Turning the tide: how the public sector can win the battle against shadow IT
Tackling shadow IT should be an urgent priority for government in the wake of the WannaCry breach on the NHS, says Julian Cook.
Like many private sector businesses, organisations in the public sector are experiencing problems posed by the practice known as shadow IT.
This term denotes the use of IT systems and software inside organisations without explicit approval, which leaves those bodies vulnerable to security breaches.
With the recent NHS data breach in mind, cybersecurity issues are very much a current concern for the public sector.
According to a survey conducted by Vanson Bourne, shadow IT is rife in the public sector, with 33% of respondents saying that employees at their organisation regularly disregard corporate guidelines by using personal devices and file sync-and-share applications at work.
It is a widespread issue, and one that needs urgent action.
To combat shadow IT and reduce the risk of costly data breaches, public sector organisations need to seize the initiative across a number of fronts.
These include educating employees on the dangers, enforcing clearer IT usage policies and understanding the deficiencies in information management procedures that drive employees to shadow IT in the first place.
What is Shadow IT?
With many employees now accessing work resources on their own devices, and the availability of a plethora of software applications designed to make people more productive, unsanctioned IT practices are becoming increasingly commonplace.
Indeed, Vanson Bourne’s research revealed that 32% of public sector IT decision-makers stated that their employees used personal cloud services without the knowledge or approval of the IT department.
The rapid rise of shadow IT is giving decision-makers major headaches, and the biggest concern for IT departments is the potential security threat that lurks.
The use of unauthorised devices and apps by employees often goes unnoticed and unmonitored and, as a result, many organisations are facing the negative consequences of these unsanctioned behaviours.
These risks range from a loss of control of documents, to data loss, non-compliance issues and information security breaches.
According to the survey, 31% of respondents had experienced at least one security breach in the past year due to unauthorised employee use of personal file sync-and-share solutions at work.
With the General Data Protection Regulation (GDPR) coming into force next year, and with it the danger of heavy fines for non-compliance, it is critical that organisations maintain control and visibility of their documents and information-handling practices.
Confronting the dangers
To combat shadow IT, public sector organisations need to tackle the issues from several different angles.
The first area is one that can be addressed by IT departments almost immediately. IT decision-makers need to review their current policies on the use of personal devices and file sync-and-share apps (if a policy exists), and make any necessary changes so that usage of these devices and apps is strictly governed.
By implementing and regularly enforcing such a policy, IT departments can communicate to staff the impact of not adhering to these guidelines, and how this could negatively affect the organisation.
The second area involves understanding what drives employees to embrace unsanctioned practices in the first instance. Human beings are naturally inclined to gravitate towards the easiest way of getting their work done, and the use of personal devices and applications in the workplace is no different.
While it is difficult to pry employees away from devices and applications with which they are familiar, these practices point to the fact that the needs of employees are not being met by the IT solutions currently available to them.
In most cases, this is due to deficiencies in existing information management solutions and approaches, or to the fact that no such solutions are in place at all. This, in effect, is the root cause of shadow IT.
One way to address this issue is for public sector organisations to look at how simple-to-use enterprise content management (ECM) solutions can make a difference.
ECM solutions allow organisations to intuitively store, archive and manage information based on what it is, rather than where it is stored.
This eliminates the need for traditional folder-based file structures, which are often a source of exasperation for employees looking to find, access and edit the correct documents.
By making this process much more straightforward, employees will be less inclined to turn to unsanctioned apps and practices in the pursuit of greater efficiency.
Turning the tide
Because IT solutions are often unfit for purpose, shadow IT has been allowed to creep into IT practices at public sector organisations.
The key to dealing with shadow IT is finding a way for information management processes to become as convenient as the solutions employees use in their personal lives.
If these challenges are tackled, the public sector stands a much better chance of avoiding another data breach like the one experienced by the NHS.
Julian Cook is vice president of UK business at supplier M-Files