Turning the tide: how the public sector can win the battle against shadow IT
Tackling shadow IT should be an urgent priority for government in the wake of the WannaCry breach on the NHS, says Julian Cook.
Shadow IT practices show up deficiencies in existing information management - Photo credit: Ole Spata/DPA/Press Association Images
Like many private sector businesses, organisations in the public sector are experiencing problems posed by the practice known as shadow IT.
This term denotes the use of IT systems and software inside organisations without explicit approval, which leaves those bodies vulnerable to security breaches.
With the recent NHS data breach in mind, cybersecurity issues are very much a current concern for the public sector.
According to a survey conducted by Vanson Bourne, shadow IT is rife in the public sector, with 33% of respondents saying that employees at their organisation regularly disregard corporate guidelines by using personal devices and file sync-and-share applications at work.
It is a widespread issue, and one that needs urgent action.
To combat shadow IT and reduce the risk of costly data breaches, public sector organisations need to seize the initiative across a number of fronts.
These include educating employees on the dangers, enforcing clearer IT usage policies and understanding the deficiencies in information management procedures that drive employees to shadow IT in the first place.
What is Shadow IT?
With many employees now accessing work resources on their own devices, and the availability of a plethora of software applications designed to make people more productive, unsanctioned IT practices are becoming increasingly commonplace.
Indeed, Vanson Bourne’s research revealed that 32% of public sector IT decision-makers stated that their employees used personal cloud services without the knowledge or approval of the IT department.
The rapid rise of shadow IT is giving decision-makers major headaches, and the biggest concern for IT departments is the potential security threat that lurks.
The use of unauthorised devices and apps by employees often goes unnoticed and unmonitored and, as a result, many organisations are facing the negative consequences of these unsanctioned behaviours.
These risks range from a loss of control of documents, to data loss, non-compliance issues and information security breaches.
According to the survey, 31% of respondents had experienced at least one security breach in the past year due to unauthorised employee use of personal file sync-and-share solutions at work.
With the General Data Protection Regulation (GDPR) coming into force next year, and with it the danger of heavy fines for non-compliance, it is critical that organisations maintain control and visibility of their documents and information-handling practices.
Confronting the dangers
To combat Shadow IT, public sector organisations need to tackle the issues from several different angles.
The first area is one that can be addressed by IT departments almost immediately. IT decision-makers need to review their current policies on the use of personal devices and file sync-and-share apps (if a policy exists), and make any necessary changes so that usage of these devices and apps are strictly governed.
By implementing and regularly enforcing such a policy, IT departments can communicate to staff the impact of not adhering to these guidelines, and how this could negatively affect the organisation.
The second area involves understanding what drives employees to embrace unsanctioned practices in the first instance. Human beings are naturally inclined to gravitate towards the easiest way of getting their work done, and the use of personal devices and applications in the workplace is no different.
While it is difficult to pry employees away from devices and applications with which they are familiar, these practices point to the fact that the needs of employees are not being met by the IT solutions currently available to them.
In most cases, this is due to deficiencies in existing information management solutions and approaches, or that no such solutions are in place at all. This, in effect, is the root cause of Shadow IT.
One way to address this issue is for public sector organisations to look at how simple-to-use enterprise content management (ECM) solutions can make a difference.
ECM solutions allow organisations to intuitively store, archive and manage information based on what it is, rather than where it stored.
This eliminates the need for traditional folder-based file structures, which are often a source of exasperation for employees looking to find, access and edit the correct documents.
By making this process much more straightforward, employees will be less inclined to turn to unsanctioned apps and practices in the pursuit of greater efficiency.
Turning the tide
Because IT solutions are often unfit for purpose, shadow IT has been allowed to creep into IT practices at public sector organisations.
The key to dealing with shadow IT is finding a way for information management processes to become as convenient and the solutions employees use in their personal lives.
If these challenges are tackled, the public sector stands a much better chance of avoiding another data breach like the one experienced by the NHS.
Julian Cook is vice president of UK business at supplier M-Files
Campaign groups Foxglove and The Citizens to launch court case in two weeks if practice is not stopped
Thirteen-strong team of tech experts brought together
Deals awarded to Post Office and Digidentity also include the transfer of data to government
Newly created entity will also focus on data infrastructure
PublicTechnology talks to Salesforce about why police forces need to adopt new omnichannel capabilities, offer the public channel choice and the benefits of doing so
It’s been one of the most challenging years for healthcare providers, but Salesforce sees lasting change from accelerated digital transformation
Cloud-based applications can provide ways for agencies and departments to innovate and operate in new ways, as the past year has highlighted they must, writes Oracle
Higher Education institutions are some of the most consistently targeted organisations for cyberattacks. CrowdStrike explores the importance of the right cybersecurity measures.