Shadow IT is a term often used to describe information-technology systems and solutions built and used inside organizations without explicit organizational approval. It is also used, along with the terms “Stealth IT” and “Client IT”, to describe solutions specified and deployed by departments other than the IT department. At one point, Shadow IT was merely employees using special or unapproved macros in Excel to get their jobs done faster. Now, Shadow IT can involve a small group of employees installing their own file-sharing services without realizing they are opening their company up for major lawsuits and data breaches.
How do companies develop their own Shadow IT habits? Sometimes an end-user will be stubborn and simply not want to follow IT rules and policies. While that may be the case sometimes, Shadow IT more often occurs because the IT department is unable, or in some cases unwilling, to help solve workflow and efficiency problems within the organization. If a department or team becomes frustrated enough with its current tools and workflow, it will often find a workaround to avoid putting in a ticket to IT because it feels the ticket will go unanswered.
A major area of concern today is the rapid adoption of cloud-based services. The growth of Shadow IT has accelerated with the consumerization of information technology. Users have become comfortable downloading and using apps and services from the cloud to assist them in their work. This is common among Creative and Product departments, where files are shared constantly and the app or service within their workflow isn’t sufficient. I can’t count how many times I’ve found out XYZ’s company assets were being uploaded and shared to a client through John Smith’s personal Dropbox account, which is a huge risk to both the company and the client.
With the consumerization of IT, hundreds of these applications are in use in the typical enterprise. The lack of visibility into these applications also presents a major security gap. Many file-sharing apps and services open ports on end-users’ workstations, making them vulnerable to outside threats, and if a workstation is on the company network, that puts the entire company at risk. While most applications are harmless, there have been many reports of applications adding backdoors or even crypto-mining software without the end-user’s consent. IT and security departments need to know what applications are being used and what risks they pose.
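The following added example (not from the original article) shows one way to get that visibility: it totals upload volume per user to file-sharing services that are not on the approved list, using web proxy logs. The log format, the domain catalogue, the sanctioned service name and the sample log lines are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Assumptions (hypothetical values): the one approved sharing service, and a
# small catalogue of file-sharing domains the security team wants visibility on.
SANCTIONED = {"files.corp.example"}
FILE_SHARING = {"dropbox.com", "sharebox.example", "files.corp.example"}

# Constructed sample proxy log: timestamp,user,method,host,bytes_sent
SAMPLE_LOG = """\
2024-03-04T09:12:01Z,jsmith,POST,www.dropbox.com,48211034
2024-03-04T09:15:40Z,jsmith,POST,www.dropbox.com,51002113
2024-03-04T09:20:07Z,adoe,PUT,files.corp.example,73400211
2024-03-04T09:31:55Z,adoe,GET,www.dropbox.com,0
2024-03-04T10:02:19Z,mlee,POST,upload.sharebox.example,2500000
2024-03-04T10:05:33Z,mlee,POST,notdropbox.com,9000000
2024-03-04T10:07:02Z,kwong,POST,www.dropbox.com,1200
"""

def service_for(host, domains):
    """Return the catalogue domain that host belongs to, or None."""
    host = host.lower().rstrip(".")
    for domain in domains:
        # Match the domain itself or a true subdomain, not a lookalike suffix.
        if host == domain or host.endswith("." + domain):
            return domain
    return None

def find_shadow_uploads(log_text, min_bytes=1_000_000):
    """Total bytes uploaded per (user, unsanctioned service) above min_bytes."""
    totals = defaultdict(int)
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 5:
            continue  # skip blank or malformed lines
        _, user, method, host, sent = row
        service = service_for(host, FILE_SHARING - SANCTIONED)
        if service is None or method.upper() not in {"POST", "PUT"}:
            continue  # sanctioned, unknown, or not an upload
        if not sent.isdigit():
            continue
        totals[(user, service)] += int(sent)
    return {k: v for k, v in totals.items() if v >= min_bytes}

if __name__ == "__main__":
    for (user, service), sent in sorted(find_shadow_uploads(SAMPLE_LOG).items()):
        print(f"{user} uploaded {sent} bytes to unsanctioned {service}")
```

The output is a starting point for the conversation with the affected team about which approved tool is falling short, not only a block list.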
To counter this, IT departments need to have strategic meetings with end-users to address pain points. End-users are circumventing IT administration because they want to get their job done in an efficient and streamlined workflow, yet are lacking the proper tools to be productive. Some steps to prevent Shadow IT include but are not limited to:
- Identify weaknesses within IT’s policies and procedures that caused users to go the Shadow IT route in the first place.
- Reestablish relationships with department heads and end-users who like to circumvent IT, and try to nail down the pain points to be remedied.
- Reinforce that IT is the single gatekeeper for technology within a business infrastructure, and that solutions and services need to be presented to IT before implementation.
Taking proactive measures will help reduce Shadow IT instances and also mitigate your company’s risk of vulnerabilities. Don’t wait until it is too late. If you don’t figure out a solution, someone else will, and it may not be a secure method of problem-solving.