Are rogue IT downloads harming your business?
Reasons, prevention, and responses to rogue IT.
Rogue IT is probably affecting your business right now. But do you need to do anything about it?
Rogue IT, the appearance of unapproved, undocumented, unsanctioned, and unvetted technology without your IT department’s oversight, occurs in almost every organization. Years ago, rogue IT meant the addition of unknown hardware and software resources, which created complex problems. But now, in a world where adding unapproved technologies can be as simple as clicking on a website link to add a cloud service, dealing with rogue IT can be an everyday issue, and a major one at that.
But why would an employee decide to download such technologies? And, if such downloads are an inevitable part of today’s changing business world, how can you protect your business from potential harm?
The roots of rogue IT
When you talk to users about why they are implementing their own IT technologies and bypassing the approval process, their answers almost always boil down to two issues: either they needed something that IT could not or would not provide, or they felt that waiting for IT to provide a solution would introduce an unacceptable delay in their process. On the macro level, this simply highlights the need for IT and business units to make sure that they are on the same page. Unilateral directives — from either side — simply lead to problems as both groups end up feeling poorly served and unable to get their work done.
An IT group needs to be accessible to business units so that there is a free exchange of information. Business units that have specific needs that veer from the current IT plan need to be able to express these needs to an IT group. Furthermore, IT professionals need to be prepared to receive such requests, and be able to craft a measured, thoughtful response — not simply adhere to existing guidelines that might not cover the exact situation. A “one-size-fits-all” approach can greatly simplify the IT workload, but it may not allow business units to operate in the most efficient and cost-effective manner.
Preventing rogue IT
At the individual or group level, providing the proper education in IT and network resources can help curb rogue IT and keep your IT department from having to lock down the computing environment and throttle productivity. Educating users on the potential consequences of their rogue IT actions may give them pause before they attempt to circumvent standing policies, while also promoting a sense of shared ownership of the network.
For example, one of the most common rogue actions is users taking advantage of simple web-based storage to store files that they want to be able to access from multiple locations — a core tenet of information mobility. Dropbox, OneDrive, Box.net, and many others offer simple interfaces for most platforms, desktop and mobile, and allow any user with an Internet connection to access the files. The problems that this can create, however, are many.
While these cloud storage services do make the files available to users wherever they like, they also have the potential to expose what may be proprietary business information to unauthorized users. Because each copy of the data only has the security settings the individual user has chosen to apply, there is no way to know exactly who has access to the data and who might have made it (often unintentionally) publicly available.
A proactive IT department could avoid this issue completely by creating a business account on such a service. With an enterprise account, users have access to additional security and management functionality that many of these storage vendors don’t offer their basic users. Thus, the service is available to users who need it, but account access and control are back in the hands of IT, and not the individual users.
A measured response
To limit the impact of rogue IT, IT departments need to think outside the box. Today’s employees can easily adopt rogue IT that doesn’t require the approval or support of your IT department, whether through their mobile devices on existing networks, the addition of their own wireless access points with limited or no security, or the use of web services to store and manipulate business data.
To combat this, the knee-jerk IT reaction is usually to just lock everything down. By tightly controlling access at the network layer, it is possible to prevent the use of public web services, additional networking hardware and most unofficial sources of services and applications. However, that adds a lot of extra tasks to the IT workload, both in dealing with the lockdown and the end-user complaints. For businesses with limited resources, this can create significant issues in terms of maintaining a strong data security posture.
Thus, a more effective way to deal with rogue IT is to keep the internal IT department ahead of the curve. In order to provide sufficient services and adequate response times to meet end-user needs, IT professionals need to adapt and become responsive to employees who would otherwise be driven to develop their own, unapproved technology solutions.