What is shadow IT?
Gartner defines it as “IT devices, software and services outside the ownership or control of IT organizations.”
In other words, shadow IT is technology that employees use without approval, such as downloading a music streaming service to a company laptop or sending a sensitive document through personal email.
But if you ask three random people in business, you’ll probably get a variation on one of the following answers:
Shadow IT is abhorrent.
Shadow IT is beneficial.
Shadow IT is inevitable.
In this article, we’ll look at each of these views and their potential responses.
Why shadow IT demands your attention
Gartner forecasts that, by 2020, one-third of successful cyberattacks will be on data located in shadow IT resources (report available to clients). Businesses must decide now how to respond to shadow IT to alleviate future risks.
Shadow IT resources are inherently less secure because their use has never been through the review that IT-approved resources receive: nobody has checked how they authenticate users, where they store data, or who else can reach it. They are also rarely integrated with existing systems such as identity management, logging, and backup, which impairs reporting and analytics and leaves security teams with no visibility into them.
This doesn’t mean that shadow IT resources can’t be productive or an improvement over existing solutions, only that traditional IT processes are designed to consider the ways that authorized devices, applications, and storage media affect security and efficiency.
Resources approved by IT tend to be established and well-proven rather than cutting-edge and experimental. Traditional IT is also sometimes reluctant to embrace cloud-based technologies because it means giving up some measure of control to a third-party. This resistance to change can prompt individual employees, and even entire business units, to begin using resources without the approval or involvement of IT.
Shadow IT takes numerous forms
The shadow internet of things
As if shadow IT weren’t already complicated enough, businesses must now contend with the rapidly growing shadow internet of things (IoT). The methods by which data is collected, stored, and shared have grown to the point that our waking hours increasingly consist of one data interaction after another. Thus, in an age where we take data for granted, it’s easy to overlook the potential peril of installing a networked coffee maker.
And because IoT technologies are developed with novel human-machine interactions first in mind, security is often an afterthought. Moreover, when security flaws are identified, IoT devices are often difficult or impossible to patch: many have no update mechanism at all, and those that do may depend on a vendor that no longer supports them.
IoT devices carry data-collecting sensors and are commonly connected to company networks that aren’t segregated from the systems holding sensitive data. IoT search engines such as Shodan can easily locate exposed, exploitable devices, which can lead directly to data breaches or provide new and unprotected vectors for attacks on the rest of the network.
In fact, IoT security firm Armis recently warned that nearly half a billion IoT devices are vulnerable to takeover with DNS rebinding attacks, in which a malicious web page makes a domain the attacker controls resolve to an address on the victim’s internal network, so that script on the page can send requests to devices there from inside the browser. The report advised that businesses are particularly at risk because of the use of networked items such as smart TVs, printers, and IP cameras.
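One check a device vendor (or anyone fronting an IoT device with a reverse proxy) can add against the DNS rebinding attacks mentioned above is to validate the HTTP Host header: during rebinding the browser is still addressing the attacker’s domain, so the requests that reach the device carry a Host value that is not one of the device’s own names or addresses. The example below is added here and is not code from the article or from the Armis report; the device addresses, the listening port and the handler shim are assumptions made for the example.

```python
"""Host-header check against DNS rebinding for a device's embedded HTTP service.

Added example, not from the article or the Armis report. DNS rebinding works
because a malicious page's script keeps talking to 'attacker.example' while the
attacker's DNS server flips that name's record to a LAN address such as
192.168.1.50. The browser then sends the device requests carrying
'Host: attacker.example'. A device that only expects to be addressed by its own
IP or hostname can reject those requests outright.
"""
from ipaddress import ip_address

# Names/addresses this device considers its own (assumption for the example).
OWN_ADDRESSES = {"192.168.1.50", "printer.lan"}
LISTEN_PORT = 80  # assumption for the example


def parse_host_header(value: str):
    """Split a Host header into (host, port); port is None when absent.

    Handles bracketed IPv6 literals ('[fe80::1]:8080') and a trailing dot on
    the hostname. Returns None for values that are not syntactically usable,
    including bare IPv6 literals without brackets.
    """
    v = value.strip()
    if not v:
        return None
    if v.startswith("["):                 # IPv6 literal in brackets
        end = v.find("]")
        if end == -1:
            return None
        host = v[1:end]
        rest = v[end + 1:]
    else:
        if v.count(":") > 1:              # unbracketed IPv6 is not valid in Host
            return None
        host, sep, rest = v.partition(":")
        rest = sep + rest
    port = None
    if rest:
        if not rest.startswith(":") or not rest[1:].isdigit():
            return None
        port = int(rest[1:])
    host = host.lower().rstrip(".")
    return (host, port) if host else None


def host_header_allowed(value: str, own_addresses=OWN_ADDRESSES, listen_port=LISTEN_PORT) -> bool:
    """Accept only requests addressed to this device by one of its own names or IPs."""
    parsed = parse_host_header(value)
    if parsed is None:
        return False
    host, port = parsed
    if port is not None and port != listen_port:
        return False
    try:
        host = str(ip_address(host))      # canonical form for IP literals (e.g. IPv6 zero compression)
    except ValueError:
        pass                              # a hostname; compare as a lower-cased string
    return host in {a.lower() for a in own_addresses}


def handle_request(headers: dict) -> int:
    """Hypothetical handler shim: 403 when the Host header is not ours, 200 otherwise."""
    return 200 if host_header_allowed(headers.get("Host", "")) else 403


if __name__ == "__main__":
    # A rebinding request arrives with the attacker's domain in Host; a normal
    # LAN user addresses the device by its IP or local name.
    for hdr in ({"Host": "attacker.example"}, {"Host": "192.168.1.50"}, {"Host": "printer.lan:80"}):
        print(hdr, "->", handle_request(hdr))
```

The check is only as good as the list of the device’s own addresses: a DHCP-assigned address must be added when the lease changes, and any legitimate name (an mDNS name, a hostname the administrator assigned) that is left off the list will be rejected as well. It also does not replace network segmentation; it closes the browser-borne path that rebinding relies on, not direct attacks from a foothold already on the same network.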
3 answers to the question: What is shadow IT?
Shadow IT is abhorrent
This attitude sees shadow IT as an utter abomination of formal IT: a practice that makes a mockery of authorized IT protocol, carried out by rogue employees who couldn’t care less about data security, compliance programs, or reporting efforts.
It’s hard to argue with this on merit. IT policies exist primarily to protect the business and maintain efficiency. But any attempt to eliminate all chances of exposure to shadow IT amounts to a total data lockdown.
A lockdown means that all data transmissions are closely monitored, permissions are revoked, and internet access is harshly restricted. And because bring your own device (BYOD) policies are ruled out, exorbitant investments must be made in company-owned devices. When shadow IT resources are discovered, the reaction is swift and harsh.
Another result is that employees feel micromanaged and thus resentful of company policies. If an employee accidentally prints 500 copies of a document and can’t pause the operation because their access is restricted, the result will be an unhappy employee AND a huge waste of paper.
Furthermore, tightly restricting employees can reduce their means and motivation to create new solutions that can benefit the business. And besides, even the tightest data lockdown can’t protect against something as simple as an employee taking a picture of a computer screen.
Recommended response: Announce a shadow IT amnesty.
To fix something, you must first understand it. By declaring at least a temporary amnesty, businesses can start a conversation about the reasons employees feel a need to use shadow IT resources and why they aren’t satisfied with authorized systems. This can inform management about gaps in processes and technology that employees have filled with their own solutions.
For example, if employees admit to using unauthorized productivity tools to help keep track of tasks or organize projects, management should consider a product that can accomplish those goals and be integrated with existing systems and applications, all under the purview of IT.
[Screenshot: task list in the project management software Asana]
Shadow IT is beneficial
Holders of this view tend to see traditional IT as inflexible and bureaucratic; to them, shadow IT exists only because of the failings of IT. It enables greater agility by working around IT processes that are slow, out of date, and suppressors of innovation.
The term shadow IT suggests something covert and fundamentally bad, so how can it possibly be a good thing? It’s simple. By embracing these resources, they are no longer in the shadow. They are now simply methods used by employees to do their jobs.
Furthermore, by allowing employees to move quickly and adopt new technology on the fly, companies can more easily compete in a rapidly evolving business landscape. Much of the knowledge that was once restricted to IT is spread out across the business. Employees are generally more tech-savvy and less dependent on formal IT than a generation ago.
Moreover, non-technical employees can now build entire applications without writing a single line of code using application Platform-as-a-Service (aPaaS). This means that employees from across the business have the knowledge and ability to make valuable IT contributions that—in many cases—should be taken seriously.
Recommended response: Develop a shadow IT risk awareness program
If shadow IT is to be embraced in your company’s culture, risk awareness is key. Include shadow IT and shadow IoT in risk awareness training programs. Correlate the use of unauthorized devices and applications with financial risks to the company.
The negative effects of shadow IT include downtime resulting from cyberattacks, fines resulting from compliance violations, and the exposure of proprietary information. These events harm the company’s bottom line and affect employees in the form of smaller pay raises or reductions in benefits.
Making these connections clear can foster an appreciation for—and provide a natural incentive to comply with—risk management policies. Employees with higher risk awareness are also more likely to lobby for a new solution and make their case for why it should be adopted, rather than going ahead and doing it secretly.
Shadow IT is inevitable
Proponents of this view have reluctantly accepted that shadow IT isn’t going anywhere and that trying to brute-force it out of existence is an exercise in futility. Employees are going to use unauthorized applications and devices to get their jobs done, and the best response is to ensure that this happens on the company’s terms rather than the employee’s.
Rather than wait for management and IT processes to catch up, today’s employees are able to find or create solutions to their problems, sometimes without even realizing they are using unauthorized resources. It’s common for employees to unintentionally participate in shadow IT, such as uploading a document to the cloud to work on it at home.
Cloud-based data storage, SaaS applications, and internet-connected everything have created a perfect shadow IT storm that can be nearly impossible for IT to navigate.
Recommended response: Adopt a cloud access security broker (CASB)
To contend with the relentless nature of shadow IT, businesses can employ a cloud access security broker (CASB), which discovers cloud application use by analyzing firewall and web proxy logs (or by sitting inline as a proxy) and rates the risk of each application it finds. This information can help companies identify applications and websites that pose a threat and block or limit their use by employees.
CASB systems also allow data classification and security policies to be applied automatically to cloud-based applications and storage services, for example by blocking the upload of files classified as confidential to an unsanctioned service. These features allow a more relaxed attitude toward shadow IT while reducing the risk of data exfiltration and helping to maintain compliance. CASB software can be used by companies of any size but is more effective for those with 50+ employees.
[Screenshot: anomaly report in the CASB software Netskope]
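The discovery step a CASB performs on firewall or proxy logs can be reproduced in miniature: extract the destination host from each request, discard anything under an IT-sanctioned domain, and aggregate what remains by application, user and upload volume so that the largest unsanctioned data flows surface first. The script below is an added example, not code from the article or from any CASB vendor; the log format, the sanctioned-domain list, the sample log lines and the 5 MiB review threshold are all assumptions constructed for the example.

```python
"""Shadow cloud discovery from constructed proxy log lines.

Added example; not from the original article or any CASB product. The log
format is an assumption: a simplified, space-separated web-proxy export with
    timestamp user client_ip method host path bytes_sent bytes_received
Real CASB discovery ingests vendor formats and matches hosts against a large
catalogue of cloud apps; here the catalogue is a small hypothetical allowlist.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field

# Hypothetical IT-sanctioned SaaS domains (assumption). Subdomains are allowed too.
SANCTIONED = {"office365.com", "sharepoint.com", "asana.com", "corp.example"}

# Constructed sample proxy lines, not real traffic.
SAMPLE_LOG = """\
2018-09-03T09:12:01Z alice 10.1.4.22 POST graph.office365.com /v1.0/me/drive 240 1800
2018-09-03T09:12:07Z alice 10.1.4.22 POST upload.wetransfer.com /api/v4/transfers 52428800 512
2018-09-03T09:13:44Z bob 10.1.4.31 GET app.asana.com /api/1.0/tasks 300 4096
2018-09-03T09:14:10Z bob 10.1.4.31 POST www.dropbox.com /upload 10485760 256
2018-09-03T09:15:02Z carol 10.1.4.40 POST www.dropbox.com /upload 2097152 256
2018-09-03T09:15:30Z carol 10.1.4.40 GET intranet.corp.example /wiki 120 9000
2018-09-03T09:16:00Z dave 10.1.4.51 GET pastebin.com /raw/abc123 90 2048
malformed line that should be skipped
"""


@dataclass
class AppUsage:
    users: set = field(default_factory=set)
    requests: int = 0
    bytes_uploaded: int = 0


def registrable_domain(host: str) -> str:
    """Collapse a host to its last two labels ('www.dropbox.com' -> 'dropbox.com').

    Simplification: a production tool should use the Public Suffix List so that
    hosts like 'foo.co.uk' are not collapsed to 'co.uk'.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_sanctioned(host: str, sanctioned: set[str]) -> bool:
    """True when the host equals, or is a subdomain of, an allowlisted domain."""
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in sanctioned)


def parse_line(line: str):
    """Return (user, host, bytes_sent), or None for lines that don't fit the assumed format."""
    parts = line.split()
    if len(parts) != 8:
        return None
    _ts, user, _ip, _method, host, _path, sent, _recv = parts
    try:
        return user, host, int(sent)
    except ValueError:
        return None


def discover_shadow_apps(log_text: str, sanctioned: set[str]) -> dict[str, AppUsage]:
    """Aggregate traffic to unsanctioned destinations, keyed by registrable domain."""
    usage: dict[str, AppUsage] = defaultdict(AppUsage)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                      # skip lines the parser cannot read
        user, host, sent = rec
        if is_sanctioned(host, sanctioned):
            continue
        app = usage[registrable_domain(host)]
        app.users.add(user)
        app.requests += 1
        app.bytes_uploaded += sent        # request bytes approximate data leaving the company
    return dict(usage)


def flag_exfil_risk(usage: dict[str, AppUsage], upload_threshold: int = 5 * 1024 * 1024) -> list[str]:
    """Unsanctioned domains whose cumulative upload volume meets the threshold (5 MiB by default, an arbitrary choice)."""
    return sorted(d for d, u in usage.items() if u.bytes_uploaded >= upload_threshold)


if __name__ == "__main__":
    found = discover_shadow_apps(SAMPLE_LOG, SANCTIONED)
    for domain, u in sorted(found.items(), key=lambda kv: -kv[1].bytes_uploaded):
        print(f"{domain:20} users={len(u.users)} requests={u.requests} uploaded={u.bytes_uploaded}")
    print("review for possible exfiltration:", flag_exfil_risk(found))
```

Two caveats carry over to real deployments. Discovery only sees traffic that passes the proxy or firewall, so devices on guest Wi-Fi, mobile data or home networks are invisible to it, which is why CASBs often pair log analysis with an inline or API-based mode. And a large upload to an unsanctioned service is a reason to talk to the user, not proof of exfiltration; the amnesty and awareness responses described earlier are what turn a discovery report into a fix.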
It’s often the case that employees engage in shadow IT not out of defiance, but out of a desire to increase productivity and enhance collaboration. Better communication between management and employees regarding the tools required to do the job can address many shadow IT causes head-on so that needs can be met while maintaining the integrity of IT systems.
So, what is shadow IT? Is it abhorrent, beneficial, or inevitable?
Ultimately, it’s all three.
Shadow IT exists for a reason and business leaders should work to identify its causes and respond accordingly.
Note: The information contained in this article has been obtained from sources believed to be reliable. The applications selected are examples to show a feature in context, and are not intended as endorsements or recommendations.