What is Shadow IT?

Admin

For businesses and other organizations, it’s important that IT admins have complete control over their systems so they can improve security, handle maintenance, and help users troubleshoot issues. When admins have control over systems, it can also prevent something known as shadow IT from occurring.

Below, we explain what shadow IT is and its business implications.

The Basics of Shadow IT

Shadow IT is a term that refers to employees using software, devices, services, applications, and IT systems without the approval of the IT department or their employer. Because cloud adoption has grown so much in recent years, shadow IT has become increasingly pervasive.

Other names include rogue or stealth IT.

In one survey, 80% of employees said they used applications at work not approved by IT.

Often, employees start using these tools to make their jobs easier or improve their productivity. They might find a better way of doing something than what’s officially sanctioned by IT, or there may be a gap altogether that the employee wants to fill on their own.

Shadow IT isn’t inherently a bad thing if it’s helping drive innovation and productivity. The big problem is typically the potential for security risks and compliance violations.

Why Do Employees Use Shadow IT?


As touched on above, research finds the primary reason employees use shadow IT is to be more efficient. A lot of employees feel like they have to work around policies outlined by their employers to get things done, and they’d rather simplify how they do things.

Shadow IT can happen even more pervasively in workplaces with bring-your-own-device policies.

SaaS offerings are the most common form of shadow IT systems. Commercial desktop products and apps for phones and tablets are also somewhat common.

Specifically, beyond SaaS options, some of the sources of shadow IT that are most frequently seen in the workplace include:

  • File storage solutions
  • Productivity, project management, and collaboration tools
  • Messaging apps
  • Email services

While we’ve touched on the general reasons, particular reasons employees use shadow IT can include:

  • Employees don’t think the approved services and software are efficient
  • They aren’t comfortable working with approved software, or they find it complex
  • The solutions available aren’t compatible with their devices
  • Employees don’t understand the scope of security risks stemming from shadow IT

What Are the Risks of Shadow IT?

As mentioned above, shadow IT isn’t all bad if it’s helping improve productivity, efficiency and innovation. It comes with some pretty significant risks too, though.

  • There’s a lack of IT control. If your IT team doesn’t know software exists within the network, they can’t determine whether assets are secure and the software is safe to use. Any time IT lacks control and visibility, it creates larger attack surfaces.
  • When employees use shadow IT, they could access data they shouldn’t have, and there’s the risk of critical data loss. An unapproved application might not have data backups, and an employee isn’t likely to have their own recovery strategy.
  • Software vendors are constantly releasing new patches to deal with errors, bugs, and vulnerabilities. Your IT team is responsible for keeping on top of those updates, and you lose that oversight with shadow IT. Your team isn’t aware of the updates because they aren’t aware of the solution being used.
  • Using unapproved software or applications could cause compliance issues. Under the General Data Protection Regulation (GDPR), for example, you’re required to process your users’ data fairly and transparently. You can’t know that you’re doing that if you don’t know what your employees use to do their jobs.
  • In some ways, shadow IT can boost efficiency, but it can also impede it.

What Can You Do?

In general, some of the things you can do to prevent or avoid shadow IT in your organization include:

  • Outline the risks specific to your organization.
  • Work with your employees to be transparent about what they’re using. You may find that the tools they’re using are promising solutions on a larger scale.
  • Train employees generally about cybersecurity and their role in keeping data safe, as well as the possible ramifications of using software that isn’t trusted.
  • Make sure your IT department is balancing convenience and security when choosing solutions.

You want to make it an organizational priority to always test different technologies and make sure you’re using the best ones, so rather than working against employees here, work with them and consider their concerns.
