Shadow IT refers to IT technologies, solutions, services, projects and infrastructure utilized and managed without formal approval and support of IT departments. Shadow IT technologies may not align with the organizational requirements and policies pertaining to compliance, security, cost, documentation, SLA, reliability and other key factors that determine the formal support of an IT system by appropriate decision makers in the organization. As such, users of Shadow IT systems bypass the approval and provisioning process and utilize the unauthorized technology without knowledge of their IT department.
Risks Associated with Shadow IT
While employees are able to conveniently complete their job tasks using Shadow IT systems, the technology introduces unprecedented risks, inefficiencies and cost to the organization, including:
- The organization loses control and visibility into the data migrated to Shadow IT systems. The risks include security and regulatory noncompliance, data leaks and inability to perform disaster recovery measures involving data in Shadow IT systems when required.
- System inefficiencies arise when data is stored and used in multiple infrastructure locations. If the organization isn’t informed of the data flows, IT departments cannot plan for capacity, system architecture, security and performance across data in disparate and siloed Shadow IT apps.
- Once a Shadow IT system becomes a critical part of the project and IT users need to scale the resources, the cost incurred by the organization to continue using the service may be unjustified. This is a common concern with SaaS applications such as cloud storage.
- For organizations subject to stringent compliance regulations, the risk of Shadow IT can have far-reaching consequences. For instance, if IT users at a healthcare institution store sensitive patient data in Shadow IT cloud storage solutions, they may be required to audit, identify and disclose the scope and impact of this incident. In addition to exposing privacy-sensitive information to cyber-attacks, the organization may also face costly lawsuits for noncompliance that may damage its brand reputation and business.
How to Respond to Shadow IT
Shadow IT is inevitable. Gartner research finds that an average of 30 to 40 percent of the purchases in the enterprise involve Shadow IT spending. Research by Everest Group found these figures are closer to 50 percent. As a result, organizations must take strategic measures to reduce both the need for and the risk associated with Shadow IT solutions:
- Communication and Collaboration: Discover the needs of IT users. Break the silos. Enable easy, convenient and effective communication between IT departments and IT users, in order to understand the true needs, experience and feedback of end-users on existing and new required technologies.
- Education and Training: Inform users regarding the risks associated with Shadow IT and how the organization can assist in fulfilling the technology requirements without having to bypass the standard governance protocols. Security-aware employees who share the organization’s vision toward IT security are more likely to understand the risks associated with Shadow IT and will be encouraged to find appropriate solutions to address their technology needs.
- Streamline Governance: Develop an IT governance structure that facilitates innovation through the use of new technologies identified, vetted, available and provisioned for IT users at rapid pace. Develop user-centric policies and anticipate their requirements. