- January 5, 2021
Within large IT infrastructures with so many interconnected devices, it is hard to keep a close watch on all the possible security issues. Taking into consideration the increasing Bring-Your-Own-Device (BYOD) trend adopted by many organisations, it is getting even harder to keep a completely safe IT perimeter. Modern workers are used to reaching for tools, or even building their own, to make their life at work easier. It happens all the time, often slips under the IT department's radar, and carries a rather notorious name - “shadow IT”.
To be more precise, shadow IT refers to all IT projects and activities that are built and/or used inside an organisation without organisational approval. Usually, shadow IT grows out of pure necessity, as increasingly tech-savvy employees come up with their own solutions to specific business-related problems.
Not long ago, IT departments had full control over all technology decisions, but things have changed: new technologies are created and deployed extremely fast, and different business units tend to adopt them even faster. Also, with the BYOD phenomenon in place, where employees make their own choices about the mobile hardware and software they use for work, and with all the cloud computing, SaaS and PaaS applications around, it’s practically impossible for IT departments to keep tabs on all these newly risen threat highways.
All too often, we hear of in-house IT personnel being completely in the dark about what's happening with technology in their own organizations.
At the very beginning when the term shadow IT was forged, it mainly comprised unapproved Excel macros and software bundles employees bought at the local supply store. Since then it has grown substantially, with Gartner having predicted shadow IT management would account for 35% of total IT expenditures in 2016.
The rapid growth is pushed by the increasing quality of consumer cloud-based applications such as file sharing apps, social media and collaboration tools, but it’s also driven by businesses deploying enterprise level SaaS apps. Although it may sound counterintuitive at first, it is now clear that Shadow IT can help businesses become competitive and employees more efficient.
What happens now is that while IT departments are no longer in charge of the infrastructure, they are still responsible for ensuring security and compliance for the data employees upload to corporate cloud services. It means IT often has to say “no” to employees using various cloud apps for their jobs, or even block access to certain cloud apps through the company’s firewall.
But then again, for every blocked app it’s easy for any tech-literate employee to find a new, potentially riskier service as a replacement.
All it takes today is a credit card and a browser to purchase a low-cost licence and have a new application up and running in virtually no time. After that, importing corporate data and integrating other corporate services can easily be achieved without IT even being aware of it. It’s clear at this point that imposing restrictions and preventing access to tools on corporate desktops is a pointless exercise in the long run, as the pressure on employees to be productive is far greater than any concern over data security and corporate compliance.
According to ComputerWeekly.com there are 4 key risk areas to consider with shadow IT:
If you can’t beat them, join them. With all the risks and downsides of shadow IT, a company’s natural instinct would probably be to try and clamp down on it, as it’s probably seen as a threat to their business. But rather than fight it, it has proven to be much more efficient for IT decision-makers to admit their shortcomings and learn how to address the reasons shadow IT shows up in the first place. Instead of seeing shadow IT as a threat, it can easily be treated as an opportunity to let employees find the applications they like and want to use, so that IT departments can then enable and implement company-wide those services that have gained traction and are enterprise friendly.
According to Ralph Loura, former CIO at HP:
“We embraced the idea of this shallow exploration of new technologies, new tools, and new processes by our users. To the degree that they discover these applications or services that make their jobs easier, that make them more efficient at selling or better at running a supply chain or better at sourcing talent, then everybody wins.”
Promoting low-risk shadow IT services that have reached a tipping point in employee usage starts with understanding what cloud services employees use, how they use them, and the services' associated risk.
As said earlier, IT departments no longer pull all the strings when it comes to the servers, devices or applications being used inside an organisation's environment. The upside is there are now plenty of ways to change how IT departments actually operate, so they can better meet business needs. Understanding and embracing the origins of shadow IT within a company might reduce or possibly even eliminate shadow IT altogether.
When IT departments analyze the use of cloud services across the organisation’s infrastructure, they often find shadow IT is much more present (up to 10 times and more) than initially expected. Consider that today there are over 1,083 different cloud services being used by companies. That is why it is no surprise that IT departments often discover employees using services they have never even heard of before. Also, the average company uses up to 57 different file sharing and other online services. Using such a large number of different services can obstruct collaboration between employees and departments. That is why standardizing on enterprise licenses for 2-3 services greatly improves collaboration and also reduces cost.
After auditing the risk of each service and its security implications, IT teams can then make informed choices about which services are most suited to be promoted or enabled to boost internal business processes. Stomping down on shadow IT can result in slower adoption of innovation and employee dissatisfaction, which can hurt the organisation in the long run. On the other hand, addressing it too loosely opens up unnecessary security and legal issues. To sum up, the key to success when dealing with shadow IT is to find the right balance between corporate needs, security standards and employee desires.