Just as employees are known for using company devices for personal purposes, employees email company data to their personal accounts and store data on their personal devices or personal SaaS accounts, against or in the absence of BYOD/BYOC policies. These increasingly common practices have become known by a dark and sinister moniker: Shadow IT.
Shadow IT adoption will happen in your organization and probably already has.
So imagine your shadowy Shadow IT perpetrator. It could be a low-level employee, a senior executive, or anyone in between. This employee is a good worker, except for the fact that he is blatantly violating your data stewardship policies by keeping company data on his personal, unapproved device or SaaS account.
And then the employee loses said unapproved device. Or their personal password gets compromised.
Cleaning up the Shadow IT Surprise
The temptation for many employees in this bind – especially if they are sufficiently low on the corporate ladder – would be to never say a word about it, lest they get in big trouble and possibly lose their job. This puts the organization in a bind as well, because while it has an interest in ensuring employees don't put its data at risk in the first place, it has an even greater interest in knowing when that data is put at risk anyway.
So how do you encourage employees who have contributed to a data compromise because they violated company policy to come forward? How do you get employees to self-report?
"It starts with awareness," answered Bertrand Dussert, Oracle's VP of Human Capital Management Transformation and Thought Leadership, at a press and analyst roundtable discussion at Boston's Oracle CloudWorld.
This awareness, specifically, is not just of practicalities but also of company policy, which means having a company policy and documented process for just such an occurrence.
"These things can happen[;] if they do, these are the steps you take," said Dussert. The very existence of a documented process for this situation will encourage employees to self-report, Dussert explained, because the employee will assume that if the process exists, "It's happened to other people before" – and therefore coming forward and following the process does not equal an automatic firing.
Of course, that process and that policy have to mean something.
"The only thing worse than no policy is a great policy that's not followed," Sean Mahoney, partner at K&L Gates, told attendees at the recent NRS Technology and Communication Compliance Forum.
Of course, the same applies to the very problem at issue: mitigating the damage of employees not following policy. Therefore, Mahoney explained, you have to consider how you're going to mitigate the damage of noncompliance when designing a BYOD (or anti-BYOD) or similar technology-use policy. The first step to accomplishing this, according to Mahoney, is having a pulse on what your employees want and what they are inclined to do. Shadow IT often illuminates real needs within the organization.
"[W]hen my daughter was five or six years old, she decided she wanted a cat," related Mahoney. "The cat will tell you where its litter box is going to go."
Indeed, both Mahoney and Dussert observed, security and compliance take a backseat to Joe Everyman just trying to get his work done.
"[I]f [your employee-device policy] means that I'm less productive, you're just going to lose support from executives," advised Dussert.
"Your business people, like if they have the newest thing, like the phablet or the iPad or whatever the next thing is, they're gonna use it, and you don't have much control over it," said Mahoney, emphasizing the importance of damage mitigation over all else. "[O]ne of the hardest things to police is people who store things on [personal] hard drives [and the like;] they have iPads and they're gonna use them and you can't stop them[.]"
"I thank my daughter and the cat for that lesson," Mahoney added.
Shadow IT Damage Control via the Carrot and the Stick
Still, there has to be some policy reinforcement and some consequences for those who flout the rules. So how are these competing interests balanced?
"I like to use the carrot more than I like to use the stick," said Michael Stewart, assistant vice president and information security officer of the Federal Reserve Bank of Boston, in an interview with Enterprise Networking Planet. "The stick is really the last resort."
So when does "the stick" get used? How should punishment be determined? Stewart explains that when it comes to shadow IT, the factors are twofold: the employee's intent and the employee's role.
As to the first, Stewart advises looking to a pattern of changing behavior – i.e., "If John Smith does it, and he never does it again[.]"
As to the second, Stewart notes that there is a big difference between, say, an administrative assistant in a customer-facing department, and an IT worker who should know better.
"You have to think of the role of the person," advises Stewart. "If it was somebody on my staff [in the information security department], they wouldn't be on my staff anymore."
Stewart emphasized in his interview, however, that the Federal Reserve has "a fairly mature, risk-aware culture because of what we do[;] we encourage people to self-report."
On top of these considerations, there is potentially a third prong to take into account: the scope of the data compromised by shadow IT.
"[Y]ou can't answer any of those [questions] unless you know what data's affected," Mahoney told his audience.
All of these questions, then, become less of an HR issue and more of an IT issue and an issue for one's own department.
"I am not the punitive branch of the Federal Reserve," Stewart quipped. He notes that he and his department would make appropriate recommendations depending upon the above factors in case of such a self-reported data compromise due to policy violation – and that, ultimately, it's for the affected departments/stakeholders to decide what is the best way to handle the individual case. There is no one-size-fits-all solution.
In any event, experts agree that a non-draconian culture remains optimal when it comes to punishment.
"People will make mistakes [and] violate [company] policy," Yonatan Striem-Amit, CTO and cofounder of Cambridge information security startup Cybereason, told Enterprise Networking Planet when asked about this issue. "You really need to [ensure that] coming clean [is] the best insurance policy."
Joe Stanganelli is a writer, attorney, and communications consultant. He is also principal and founding attorney of Beacon Hill Law in Boston. Follow him on Twitter at @JoeStanganelli.