When I first heard the term “Shadow IT”, I had just finished watching Batman Begins, so the first thing that came to mind was a group of super villainous techies working for the League of Shadows, trying to collapse society one network at a time. The true definition of Shadow IT isn’t anywhere near as colorful, but it can have a similar effect on your company.
Shadow IT is a term used to describe IT solutions built and used inside of an organization, without explicit organizational approval. Think of employees who start using services like DropBox for business purposes without asking anyone or letting IT know. Or, those who download and use chat, messenger or other applications within their team or department. These are just a few simple examples of Shadow IT.
Why does Shadow IT exist?
The simplest answer is speed and convenience. Individuals, or even entire departments, have business issues they need to solve and they want to solve them as quickly as possible. If they are not well educated in IT best practices, they don’t think of things such as information security, or even computer viruses. If the company doesn’t already have a service that solves their business issue, users will either ask IT to help them solve the issue, or if they have a short timeline to resolve the issue, try to solve it themselves. This is where they cross the line into the realm of Shadow IT.
Another common cause of Shadow IT is associated with a younger workforce. Younger workers have grown up in an age where they have been using computers and associated technology since they could first grab their parent’s smartphone or tablet. They have become accustomed to solving their own computer-related issues and tend to rely on their own tech skills, calling on IT less often than other users. Unfortunately, if they do not take into account things like information security, they can cause great harm to their employers.
What are the risks of Shadow IT?
Let’s look at the two examples I gave above, using external file storage like DropBox, and downloading applications from the Internet to solve a niche issue.
- Using external file storage sites, without proper protections put in place, allows potentially confidential or proprietary corporate information to be freely sent out to sites with unknown levels of security. Many of the file storage services offer both personal and professional versions, with the personal versions offering much lower levels of security. This makes it very easy for sensitive information to get into the hands of people outside of your organization, either intentionally or unintentionally. This can cause a lot of harm to companies and lead to legal issues as well. This isn’t meant to scare you off of external file sharing services. Many of them provide highly secured business services which allow control over what can be shared and with whom it can be shared, which can be configured to meet corporate security needs. Unfortunately, when these type of services are used without proper planning, bad things can – and do – happen.
- When people bring in software that has not been vetted by IT, or even worse download software from the internet onto a device that is used on the internal corporate network, many things can go wrong. No matter how sophisticated your firewalls and ant-virus software are, a determined user can still bring in software with hidden features like viruses, root kits, cryptolockers and more. These threats can easily spread throughout the organization once a single device is infected.
What additional concerns are there with Shadow IT?
Let’s face it, when things go wrong with IT related systems, no matter how or where they start, the finger will initially get pointed at the IT department. Even if it can be shown that the problem started outside of the IT department, it will fall on you to fix it and prevent it from happening again. This in addition to your other tasks.
Shadow IT also makes it impossible to know the true cost of IT and can lead to shrinking IT budgets. Many Shadow IT projects are run through employee credit cards and submitted as expenses so they never show up as an IT expense in any budget.
So, how do you get rid of Shadow IT?
The real answer is that you don’t. Just like your own shadow, you can’t completely get rid of it. However, you can work to make Shadow IT in your organization as small as possible. There are several things that you can do to bring Shadow IT under control:
- Identify where Shadow IT is in your organization and what it is being used for.
- Educate your organization about the risks of Shadow IT.
- Implement solutions to address the business needs being addressed by Shadow IT.
- Implement IT solutions and practices that allow you to respond to business needs faster and reduce the need for Shadow IT.
EDCi can help you take these steps, and reduce the risks that Shadow IT brings to your company. We’ll help you implement the proper tools to monitor Shadow IT and respond faster to reduce the need for Shadow IT within your organization.