Five measures against mobile shadow IT
Mobile shadow IT has become a challenge for enterprise IT: Employees are using unapproved devices and apps with little concern for legal, security or compliance regulations. Virtual Solution shows what companies can do to combat the proliferation of mobile shadow IT.
Shadow IT has always been a problem for companies: While it used to consist mainly of personal Excel sheets or databases that formed a largely uncontrolled and unauthorized IT structure, it now increasingly involves mobile systems and applications. Employees use smartphones and tablets in ways that bypass corporate IT regulations. They use apps like WhatsApp and Evernote or file shares like Dropbox or Google Drive for their professional tasks as well.
Such uncontrolled systems pose legal challenges for companies, not least because compliance with regulations on data protection, copyright protection or retention obligations is in no way ensured. In addition, they pose a constant threat to IT security because attackers could gain easy access to corporate IT via inadequately secured mobile applications.
Virtual Solution clarifies what companies can do to combat mobile shadow IT:
- Inform employees: The carelessness of employees when using smartphones and tablets is often due to a lack of knowledge, for example with regard to legal implications; only when employees are fully informed about the problems associated with the use of unauthorized apps can they be expected to handle them more carefully.
- Learn from employees: Companies should take a good look at which apps employees use privately. From this, they can learn which functionalities are needed and which the company apps do not provide; if "official" alternatives are available, the risk from possible employee misconduct is reduced.
- Involve departments: Many departments now decide for themselves which tools to use. Companies should ensure that IT and business departments work closely together so that meaningful apps are made available and security standards are adhered to in the process. IT and compliance officers must not act as "brakemen" but as constructive business enablers.
- Control infrastructure access: Companies need to define exactly which apps are allowed to access which internal resources or cloud services. For example, they must define which email app is allowed to access the Exchange or Office 365 server; unauthorized apps must not be allowed access.
- Provide the right apps: When selecting approved apps, security and compatibility with stationary IT are important. Nevertheless, usability also has a high priority. Only if users are satisfied with the apps and can do their work without any problems will they not go looking for shadow apps.
"The basic problem of shadow IT is not the unintelligent users, but the IT decision-makers who do not take enough account of the employees' needs," explains Günter Junk, CEO of Virtual Solution AG in Munich. "They generally want to work productively, so shadow IT is always a piece of practiced criticism; corporate IT should take that very seriously and focus more on employee requirements in the future."