If you’re an IT manager, you’ve probably heard the term Shadow IT before. Shadow IT refers to technology that your company doesn’t officially use, but that employees are using anyway because they believe it will benefit them more than the company-approved option would. A lot of companies even encourage their employees to use casual technology like personal laptops or smartphones, so long as it doesn’t interfere with work. While this might sound like an okay situation, Shadow IT has its risks and disadvantages.
Why Does Shadow IT Happen
The three primary causes for Shadow IT are: 1) Security 2) Privacy 3) Cost. When it comes to security, I’m not just talking about data security. I’m talking about user security—the feeling that our employers will never know we did anything wrong or skimped on policy when we break down and use a forbidden app in order to get work done. When it comes to privacy, we all want our business to be our business. As one of my friends put it recently, I don’t share my stuff at home with co-workers, so I don’t share my stuff at work with them either. It doesn’t have anything to do with trust; it has everything to do with being private in your life. And finally, cost. Shadow IT can oftentimes be cheaper than company provided products. Apps like Slack, Google Apps, Dropbox Pro, etc. are often much less expensive than licensing their branded alternatives. So users take advantage of these companies because they offer more flexibility without giving up support/service if things go south (which they will).
Types of Shadow IT
The types of Shadow IT vary but include everything from wireless mobile devices to covert mobile apps. There are three main categories:
(1) Bring Your Own Device (BYOD),
(2) Covert Apps and
(3) Out-of-Control Software Licensing.
Each category presents a different risk factor in a company’s environment. For example, a business that allows BYOD has a different security posture than one that has mandated solutions for each device type in its organization. Thus, just because an employee may bring his own phone to work doesn’t mean he can install an app without anyone noticing. Many employees fail to consider just how much information their employers have about them stored on company servers—and how accessible that information may be via remote desktop or VPN connection. If your corporation does not monitor these connections closely, you could very well be allowing malicious actors access to sensitive data with little way of preventing it. So even if someone isn’t taking advantage of existing avenues for bringing malware onto corporate assets, they may do so via Shadow IT. It also means that management must take steps to support users who rely on unofficial applications through regular patch cycles; doing so too often will quickly undermine trust between corporations and users alike. IsShadowIT a Risk to my Organization?: There are many benefits of Shadow IT, including saving time and cost while increasing productivity. However, there is always a tradeoff between convenience and security. So while some implementations may provide great benefits, others pose serious risks which outweigh any added benefits they provide. In some cases, instituting an acceptable use policy may help reduce some risks associated with shadow IT.
Problems With Shadow IT
While cloud-based services are flexible, intuitive, and easy to use, employees often circumvent corporate technology departments by installing personal software. This type of technology is known as shadow IT—and it can be risky for both companies and workers. Here are some reasons why.
Employees using unsanctioned applications aren’t protected against cyberattacks Although many third-party programs guarantee data security, attacks on customer information via employee PCs are common practice in 2015. Since cybersecurity attacks happen all too frequently today, there’s little doubt that information stored on unsanctioned applications or other shadow IT will eventually be compromised.
The IT department has no control over what data is being stored Given how prevalent cloud computing is, employees have a high degree of freedom when it comes to storing their own files outside an organization’s servers. Unfortunately, sometimes these documents contain sensitive company information.
Companies pay more than they need to With shadow IT, organizations don’t always know which applications their workers are using—or how much they’re paying for them (some plans require minimal monthly fees). This means that they may end up paying more than necessary for tech support.
Users lose out on automatic upgrades It can be difficult to keep track of new application updates, especially if a program gets regular additions. That’s where corporate IT departments come in handy: They manage app installs and upgrades so users never feel like they’re falling behind.
Businesses become less agile Because enterprise-level apps are designed with large businesses in mind, smaller firms might find it tough to implement solutions with advanced features. This could hurt productivity if your business needs advanced capabilities not provided by your current software.
A small group of people maintain all systems Corporate IT departments help ensure that one person isn’t solely responsible for maintaining an entire system; instead, staff share responsibilities across different fields.
Firmware installation is faster Corporate IT teams can arrange firmware installations at specific times so they won’t disrupt workflow—something most firms running unsanctioned apps simply can’t do without causing issues throughout their organizations.
Cloud storage drives up costs Cloud storage allows users to store more data at lower costs compared to on-site options. However, just because offsite options are cheaper doesn’t mean you should rely on them exclusively. Remember, if employees store data in only one place, it becomes much easier for attackers to compromise sensitive documents.
You risk losing talent If key members of your team spend time working with unauthorized apps, chances are good that they’ll leave once another opportunity arises—especially since talented professionals usually have several offers available to them at any given time.
Your business misses out on industry trends Even if your employees aren’t using cloud-based apps to get ahead of your competition, someone in their networks probably is. As such, you shouldn’t restrict employees from using cutting-edge technology. Moreover, staying on top of industry developments can give you valuable insight into how to run your own business more effectively.
Outsourcing can be more expensive than it seems Just because cloud-based apps are cheap now doesn’t mean they’ll stay that way indefinitely.
How To Manage Shadow IT
Let’s face it, as consumers, we all love new gadgets. Whether it’s a new phone or a shiny tablet PC, we have short attention spans for tech, so when a new shiny object comes along that can help us do our jobs better or be more efficient, it’s hard to say no. For your company, however, these kinds of decisions can be risky.
So how does an organization deal with individuals bringing in their own technology without risking security breaches or any other issues that come with allowing outside devices into your company?
The best solution is to create a policy outlining what employees are allowed to bring in. This way there are clear expectations between IT and users on exactly what they can bring in. If someone brings in something you don’t allow, explain why not without chastising them personally for making choices. And just because it doesn’t fall within that list doesn’t mean they can’t use them in some capacity. You may offer to loan out one of your very same tablets, smartphones or even laptops so long as certain protocols are followed. Creating a policy also helps mitigate potential legal liabilities in case something bad happens. From copyright violations to data theft and physical device damage, you want everyone clearly aware of what behaviour is acceptable and which ones aren’t. With clear rules in place, people will still find ways around them but at least having stated policies in place gives attorneys a clearer landscape when it comes time to figure out if things could have been prevented or what type of damages could occur.
A shadow IT policy serves another purpose as well, that being education. Being able to directly tell employees why they can’t bring in these items builds trust over time. Your company cares about protecting sensitive information and goes to great lengths to make sure nothing gets past them—it shows confidence in how good you are at doing your job. But no matter how thorough your policies are put in place, there will always be attempts at getting around them. New apps constantly pop up offering unique services or cool features that might look good to try out at work. As long as everything is running through your systems though, it’s easy enough to audit activity remotely and keep track of what users are doing on their devices.
Otherwise, know someone who works at a competitor and would like some insider information? That sounds like a huge liability waiting to happen, right? Regardless of whether your employees choose to follow specific guidelines or not, they need to understand that IT has ultimate authority when it comes to infrastructure controls. Instead of looking askance at every little thing someone tries to add though, remind them that while you value their input and ingenuity often times outsiders simply don’t have full knowledge of how complex network structures operate day-to-day. Encourage them to bring their ideas to you. An honest conversation upfront will give you an opportunity to let them know what’s possible, why it won’t work or simply show appreciation for their interest in wanting to improve efficiency. Put yourself in your employees’ shoes. Do you really think they are maliciously trying to hurt your company? Probably not. Most are legitimately excited about using new tools that they’ve had experience with at home or on their phones at night. They’re excited to be given a chance to apply what they’ve learned in real life.