purposes of this post, I will define shadow IT as services, software, and hardware that is being used for work by firm staff and/or attorneys without the explicit approval of a firm’s IT staff, which means it’s also outside of the control of IT staff. Please take note of the phrase “without the explicit approval of a firm’s IT staff” in this definition. To be clear, just because a service, software or device is outside of the control of IT staff doesn’t necessarily mean there’s a problem. Many firms have intentionally deployed IT that is outside of the control of their IT staff. A cloud-based case management system or an online backup service are two common examples. When firms go in this direction, however, the difference is IT staff is usually involved in order to make sure this IT is deployed in a secure and responsible way. That’s what’s missing with shadow IT.

Why is shadow IT a problem?

Let’s go back to the above story. The concern over the 80+ individuals who were using Dropbox was that they would fail to take necessary steps to use it in a competent and secure way and that indeed was the case. Missteps would have included things like not enabling two-factor authentication, failing to create a unique strong password for account access, and not responsibly using file permission settings to control file access, just for starters.

You now can see how this story exemplifies the shadow IT problem. When staff and attorneys at any firm make unilateral decisions to not abide by a firm’s policies and procedures and just use any service, software, or device they like, unintended consequences can follow. Such decisions might be “justified” by a belief that the rules don’t apply to them, the rules make no sense or are too

May 2022 Newsletter by The State Bar of South Dakota - Issuu