Many words have been written about Shadow IT in the past few years. This is the growth of IT deployed in organisations without the knowledge of the IT department, far more prevalent now that software, and indeed more complex arrangements like virtual hosting, can be acquired in the cloud using a credit card. I have seen it described as the biggest headache for CIOs and the source of uncontrolled data, damaging regulatory compliance, risking ISO 27001 accreditation and bringing about The End Of The World As We Know It.
I’ve always been more ambivalent about Shadow IT. I see it as a necessary part of the evolution of business systems, as people innovate to improve their service. The idea that the IT department knows best is a futile one, as they do not operate at the edges of the business. In fact, best practice is for them to maintain Enterprise Architecture from the centre, a position that has many advantages for organisations that want to maintain consistent business logic, reporting and investment plans.
I’m less sanguine about the arrival of a new phenomenon, which is ‘Shadow IoT’. Innovation in the management of buildings, using smart technology exploited by more forward-thinking Facilities Management teams, is on the rise and is bringing great efficiency benefits across the board – particularly in energy use. However, my experience is that this is very rarely aligned with corporate IT policy and practice. Indeed, much of it is managed by third parties and implemented during the construction and commissioning of a new building.
Barely a day goes by without another report of poorly implemented security in ‘smart’ IoT devices used to control lights, heating etc., whether it’s an inherent design flaw or simply bad practice during installation. A recent survey into security in Building Automation Systems (BAS) revealed that whilst 86% of systems are connected to the Internet in some way, and over half the respondents thought an attack could do significant harm to the organisation, only 29% had implemented security systems around their BAS.
Whilst attacks on buildings and their systems can undoubtedly bring about serious problems, basic security flaws in design and commissioning become more serious still when the building network is connected to the corporate network. In the survey mentioned, this was the case around half the time. Such a connection can provide a soft ‘back-door’ into the wider information systems.
This is a concern for CIOs and corporate boards in general, who manage information security on behalf of customers and employees. Often the response is a corporate diktat prohibiting all connected systems without the express permission of the IT department, but this rarely works – see the example of Shadow IT. Realistically, IT teams must be constantly communicating with their stakeholders across the whole organisation, including Facilities Management, to help them make sure they are doing their bit to maintain security.
Just like Shadow IT, the rise of Shadow IoT is inevitable and adds another layer of complexity to our digital footprints. It cannot be wished away, and must be managed with the co-operation of all involved.