November 19, 2014

The Real Dangers of Shadow IT


Shadow IT is exactly what it sounds like: workplace technology that hides in the darkness—unseen, unapproved, and possibly dangerous. Sometimes referred to as “stealth IT” or “rogue IT,” shadow IT encompasses any systems and solutions that fall outside of organizational consent or standards for compliance.

The growth of cloud-based software, along with the continued consumerization of IT, has only sped up the shadow IT invasion. According to a 2014 survey by PMG, roughly half (53 percent) of IT professionals now report that departments within the company rely on various forms of unauthorized technology.

Shadow IT is hard to track down in large part because of its diversity. When the CIO isn’t looking, business users often turn to a variety of unauthorized third-party software, hardware, and services, including web-based email, cloud storage, VOIP and messaging software, homemade spreadsheets and macros, phones and mobile devices, and even USB thumb drives.

The name itself is intrinsically menacing. A Google search for “shadow IT” yields stock photos of masked bandits and burglars, demons rising up out of laptop computers, and a few grumpy cat memes (we can’t explain that one). It’s important to dig beneath such business myths and understand why your employees are turning to alternative solutions. Most of the time, there’s nothing malicious about it; they’re seeking things like usability, better support, more features, etc. Perhaps the solutions IT currently offers aren’t sufficiently powerful (or usable), so users work around them.

Even if employees aren’t trying to cause any harm though, that’s not a good position for IT departments to be in—one where they are obstacles, rather than enablers. It exposes the business to a new spectrum of weaknesses and vulnerabilities. These threats include:

Information Security

Hardware and software outsourced to a third party isn’t subject to the same security measures that IT-approved solutions are. As data and communications pass between these unauthorized systems and devices, the entire organization is put at risk of data breaches, malware, and hardware theft.

Unauthorized cloud applications pose an especially high risk since they house data outside of company servers and are sometimes run by overseas companies with dubious security. A recent survey by Netskope revealed that 64 percent of IT professionals believe cloud services reduce their company’s ability to protect confidential information.

Data Silos

Because Shadow IT solutions slide in under the radar, they’re almost never integrated with existing networks. They’re brought in a-la-carte to meet the needs of individuals. For example, Employee A decides to take files for a team project home on his thumb drive (instead of saving them on the company server). While the motivation is pure, these files are now sequestered on Employee A’s thumb drive and home computer, inaccessible to the rest of the team. If the habit continues, that employee’s home computer—and possibly the employee himself—will become a “silo” of disconnected data.

Bottlenecks and Inefficiency

Networks compromised by shadow IT tend to defy standardization and cultivate waste and redundancy. Many times, shadow systems are brought in to perform tasks that the legacy system should perform, but for some reason isn’t.

Without formal governance from IT, these outside systems divide user allegiance between multiple applications, forcing the constant importing and exporting of data, which inevitably leads to inconsistencies or data loss.

Reduced ROI

When an organization makes a software purchase—whether SaaS or licensed—it makes both an investment and a commitment to that software. For enterprise companies in particular, the large upfront expense of business software compels them to measure the ongoing return-on-investment (ROI) of that product. If half of your employees are turning to unapproved, web-based applications for functions your in-house software is supposed to perform, then you aren’t getting what you paid for. Little by little, shadow IT is siphoning off your ROI, and you may not even know it.

The potential costs of shadow IT are clear. As an IT professional, you know them well. So what can you do about it?

Try This:

  1. Don’t overreact: If you impose an outright ban, you might only push the IT black market deeper into secrecy. Like water flowing toward the lowest point, your employees are only trying to do their jobs as efficiently as possible, and you shouldn’t hold that against them. Instead of throwing down a manifesto, take charge of shadow IT and figure out a way to regulate it. As Mark McDonald, former GVP at Gartner, put it, “Restructure rather than restrict shadow IT.”
  2. Practice what you preach: Research from Frost & Sullivan revealed that 91 percent of IT departments are self-reportedly using one or more unapproved SaaS applications for standard operations. Don’t do this. You can’t expect business users to abide by policies you don’t follow yourself.
  3. Embrace an “ITaaS” model: Too many IT departments have made themselves stumbling blocks to progress. IT-as-a-service doesn’t mean you’re moving the department “to the cloud.” In this case, it refers to the traditional definition of service. View your work as a service you provide—in competition, even, with the shadow IT solutions users are tempted to consult. With this mindset, you’ll focus on equipping departments to accomplish their goals, rather than on legislating rigid guidelines.
  4. Assess your current software and solutions: If a sizable portion of employees are supplementing their workflow with unauthorized hardware or third-party apps, it may be a signal that your legacy system isn’t performing up to par. Maybe your CRM software is missing the integrations your sales department needs, or maybe your accounting software needs to be linked to the business’s online accounts. Ask yourself if your existing system can provide for these needs, or if there’s a third-party service you feel comfortable endorsing.

*

As an IT professional, your mission is to promote the advancement of business goals through the proper use of technology. In a workplace inundated with tech-savvy millennials, foreign devices, and instant access to new programs via the cloud, that mission will require a deft balancing act between protecting security and compliance and giving employees the tools they need.

Have any tips for shadow IT you’d like to share? Think we left anything out? Let us know in the comments.