As the business environment and its challenges are always changing, new cloud applications are constantly being deployed throughout the organization. Speed and flexibility are the main reasons employees use them without their being sanctioned by IT departments, which find themselves in a constant battle to keep confidential file transfers under control and stop sensitive data from getting into the wrong hands.
Slack is a messaging app used for workstream collaboration in companies, but it has also become popular among freelancers and other independent professionals who need to communicate with different collaborators. In fact, it’s revolutionizing the way teams work by bringing messages from people together with notifications from the tools they may use at work, creating a unified archive of information accessible through powerful search. The adoption rate is great, with 3 million users in less than a year, and the user engagement even greater. You can find more stats about Slack here.
So far everything sounds great. But there’s a catch. Slack is basically a new app that facilitates the sharing of sensitive data along with the data used for everyday tasks. Employees don’t understand the risks they take by using this kind of cloud application: a recent study shows that 13% of employees in Germany, UK, and France admit storing company data on cloud applications on their personal devices and taking it to the new employer, which is illegal. With Slack, as with other similar apps, even if users’ intentions are good and in favor of the organization in terms of productivity, the possibility of easily uploading sensitive files and posting them on different channels leaves room for mistakes. If not reported to the IT department, Slack becomes part of so-called ‘shadow IT’: it is not approved or controlled by IT, so its data flow remains in the dark.
There are both positive and negative consequences derived from the use of Slack as part of shadow IT.
Positive consequences:
- Increased employee productivity
- Easier workstream collaboration
- Flexibility of working with the desired app

Negative consequences:
- Risk of data loss and other data security vulnerabilities
Some companies chose to ignore the shadow IT benefits and simply ban the use of certain apps or tools; others, on the opposite side, ignore shadow IT altogether, seeing the advantages but hoping that the negative aspects will not come to the surface. The best way to cope with shadow IT, or better said, to take advantage of the benefits (in this case, the benefits of using Slack) while addressing the risks, is to take the middle way. IT Managers should make a fresh start on the policy for the use of apps, devices, and other tools and should communicate in a transparent way with all personnel or, if that’s too idealistic, with business unit managers. They should find out what their needs are, why and how Slack is being used, and whether it would have a positive impact on other departments as well. Next, they should take that information into consideration when building the policies and drafting the IT security and infrastructure guidelines. To be fair, department managers should also listen to the IT department’s proposals for apps and devices to be used, and understand that there are limitations, like licensing or resources, that force them to sanction certain applications and devices. If Slack is a predominant app, then it should be properly evaluated by IT, and if integrations with other internal tools are possible, then why not enhance its benefits even more, just like this company did.
To sum up, here are a few ways to start with a clean slate in your approach to shadow IT or, better yet, to minimize the existence of shadow IT in your company and make the best of apps like Slack:
- Start with a short survey of your colleagues about their preferred applications, devices, and other tools for their work; you will be amazed at what you find out and it will surely make your work easier.
- Whitelist the less risky apps so employees can use them, but make sure to complement their use with data security solutions.
One of the reasons IT departments react drastically to the wave of cloud apps or to shadow devices is that they are not aware that there are solutions that reconcile users’ desires with the technological, budgetary, security and other factors IT needs to consider. Two such solutions are a big help in minimizing shadow IT risks. Encryption for cloud storage, which is basically an encrypted container where users can store sensitive data, is an additional security layer besides the built-in security features. Data Loss Prevention prevents employees from uploading or copy/pasting confidential data to the cloud and from transferring it to portable storage devices. DLP can easily block and alert Slack users if confidential data is about to be shared.
- Embrace agile principles and methodologies. If it works for IT development, why wouldn’t it work for other IT areas? It has actually proven successful in other domains as well, like marketing or business development. So, building a sound policy to deal with shadow IT can be done in short iterations, with a focus on workstream collaboration and flexibility, ensuring both the organization’s and employees’ needs are met.
Regardless of whether it’s Slack, Dropbox, Facebook, Skype, personal USB sticks or other applications and devices, their use without the knowledge and control of the IT department falls under shadow IT. And regardless of whether your course of action is to ignore it or cope with it, there is one simple thing to remember: users resort to circumventing the IT department’s policies only if they cannot find a simpler way to do their job, and that’s where IT departments can recover control.