What is Shadow IT and How to Address It
Within large IT infrastructures with so many interconnected devices, it is hard to keep a close watch on all the possible security issues. Taking into consideration the increasing Bring-Your-Own-Device (BYOD) trend adopted by many organisations, it is getting even harder to keep a completely safe IT perimeter. Modern workers are used to reaching for tools, or even building their own, to make their life at work easier. It happens all the time, often slips under the IT department's radar and it carries a rather notorious name – “shadow IT”.
To be more precise, shadow IT refers to all IT projects and activities that are built and/or used inside an organisation without organisational approval. Usually, shadow IT grows out of pure necessity, as increasingly tech-savvy employees come up with their own solutions to specific business-related problems.
Not long ago, IT departments had full control over all technology decisions, but things have changed: new technologies are created and deployed extremely fast, and different business units tend to adopt them even faster. Also, with the BYOD phenomenon in place, where employees make their own choices about the mobile hardware and software they use for work, and with all the cloud computing, SaaS and PaaS applications around, it’s practically impossible for IT departments to keep tabs on all these newly opened threat highways.
All too often, we hear of in-house IT personnel being completely in the dark about what’s happening with technology in their own organizations.
Cloud Propelled Shadow IT
At the very beginning, when the term shadow IT was coined, it mainly comprised unapproved Excel macros and software bundles employees bought at the local supply store. Since then it has grown substantially, with Gartner having predicted that shadow IT would account for 35% of total IT expenditures in 2016.
The rapid growth is pushed by the increasing quality of consumer cloud-based applications such as file sharing apps, social media and collaboration tools, but it’s also driven by businesses deploying enterprise-level SaaS apps. Although it may sound counterintuitive at first, it is now clear that shadow IT can help businesses become more competitive and employees more efficient.
What happens now is that while IT departments are no longer in charge of the infrastructure, they are still responsible for ensuring security and compliance for the data employees upload to corporate cloud services. It means IT often has to say “no” to employees using various cloud apps for their jobs, or even block access to certain cloud apps through the company’s firewall.
But then again, for every blocked app it’s easy for any tech-literate employee to find a new, potentially riskier service as a replacement.
The Risks of Shadow IT
All it takes today is a credit card and a browser to purchase a low-cost licence and have a new application up and running in virtually no time. After that, importing corporate data and integrating other corporate services can easily be achieved without IT even being aware of it. It’s clear at this point that imposing restrictions and preventing access to tools on corporate desktops is a pointless exercise in the long run, as the pressure on employees to be productive is far greater than any concern over data security and corporate compliance. According to ComputerWeekly.com there are 4 key risk areas to consider with shadow IT:
- Software Asset Management (SAM) Compliance: Even with decent processes for handling the acquisition of software licences in place, SAM by itself is a great challenge for IT departments. Using apps procured outside these processes makes SAM impossible, which ends up exposing the company to substantial risks. When detected, unapproved software can result in a mandatory audit of the whole infrastructure as well as of the associated financial plans necessary for compliance. Ultimately, unlicensed or unapproved software can result in harsh sanctions for the CIO, such as huge fines and/or jail time.
- Absence of Testing and Change Control: For every new device and application that enters the corporate IT infrastructure, the IT department has to check it and set up “change and release” processes to avoid security and performance issues. None of this is possible with shadow IT, as these processes are simply bypassed. One of the main drivers of using SaaS is that customers are always up to date and using the latest version. However, these upgrades can often result in system issues or even failures. The processes of handling changes, testing and releasing corporate software are quite demanding by themselves, and shadow IT adds another third-party layer of complexity to them.
- Governance and Industry Standards: Companies invest a lot of effort and resources to ensure compliance with government- and industry-imposed regulations. They adopt ISO/IEC 20000 or similar standards to demonstrate a level of quality to customers. All those efforts are wasted if the official documentation doesn’t reflect the actual state of the environment.
- Configuration Management: Defining relationships between systems and populating a configuration management database (CMDB) may take IT groups months or even years to complete. If employees then go outside official channels and procedures, key services may end up unsupported because IT is not aware of them.
How to Address Shadow IT
If you can’t beat them, join them. With all the risks and downsides of shadow IT, a company’s natural instinct would probably be to try and clamp down on it, as it’s probably seen as a threat to the business. But rather than fight it, it has proven to be much more efficient for IT decision-makers to admit their shortcomings and learn how to address the reasons why shadow IT shows up in the first place. Instead of seeing shadow IT as a threat, it can be treated as an opportunity: let employees find the applications they like and want to use, so that IT departments can then enable and implement company-wide those services that have gained traction and are enterprise friendly.
According to Ralph Loura, former CIO at HP:
“We embraced the idea of this shallow exploration of new technologies, new tools, and new processes by our users. To the degree that they discover these applications or services that make their jobs easier, that make them more efficient at selling or better at running a supply chain or better at sourcing talent, then everybody wins.”
Promoting low-risk shadow IT services that have reached a tipping point in employee usage starts with understanding what cloud services employees use, how they use them and the risk associated with each service.
As said earlier, IT departments no longer pull all the strings when it comes to the servers, devices or applications being used inside an organisation’s environment. The upside is that there are now plenty of ways to change how IT departments actually operate, so they can better meet business needs. Understanding and embracing the origins of shadow IT within a company might reduce or possibly even eliminate it altogether.
When IT departments analyze the use of cloud services across the organisation’s infrastructure, they often find shadow IT is much more present (up to 10 times and more) than initially expected. Consider that today there are over 1,083 different cloud services being used by companies. That is why it is no surprise that IT departments often discover services they have never even heard of before being used by employees. Also, the average company uses up to 57 different file sharing and other online services. Using such a large number of different services can obstruct collaboration between employees and departments. That is why standardizing on enterprise licences for 2-3 services greatly improves collaboration and also reduces cost.
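As an added illustration (not code from the GlobalDots article), the discovery step described above can be run against web-proxy logs: inventory every cloud service host seen, compare it with IT’s sanctioned list, and rank the unsanctioned ones by adoption so the most-used can be vetted and promoted first. The log format, hosts, departments, category map and sanctioned list are all constructed for this example.

```python
from collections import Counter
# Constructed web-proxy log sample: timestamp user department destination-host bytes-sent
PROXY_LOG = """\
2016-03-01T09:12:04Z alice finance drive.example-cloud.com 20480
2016-03-01T09:13:11Z alice finance sharefast.example 1048576
2016-03-01T09:15:40Z bob sales crm.example-saas.com 5120
2016-03-01T09:16:02Z bob sales quickshare.example 2097152
2016-03-01T09:20:33Z carol eng drive.example-cloud.com 4096
2016-03-01T09:21:09Z carol eng paste.example 8192
2016-03-01T09:22:55Z dave eng quickshare.example 512000
"""
# Services IT has vetted and licensed enterprise-wide (constructed list)
SANCTIONED = {"drive.example-cloud.com", "crm.example-saas.com"}
# Hypothetical host-to-category map; hosts not listed are reported as "unknown"
CATEGORIES = {"drive.example-cloud.com": "file sharing", "sharefast.example": "file sharing",
              "quickshare.example": "file sharing", "paste.example": "collaboration", "crm.example-saas.com": "crm"}

def parse_log(text):
    """Yield (user, dept, host, bytes_sent); malformed lines are skipped rather than aborting the run."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue
        _ts, user, dept, host, sent = parts
        yield user, dept, host.lower(), int(sent)

def inventory(text, sanctioned=SANCTIONED):
    """Per host: distinct users, departments, bytes uploaded, category and whether IT sanctioned it."""
    report = {}
    for user, dept, host, sent in parse_log(text):
        e = report.setdefault(host, {"users": set(), "depts": set(), "bytes": 0,
            "sanctioned": host in sanctioned, "category": CATEGORIES.get(host, "unknown")})
        e["users"].add(user); e["depts"].add(dept); e["bytes"] += sent
    return report

def unsanctioned_by_category(report):
    """Unsanctioned services per category; several file-sharing tools signal a standardisation candidate."""
    return dict(Counter(e["category"] for e in report.values() if not e["sanctioned"]))

def top_unsanctioned(report, n=3):
    """Unsanctioned hosts ranked by distinct users, then bytes sent: the ones to vet and promote first."""
    unsanc = sorted(((h, e) for h, e in report.items() if not e["sanctioned"]),
                    key=lambda he: (len(he[1]["users"]), he[1]["bytes"]), reverse=True)
    return [h for h, _ in unsanc[:n]]

if __name__ == "__main__":  # print the inventory when run directly
    rep = inventory(PROXY_LOG)
    for host, e in sorted(rep.items()):
        print(f"{host:26} {e['category']:14} users={len(e['users'])} bytes={e['bytes']:>8} {'sanctioned' if e['sanctioned'] else 'SHADOW'}")
    print("unsanctioned per category:", unsanctioned_by_category(rep), "| review first:", top_unsanctioned(rep))
```

In a real deployment the same inventory would be fed from the proxy or firewall export and the sanctioned list from the SAM or CMDB records, so that the report also exposes services the CMDB does not know about.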
After auditing the risk of each service and its security implications, IT teams can then make informed choices about which services are most suited to be promoted or enabled to boost internal business processes. Stamping down on shadow IT can result in slower adoption of innovation and employee dissatisfaction, which can hurt the organisation in the long run. On the other hand, addressing it too loosely opens up unnecessary security and legal issues. To sum up, the key to success when dealing with shadow IT is to find the right balance between corporate needs, security standards and employee desires.
If you need help addressing shadow IT, feel free to contact our experts at GlobalDots and resolve all your security and performance concerns.