Shadow IT and Bring Your Own Device (BYOD) policies can adversely impact the best-laid corporate plans if guidelines are not put into place in the beginning, and from the top. Today’s computer and mobile device users are quite familiar with how to download and install applications without any assistance from the company IT department. In fact, the average person uses more than 30 cloud services on personal devices; this includes file-sharing, collaboration, and content-sharing services. While these new tools have certainly changed the way employees work, they’re also changing the way businesses create, manage and dispose of information.
Gone are the days of clear-cut records. Today, organizations must look at all the information they create and collect, including emails, Tweets and other social media posts, online data and more, and determine how these new types of records will be managed in an ever-increasing regulatory environment. A records and information management (RIM) strategy alone is no longer enough—organizations must incorporate their records management into a broader, more strategic information governance (IG) plan.
What Is Shadow IT?
Shadow IT, by definition, is either hardware or software — and sometimes both — that are used within a business that is unrelated to and unsupported by the company IT department. This technology has not been approved by the firm’s IT specialists, and in some cases, they may not even be aware that it is being used.
The rise of BYOD and Shadow IT has largely been driven by employees themselves. Smartphones, applications and other cloud computing tools have dramatically changed within the past decade, and employees have embraced the convenience and ease of these new tools. Today, 67% of employees use BYOD devices at work, yet only 53% reported that their organization has a clearly defined policy allowing the use of these devices in place.
Risks of BYOD and Shadow IT
While Shadow IT hardware or software can be quite useful and cost effective, it can also introduce greater security risks if business security protocols are not put in place before use. A study by the Ponemon Institute showed that 45% of all applications used by organizations are cloud-based, yet IT departments only have visibility to half of those applications. This disconnect and lack of strategy could lead to:
- Loss of control and visibility of company data that is transmitted, stored and processed on personal devices or unsupported programs.
- Potential data leaks or disclosure of company information from unsupported devices or software due to hacking or other cyber threats.
- Accidental exposure of data due to physical loss or theft of BYOD devices.
- Devices with compromised integrity, such as smartphones and tablets that have been jailbroken or rooted.
- Compliance issues stemming from the lack of an appropriate IG strategy and adequate employee training that addresses personal device usage, password and security requirements and acceptable use.
Additionally, added concerns about email and text messages, even Tweets and other social media postings arise in the BYOD era. Many organizations still don’t have an appropriate IG plan, let alone a records management strategy, that defines or addresses how this information is classified. Without an IG framework that addresses these issues in place, this information may never be collected to create and retain as a record, and organizations could be missing out on capturing vital business information.
How Can RIM and IG Work Together Under the Pressure of Shadow IT?
While RIM and IG often get lumped together, they are not the same thing.
A RIM policy addresses the lifecycle of a document from creation to destruction. An IG strategy designates accountability for the successful management of electronic files created or collected within an organization. IG must take a broader, more strategic approach to ensure that all information is created, organized, managed and destroyed in ways that align with their organization’s goals.
With BYOD devices now a commonplace in most workplaces, IG leaders must adapt their frameworks to address the rising concerns that come along with using these devices and determine which cloud computing software and providers are right for their organization. Their solutions need to manage digital records and documents while mitigating compliance issues and increasing operational efficiencies. Additionally, the records management solution employed must corral and record the information that is disbursed via BYOD.
Fortunately, IG is not alone in today’s exponentially growing data environment. While Shadow IT and BYOD certainly impose new challenges on IG professionals, RIM leaders also face similar issues as workplace technology continues to evolve. By working with IG leaders in their organization, RIM professionals can play a strategic role in identifying the records and information employees are producing, as well as in developing the appropriate strategies and policies needed to support both a strong RIM and IG program without eliminating the technology that makes employees jobs easier.
It is possible for BYOD and IG to successfully coexist as long as a consistent IG program is instituted within an organization. This plan should clearly outline the organization’s commitment to managing its information stores and guide employees on best practices. Appropriate IG plans include rules for meeting compliance needs, reducing risks and contributing to operational efficiency and cost reduction initiatives. After all, Shadow IT supplies innovation at a faster rate than corporations typically can afford; overseeing and monitoring acceptable use is key.
Minimizing Risks and Ensuring IG
Using a powerful cloud computing records management system like FileBRIDGE® Governance allows businesses to protect and control digital documentation while still offering employees the ability to access and collaborate information from anywhere. Using any internet-connected device, employees can find documents, see where they are located, view the information contained and its retention expiration date. Combining the appropriate electronic records management and a thorough IG program centralizes data and allows for consistent enforcement, retention, and disposal policies while keeping everyone compliant with regulations.