Shadow IT and rogue policy can cost you your job

By Darian Mavandad
July 29, 2022
6 min read
IT guy working at laptop

WhatsApp is a totally free messaging platform, right? Well, if your financial institution falls privy to rogue and lack-luster policy management, WhatsApp could cost you $125 million, as it did J.P. Morgan Securities. Shadow IT, often going hand-in-hand with rogue policy, has become more and more of a problem as employees gain access to computers in their pockets.

Before we dive into how Shadow IT and rogue policy are affecting you and your organization, let’s first take a look at each term closely, and define them for clarity’s sake.

  • Shadow IT: “The use of information technology systems, devices, software, applications, and services without explicit IT department approval” – Forcepoint
  • Rogue Policy: Policy that is non-complaint and has not been vetted and approved by proper departments, and most importantly, does not live on your single source of truth.

With these definitions in mind, let’s dive into how to assesses if your organization has fallen privy to Shadow IT and rogue policy, the impacts, and how to quickly solve any holes in compliance management.

Shadow IT syndrome: are you infected?

Before we can even begin to discuss solutions for Shadow IT and rogue policy, it’s important to figure out if you are plagued by these malaises in the first place. There are a few warning signs to look out for:

1. Employees are using personal phones and laptops (without IT approval)

BYOD has been adopted by a significant number of companies, from small to large (notable: Intel), but there needs to be clear and proper policy for a bring-your-own-device office. Some industries are bound by outside regulation preventing them from allowing employees to use their personal devices for work. In the United States, there is regulation in place for financial institutions, where all broker-deal records must live in a system or medium that “preserve[s] the records exclusively in a non-rewritable, non-erasable format”. This can cause an issue for the use of personal devices that feature encryption secured with remote-wipe, such as Macs running MacOS Monterey or later. When employees begin to use their own devices without the approval from IT and other key departments, compliance is affected, and policy needs to be set.

2. Work-related files and documents are being shared on a non-IT-approved channel, such as Google Drive or DropBox

Device with lock on it

Employees that use non-IT approved software to share documents and files are also at risk of breaking the same regulations as mentioned above. The cloud (whoever the provider may be) is notorious for not being easily auditable. If ever your institution was required to show a log of all files created and deleted, an unauthorized cloud solution would actively work against the audit-ready file sharing you as IT have set-up.

3. Employees are using personal email accounts to conduct official business

As IT, you have gone to great lengths setting up email servers that comply with regulations relevant to your industry. For example, if you are a financial institution, your email servers comply with US regulation that all employee communications are retained for seven years, per the Sarbanes-Oxley Act of 2002.

Personal email accounts rarely have such compliant measures set in place, and if your company were to get audited, it would be those personal email accounts or even other messaging solutions (WhatsApp, SMS, iMessage) that could cost your organization hundreds of millions in fees (not to mention the cost of legal representation and loss of business).

What are the business impacts of Shadow IT and rogue policy?

Judge ruling against a case

As discussed above, when employees adopt systems and services that are not IT approved (hence, the emergence of self-governance and Shadow IT), they put your organization at risk for audits and hefty fines and fees, not to mention a potential loss in business and revenue.

That falls squarely on your shoulders.

You are hired to ensure that all information technology systems, services, and devices are compliant with appropriate federal and state legislation. By allowing rogue policies and Shadow IT to take over, you have failed. It’s your responsibility to stay on top of such things, and to ensure your reputation and job remain intact.

And the fees and legal repercussions for your organization can be eye-watering. This blog opened with an example from J.P. Morgan Securities and their WhatsApp use. Breaking that down, what really resulted in a problem was that the use of WhatsApp as an employee communication platform broke the aforementioned Sarbanes-Oxley Act of 2002 that requires record keeping of all communications. When the SEC caught wind of this (either through deliberate whistleblowers or loose lips), J.P. Morgan was hit with a $125 million dollar penalty. As a result, dozens of J.P. Morgan employees were fired or had their bonuses cut. Don’t let that happen to you and your colleagues!

The SEC also performs regular and random audits to financial institutions of all sizes, including smaller credit unions. And these credit unions are still held to the same regulation and standards as all other large banks and firms, and failure to do so can result in equally high penalties.

Help! Shadow IT has taken over!

One of the key reasons that rogue policy and Shadow IT are running rampant is that an organization lacks a centralized hub for all policies, documents, knowledgebases, and support ticket submissions to live—at IC we call this a “single source of truth”.

Your intranet is the ideal place for such policies to live, as everyone in your organization has access to it, and it is purpose-built with features that support and elevate compliance. Working closely with HR, you as IT can create a database of all important policies—and create new ones as you see fit—and ensure that all employees have read and agreed to them. This way, you have a log of all the precautions you took to ensure the systems used in your financial organization met important federal laws and regulations and avoid $125 million fines.

Avoid Shadow IT and put all your policies on an intranet ASAP

While certain Seattle-built intranets may be widely used amongst the industry, they lack important features that bolster them as a single source of truth within an organization. With Intranet Connections’ software, you are getting an out-of-the-box solution that requires little set-up, with powerful policy management tools built right in—such as read and agrees, and Push communications reminding employees to comply with your policies. Furthermore, as many of our 1,600 clients are in the financial industry, we have put together many resources, including success stories, tools and templates, and blogs on how to best utilize a financial intranet.

Don’t wait, book a demo and learn about all our compliancy boosting features today!

By Darian Mavandad

Darian has a degree from McGill University, and joined IC to empower internal communicators by creating content that inspires. In his free time, he loves traveling, reading, and skiing.