Shadow IT refers to any technology that has not been sanctioned for use by, or is not under the control of, the IT team. Included under the umbrella term of shadow IT are devices, software, cloud applications, and web services. Shadow IT has been driven by the growth and accessibility of solutions that can easily be procured and deployed by individuals without formal technical support from corporate IT.
One of the biggest shadow IT challenges is data security. Corporate IT teams bear responsibility for sensitive data created, shared, and stored in shadow IT solutions that they do not manage. Other issues include difficulties with bandwidth due to unseen and unplanned usage, document version control, and the costs of duplicated solutions.
Why Employees Use Shadow IT
Employees use shadow IT for a number of reasons, including to:
- Circumvent bottlenecks
- Avoid processes that slow them down
- Rely on software they are familiar with
- Use solutions that are compatible with mobile devices
- Work with legacy applications that are no longer supported
Employees’ perceptions, some more accurate than others, that drive the use of shadow IT include:
- Approved solutions are less effective than alternatives
- Approved solutions are more complicated and uncomfortable to work with than alternatives
- Approved software is not available on mobile devices
- Alternative solutions will improve productivity by helping them do work more quickly and effectively
Seven common shadow IT use cases:
- Data backup and storage
- File sharing
- Sharing through social media
- Mobile access
- Connecting through video conference and messaging
- Productivity improvement
Shadow IT Risks
Even though shadow IT solutions can have benefits, many do not conform to IT requirements in terms of reliability, control, and security. Below are some of the risks posed by shadow IT.
Increased Risk of Data Loss
With shadow IT applications, the risk of data loss is elevated.
Many of these applications include file sharing, storage, and collaboration, which can lead to sensitive data leaks. Because they operate outside of IT, tools used to monitor data often are not able to identify and stop unauthorized use of sensitive data, especially when it is created in a shadow IT environment.
Data residing in shadow IT applications or storage are not subject to the rigorous backup and recovery protocols followed by corporate IT. Backup and recovery become the responsibility of individuals who do not have either the expertise or sense of urgency that corporate IT does. Without effective backup and recovery in place, critical data could be lost in the event of an incident.
Increased Risk of Data Breach
Shadow IT resources lack access controls provided by corporate IT. This means that unauthorized parties could see, modify, or pilfer sensitive information. Credential theft also poses a data breach risk since shadow IT resources, unmonitored by corporate IT, lack log data that could point to unauthorized access.
Shadow IT inherently has fewer security measures than would be imposed by a corporate IT team. Corporate IT has limited control over how data is managed; the provider, or even individual users, decide how to manage and protect company data.
Shadow IT lacks the multiple levels of security used by corporate IT teams; it does not have the redundancy and increased protections that corporate IT offers, where each layer identifies and stops threats other layers may have missed.
Patch management also presents a risk as shadow IT does not adhere to the schedules and processes that corporate IT teams do. Vulnerabilities, left unpatched, leave these solutions open to known exploits.
Because shadow IT puts individuals in control, data could be at risk. Unbeknownst to users, shadow IT solutions may not adhere to compliance requirements.
Employees often turn to shadow IT to improve their productivity, but they do not understand the ripple effects. Often, a shadow IT solution that is good for one person or group creates issues for another.
When users choose their own IT solutions, the potential for incompatibility increases—especially with files. This leads to breakdowns in collaboration and time wasted trying to deal with technical issues.
Also, because shadow IT is not supported by corporate IT, when technical problems arise, users are left to address them on their own without the benefit of technical expertise. That situation is exacerbated when primary shadow IT proponents and users leave the company.
Often, shadow IT solutions are just different versions of solutions already paid for and managed by corporate IT. This not only means that the organization is paying for the same functionality twice, but also that management time is duplicated.
With shadow IT, incidents can result in extended downtime. Because of users’ inexperience and lack of technical expertise, a fix that would take corporate IT just a few minutes can take end users much longer.
Shadow IT Benefits
Despite its challenges, shadow IT is not without benefits. When properly managed, it has advantages for both users and corporate IT.
Typically, employees use shadow IT solutions to meet specific needs that are not met with solutions approved by IT. These solutions can improve employees’ productivity and efficiency. They also boost morale, because users are able to select the tools that best suit their needs.
