“Shadow IT” is a term for IT projects that are set up by company staff without the knowledge, approval, or oversight of management. This phenomenon is not new: it has always gone on, with employees bringing in shareware apps and software from home. In the last decade the threat of Shadow IT has expanded greatly, thanks to the rise of cloud computing. Staffers can easily use the division credit card to launch projects with major cloud companies – without any management knowledge whatsoever.
- Cloud-based applications accessed directly from the network, such DropBox.
- Cloud-based, connected applications accessed anywhere online, from home or work, like Google’s G Suite.
- Off-the-shelf, packaged software. These can be Web design or graphics software, among many other types.
With all of these options available, employees have made the most of them. The advisory firm CEB estimates that 40% of all IT spending at a company occurs outside the IT department.
This does not sit well in some companies, especially highly regulated industries like medical and finance. Yet companies in fact gain from Shadow IT, arguably. While there are undoubtedly examples of malicious use, in the majority of cases, employees are paying out of pocket to make their business more competitive and more productive.
For various reasons, tech-smart employees bring technology into work that their employer does not use. In the Bring Your Own Device (BYOD) trend, people were perfectly willing to use their own smartphone or laptop at work rather than the company issue, which often fell short by comparison.
Instead of seeing Shadow IT as a threat, some companies view it as an opportunity to leverage employees to identify the applications they want to use to get the job done. And if they are willing to pay for it, so much the better.
Challenges Created by Shadow IT
The challenges created by Shadow IT are several and mirror regular IT issues. They are made worse by the absence of any governance or oversight.
- Loss of control: This is problem number one with Shadow IT. When IT has no control of an application, they have no control over who can access that application. You can’t control what you don’t know and the consequences for that can be severe.
- Data breach: In 2016, Gartner predicted that by 2020, “a third of successful attacks experienced by enterprises will be on their Shadow IT resources.” That’s because some cloud providers are better at security than others, while others aren’t as good as they think, as a few Hollywood actresses learned the hard way a few years back.
- Theft: This is obvious. A sales rep can steal a customer database by dropping it into their own DropBox – that only they can access. That database has effectively walked out the door.
- App sprawl: A term for many apps being used instead of one. Some employees may like Office 365, others Google G Suite, or LibreOffice. Cloud storage options are numerous: Box, DropBox, OneDrive, G Drive, and so on. The lack of central governance means people will pick and choose anything they want.
- Compliance: You're in trouble if you’re a law office and an employee puts legal documents on iDrive. In most highly regulated industries the employees are well aware of their industry’s regulation regarding customer privacy, but you never know.
- Inefficiencies: This may seem contradictory to the goal of Shadow IT, but it can have potential impact on the network if many employees are using high bandwidth apps they shouldn’t or possibly impacting company server performance.
- Wasted money: It could very well be that the company has exactly what an employee needs and the person does not know it. So they are wasting money on a service when it is already available to them.
Setting up a Shadow IT Policy
Shadow IT is ultimately a failure of communication between employees and management. As Phil Richards, CSO of LANDESK, told IT Business Edge, “the existence and growth of shadow IT are usually a sign that the central IT organization is not meeting the needs of the business.”
An RSA study reported that 35 percent of employees feel like they need to work around their company's security policies just to get their job done. You don’t want this kind of climate in your company.
So having open lines of communication between managers and employees is crucial to any business to prevent Shadow IT. New hires need to be told what’s acceptable and what is not, and also that there is an open door policy to better software/cloud ideas. Management needs to know there is a problem if staff feel frustrated in their efforts to do their work.
Therefore, the best prevention to Shadow IT is to adopt a well-considered policy to monitor software and cloud services. Encourage employees to submit ideas for brands and/or types of technology that enhance their job performance and efficiencies. Make careful decisions about adopting these technologies. Then communicate what is – and is not – allowed to staff.
A cloud governance board should be used to establish a catalogue of approved cloud services. Tell your employees which services they may use, which they may not use, and importantly, why. It could be some services are not regulatory compliant or have poor track records.
Shadow IT Discovery and Monitoring
Discovering Shadow IT isn’t that hard. Even if employees are not loose-lipped, their secret can get out. The most obvious one is traffic logs. Your networking equipment keeps a record of all inbound and outbound traffic, so monitor that traffic for popular cloud companies and storage facilities.
There is a growing need for the cloud access security broker (CASB) market. These apps help monitor a corporate network for unauthorized cloud application usage.
IBM jumped into the CASB market with its Cloud Security Enforcer service and Managed Cloud Data Protection. McAfee has its NVISION Cloud CASB, while Symantec has CloudSOC. Microsoft has two products, Microsoft Cloud App Security (MCAS) and Windows Defender Advanced Threat Protection (WDATP). There are many more products to help companies discover – and fight – Shadow IT.
Using these tools to uncover Shadow IT should not lead to punishment, unless there is a significant violation of security or regulatory policy. Rather, it should be looked upon as an opportunity to work with staff to help them better do their job, because (usually) that is their intention.