You’ve probably heard the phrase Shadow IT before, but what is it? What does it actually mean, where does it come from and how do you deal with it in your business?
What is Shadow IT?
In simple terms, Shadow IT refers to technology solutions being used by employees that bypass controls or limitations within the managed IT estate. It’s not just unapproved applications. It could be any form of IT that’s being used by employees without the knowledge of the IT team.
Users often turn to Shadow IT because they can’t get what they need from the applications the business uses, or because of the controls it places upon them. It is therefore not typically a malicious activity; it is more often born out of frustration with limitations that hinder productivity.
With that in mind, to an extent it could be perceived that shadow IT has benefits for a business. Your staff are keen to get work done and have used their initiative to actively seek out ways to speed things up, introducing innovation, increasing efficiency, throughput and perhaps profits.
Is that really the case though?
What are the risks of Shadow IT?
A lot of the time, controls exist to protect users and company data. Blocking the sharing of data, restricting access to certain types of website or preventing the use of specific applications is important not only to prevent malware or ransomware infections, but also to prevent people doing things by accident, or simply to maintain visibility of data wherever it may be within the estate. As soon as uncontrolled applications come into the mix, everything put in place to comply with security policies or maintain compliance becomes ineffective.
Hidden IT costs
Often users will be paying subscription or usage fees for the shadow IT systems they are using. Sure, that’s coming out of a budget somewhere, but not necessarily one allocated to IT. That makes it harder to understand the return on investment from solutions you as a business have paid for to address perceived challenges. If users are bypassing such systems, the implementation and running costs are being wasted.
A digital transformation strategy won’t work if users seek out and implement tools that enable them to maintain old, inefficient ways of working. Encouraging adoption of new solutions through effective training is important to ensure the success of such strategies by not losing the support of the user base.
Why is Shadow IT on the rise?
With the changes in working practices that have come about during the last few years, specifically with the COVID-19 lockdowns, users working remotely have been faced with more challenges than ever before. The effect of that has been a sharp increase in the use of shadow IT. Check out some of the statistics:
- 59% increase in shadow IT use since the beginning of the COVID-19 pandemic.
- 35% of employees admit they have had to work around security policies to get their work done.
- 67% of teams have introduced their own collaboration tools.
- 83% of IT professionals reported that users have been known to store company data in unapproved cloud services.
- 1 in 5 organisations have suffered a cyber-attack as a direct result of shadow IT use.
Solutions to avoid Shadow IT?
Typical examples of shadow IT include:
- Messaging apps like WhatsApp or Snapchat
- Cloud storage such as Dropbox, Google Drive and personal Microsoft OneDrive accounts
- Personal communication apps – Teams, Skype, other VoIP platforms
- Productivity tools like Slack or Trello
The user base is generally viewed as the weak link in the chain here, but that weakness can be created by other elements and it’s important to appreciate they exist. For IT departments, control is the key to security when addressing that weakness in the user base. However, control taken too far for ease of management wraps red tape around productivity. That in turn leads to shadow IT, and IT teams cannot control what they cannot see.
The focus therefore needs to be on giving users the tools they need, coupled with the freedom and flexibility they need to work with maximum productivity, from anywhere. That means adopting the principles of the modern perimeter as discussed in an earlier blog, adopting IT management and security frameworks and keeping a finger on the pulse of the users through training and feedback.
One thing that’s abundantly clear is that wrapping them in chains does not work…
Infinity Group are IT Security specialists. If you are keen to discuss how to overcome the shadow IT your business may be at risk from or experiencing, please get in touch to speak with one of our IT Security consultants.