Shadow IT: Assess it, don't just shut it down, say CIOs
A panel of experts at a recent Computing event explain that shadow IT can help the business, once the security risks have been assessed
Shadow IT, where staff find and consume IT services without corporate approval, shouldn't simply be shut down once discovered.
That's the opinion of a panel of experts speaking at a recent Computing event on cloud security.
Steve Williamson, director of IT governance, risk & compliance at pharmaceutical firm GSK, said that staff usually have a solid business reason for consuming unsanctioned services.
"Normally we see there's a legitimate business reason for whatever people are doing," argued Williamson. "It could be a collaborative research project and be a special case for using an unknown app. If there's a sanctioned tool [that could be used in its stead] we'll point them towards it, but if there's a genuine need, we'll do an assessment."
That assessment begins with examining the value of the data being handed over to the shadow IT service in question, he explained.
"If it's corporate IP, we'll go a bit deeper. But if it's just admin or workflow stuff, there'll be less rigour, but there'll still be an assessment. We won't just shut it down straightaway unless there's a genuine security risk. All organisations have staff using consumer cloud applications for business purposes. We've had examples where we've seen something we haven't assessed yet, but I haven't seen anything yet I'd really classify as dodgy," he added.
Terry Willis, Head of Information Systems at Age UK, said that he used to work for a large media firm that received a cease and desist order from Sony because someone was using the corporate network to download films illegally.
"We found out who it was and dealt with it. It's about education so people understand what's allowed in their role. All our data is encrypted. We have a corporate Box account, and a specified lifetime for our data, so it expires after a time. Everything else is weeded out by the firewall, and we're also weeding out Dropbox use," he explained.
Nico Fischbach, CTO Cloud at Forcepoint, said that organisations used to try to separate personal and professional data and devices, but that this is no longer possible, partly because of the increased use of smartphones.
"You have stronger control on desktop, but the phone is the vehicle used as a data transfer point between those various applications you shouldn't be moving things between. How do you view the mobile phone? Do you want to enforce policies there, or do it more centrally in cloud, rather than bloating the phone with EMM?"
Earlier in the discussion, the panel debated different strategies for assessing and mitigating risks in the cloud.