When an accounting firm first starts growing, employees make IT and data storage decisions on the go, but before you know it, different employees are using different software as a service (Saas) products to store data, collaborate on work and submit projects and your IT team has no control over it.
This phenomenon is called shadow IT and it affects businesses in every industry. But as common as it is, it also represents a significant risk to your firm and clients.
When you don’t know which applications your employees use or where all of your sensitive data is stored, it becomes impossible to organize and manage who has access to it. If you’re part of the 92 percent of organizations who don’t know the scope of shadow IT within your company, you’ll want to work with a trusted data storage partner to complete the following process.
Step No. 1: Survey employees for shadow IT usage
Every day, new technologies are released that make your employees more productive and efficient, so it’s natural that they would take advantage of those products. But what many employees don’t realize is that using a product or service that hasn’t been vetted by the IT team may have a negative effect on security and compliance for your organization.
Alert your staff to the risks that can come with adopting shadow IT, including unencrypted data storage and connections, less-than-rigorous password systems, inability to meet important compliance standards and the legal issues around who owns the stored data. Ask employees to provide a list of services and subscriptions they use to conduct business so that the IT team can gain greater visibility over where data is stored.
Once your IT team has visibility over how employees use shadow IT, perform risk assessments on each technology. Ensure that each system meets your minimum password and compliance requirements, as well as any standards you have around encryption, mobile device accessibility, and usage.
When you understand the risk of each product, let employees know which ones they can continue to use and which they need to discontinue. Set a date for when you’ll need to block the apps that don’t meet your requirements and allow employees the necessary time they’ll need to transition away from the unacceptable options.
If possible, provide a recommendation for a similar app or technology that does meet your security requirements, so you don’t limit the team’s ability to perform.
Step No. 3: Proactively address threats
After reviewing your firm’s shadow IT usage, you’ll be able to define an access-and-usage baseline to guide your company’s technology management in the future. Use this baseline as a proactive way to uncover patterns of behaviors that don’t fit the norm that you can further assess as potential threats.
Then, develop strategies to address them. This proactive strategy – as opposed to reactive strategies like data loss prevention tools, firewalls and intrusion prevention systems – will give you more control over how employees are using apps and services to store and manage data.
Whether you work to limit all shadow IT or want to allow your firm to operate within a reasonable baseline of products, the key to keeping your data secure is to establish as much visibility, control and protection as possible. Work with your team to identify technology needs that can be met in secure, compliant infrastructure so you can benefit from new developments in technology and security alike.
We're proud to present the Technology Strategy series in association with AbacusNext who share our commitment to helping firms adjust to the digital world as safely as possible. AbacusNext provides a suite of best of breed services to accountants including OfficeTools Practice Management, Results CRM, and Abacus Private Cloud.