Shadow IT is a relatively new name for a rather old problem – Risk. Since the name does carry a somewhat sinister implication, it’s not too far-fetched to ask the question: “Should I be worried?” The short answer is YES once you understand what shadow IT is and how it is happening in your organization as you read this. Shadow IT happens in almost every business, now whether it is good or bad will depend on who you ask. People will find workarounds when the company hasn’t given them all of the tools and resources they need to do their jobs effectively. This workaround help get the job done but at what cost?
Even the statistics are a bit muddled; an astounding 77% of IT professionals believe their organizations could benefit from embracing shadow IT solutions. Yet, three in four IT professionals surveyed by McAfee agree that shadow IT could become a major issue for organizations if left unchecked and unmonitored.
The fun fact is that a lot of organizations don’t even know about it or that it even poses a risk to the organization. I have met many business leaders who view workarounds as a good thing since they didn’t have to buy anything or spend any money to get the job done but that is exactly how this risk grows higher for the company; no one is asking questions or putting parameters on what folks are downloading until it’s too late. According to this report by New Zealand’s NCSC (National Computer Security Center), at least 60% of enterprises fail to include shadow IT in operations and IT threat assessments; and only 8% of the asked global organizations in this survey, believe they have a grasp on the number of unsanctioned IT Tools in their company.
It's clear that the data suggests with Shadow IT both bad and good outcomes. The relevant takeaway is that Shadow IT is not just an untapped field for most organizations, it is also difficult to control for those who are aware of it. Our insight is that Shadow IT is a problem if you aren’t monitoring what people are using and why they are using those tools and at what risk to the company.
What is Shadow IT?
When the average person thinks of IT, they may think IT is helping set up my computer or help me convert a PDF document to a word document, but IT actually doesn’t really cover the user level of systems and programs. Sure, they will help you set up your computer on your first day but they are really connecting your device to the server and making sure your connection is secure, as in cyber security. Gartner defines Shadow IT as the unsanctioned use of “IT devices, software, and services outside the ownership or control of IT organizations”. Put differently, the term describes the use and management of any IT service, technology, solution, or infrastructure without the formal approval and support of IT departments.
They are unapproved typically because they were not vetted through the usual IT vendor onboarding processes -thus, they “shadow” the sanctioned IT apparatus. The implication is that there is little visibility into the compliance and security ramifications of some of the unsanctioned devices, data, and applications that are being used.
As to what or which devices qualify as shadow IT, the distinction is usually that it is procured, deployed, used, and managed without the approval, supervision, or oversight of the IT department. Some of the techs that can be typically included under the umbrella of Shadow IT are as follows:
Personally procured software installed on organizational assets;
Cloud-based storage solutions (Box.com, Google Drive, Amazon S3, etc.);
Third-party SaaS applications (data analysis, business intelligence, HR, etc.);
Anything that plugs into an organization’s network - (Wireless access points, Routers, Switches, Printers, Personal Computers)
Personal storage devices (External hard drives and USB sticks)
Chat/Messaging applications (Slack, Skype, WhatsApp, Signal, etc)
Whilst there are no inherent problems with the use of these techs – they often provide flexible workaround solutions to employees when they need to skirt problems during the course of their work. The problem is that they might have security standards that are below your organization’s normal risk thresholds pertaining to:
Interestingly, there is no handle on a class of people who form the “usual culprits” with Shadow IT. Especially as users are generally found on various rungs of the enterprise ladder- from the Chairman of the board to the front desk employees. The real why happens at a user level trying to solve a problem that the organizations current technology con not or does not solve for them. They may not even mention it to their superiors because they too do not understand the risk implications that come with using unapproved software.
In any case, a huge part of the problem lies with organizations either failing to offer adequate support for technologies that IT users require; or making the governance, approval, and provisioning process rather problematic and unattractive to employees.
What are the benefits and Risks?
Notwithstanding the many risks and challenges that come with shadow IT, there are certain benefits that are apparent, and even more so, that enterprises are starting to embrace. They include;
Improved productivity. The fact remains that employees adopt shadow IT practices to fulfill their job requirements in ways that make their life easier. It is safe to assume that they do so because shadow IT does help get work done better, and faster.
Employee Satisfaction. This is something that’s unavoidable, given the breakneck pace of business in most organizations today. It is commonplace that employees find the current tools and solutions at their disposal insufficient, and look outside to tools that help increase their productivity, and meet targets.
Unsurprisingly, there are tons of disadvantages and risks that come hand-in-hand with the use of Shadow IT. While employees are able to complete tasks at their convenience using shadow IT systems, the technology introduces unprecedented risks, inefficiencies, and costs to the organization, such as:
Non-compliance. Organizations that operate in industries that are subject to stringent compliance regulations, can suffer far-reaching consequences because of shadow IT use. These industries are subject to such stringent compliance regulations, chiefly because of the risk that their operations post to customers, clients, and the general public. Thus, any use of shadow IT creates additional audit points, to which proof of compliance must be expanded, especially if it involves software that leaves the confidentiality of sensitive data very doubtful.
Increased vulnerability to cyber-attacks and data loss. Since the infringing technology is deployed outside of company oversight and creates unmanaged data repositories outside of established security parameters –none of the company’s penetration testing, intrusion detection, security information, and event management (SIEM) systems, or threat log management will cover shadow IT. The result is an increased possibility of attack and greater vulnerability of company systems to such attacks. Major data breaches, like SolarWinds, are impacting large numbers of companies because IT departments weren’t aware that SolarWinds software was present because it had been downloaded by an employee for free.
Systems and Operations inefficiencies. When there’s a randomness to the tools and methods relied on by different employees to get their job done, collaboration might decrease or become less efficient. Example: If one team uses Google Drive for file sharing and another team uses Dropbox, documents will get uploaded, downloaded, and edited multiple times. If the IT department is not informed of the data flows, they cannot plan for capacity, system architecture, security, and performance across data in disparate and siloed shadow IT apps. The result is that analysis and reporting become skewed and more complicated thanks to multiple data versions existing in different unmapped locations.
Hefty costs. Apart from the huge penalties that may be incurred due to non-compliance, there are also other avoidable costs that will overtime accumulate and hinder long-term IT acquisitions and strategies.
Discover and Manage Shadow IT with Process and Tech Mapping.
Data Mapping is the quintessential silver bullet for companies seeking to reduce the occurrence and attendant risks of shadow IT. Creating a data map of the processes and technology deployed in your organization allows IT to track anomalies and increase transparency through a digitally accessible, interactive map of your entire operation.
Stack mapping is essential if you are to discover the various locations of shadow tech deployed within your organization with key information regarding its purpose and handling. Not only will the increased visibility lessen your risk, but you will be able to garner insights regarding the purpose of this shadow IT and determine if they simplify workflows and can be fully on-boarded, or if they create vulnerabilities and are to be discarded.
Shadow IT poses a risk to organizations that know fully understand their operations. Your internal operations are dependent on all four pillars your people, process, technology, and customer experience; a gap in any one of those pillars will create the perfect environment for Shadow IT to make its way into your business. A gap in your technology also means a gap in your workflows, a single source of truth when it comes to your data, and your people whether that’s onboarding, offboarding, or out of office. You’ll want full insight into your business’s process and technology to fully understand both the how and why.
About the author:
Cornerstone Paradigm Consulting, LLC is an industry-agnostic global business operations consulting firm going beyond the symptoms to get to the root cause of your business issues.