Often, shadow IT solutions surfaced by employees bring better or previously unknown solutions to corporate IT. Busy corporate IT teams do not have time to research new solutions, especially niche ones. Shadow IT can offer a view into innovative new technology that can benefit the entire organization as well as shine a light on solutions that are not meeting users’ needs and expectations.
Empowering users to choose the tools they use makes them more effective and engaged as well as increasing adoption. Letting users suggest solutions from shadow IT helps them feel empowered and satisfied.
Reducing IT Workload
Allowing users to select and use shadow IT solutions offloads support and management from corporate IT. Also, approving the use of a particular solution gives IT insight into what is being used rather than IT being forced to guess or remain unaware.
Shadow IT Examples
Following are shadow IT solutions that often exist alongside those approved by corporate IT:
- Online or cloud storage
- File transfer
- Personal email
- Website hosting
- Infrastructure / hardware
- SaaS solutions
- Productivity tools
- Workplace efficiency apps
- Social media
Managing Shadow IT
Rather than futilely attempting to eradicate shadow IT, it is best to develop strategies to manage it. Managed correctly, shadow IT can benefit corporate IT.
Consider the following when thinking about how to take advantage of shadow IT instead of fighting it.
Understand the Need
Shadow IT use is driven by employees who want to bring the features of IT solutions they use outside of work to the workplace and to address needs unmet by corporate IT solutions. To help reduce shadow IT, give your users a “vote” when current corporate solutions are being end-of-lifed or nearing their contract renewal.
Locate the Shadow IT
Carry out an in-depth analysis to identify what shadow IT solutions are in use. This can be done with a combination of self-reporting and tools that can uncover applications and tools in use as well as those that have not been properly provisioned. In extreme cases, outside consulting help may be required.
There are always loopholes, but for certain problematic applications, firewalls can be used to block access to shadow IT. There are also tools that monitor the use of cloud services and can be used to suppress them. The risk of suppression is that it can drive users to go outside the corporate infrastructure where they can do what they want and be out of sight of corporate IT.
Identify Why Shadow IT is Used
Finding out the root causes behind shadow IT use is a shortcut to solving many issues. Often, the solution is simple, with corporate IT regaining control and users getting what they need.
Instead of outright banning shadow IT solutions, consider bringing them into the fold. After determining what shadow IT is in use and asking users for suggestions, evaluate the options. For those deemed risky, explain why they should not be used. The others can be included on a list of approved solutions.
Reducing Shadow IT Risk
Shadow IT is inherently risky. To mitigate risk, users must be engaged in the selection or rejection of shadow IT solutions.
Corporate IT must tread lightly when dealing with shadow IT; by its nature, it is easily hidden. Take appropriate measures, but be aware of constituents’ needs and motivations.
Five Recommendations for Reducing Shadow IT Risk
- Understand the scale of shadow IT use.
- Evaluate the vulnerabilities of the shadow IT in use.
- Reduce the use of shadow IT by providing solutions that users want.
- Educate employees on how to appropriately use shadow IT and what to avoid.
- Develop and enforce corporate policies around shadow IT.
Shadow IT Policies
To effectively handle shadow IT, it must be acknowledged and managed. Creating corporate policy for it gives users guidance on what is acceptable and provides corporate IT with the tools to enforce rules. Considerations when developing shadow IT policies include:
- Agree on acceptable levels of risk for shadow IT solutions, then categorize them. Three key categories are sanctioned (approved), authorized (not approved but harmless), and prohibited (unsanctioned and potentially dangerous).
- Establish policies for procurement to avoid redundancy and provide an accurate accounting of IT-related expenses.
- Ensure that users understand why shadow IT policies are in place and how to work within those parameters.
- Open a dialog: provide a channel for users to share their thoughts about IT-approved solutions and make suggestions for new solutions.
Don’t Let Fear Get in the Way
Shadow IT can be scary, but it is not all bad. Taking time to understand the drivers and use cases, then engaging with users to develop best practices for use, will go a long way toward mitigating risks. There are cases where shadow IT solutions cannot be allowed, but there are often effective ways to integrate it and reap its benefits.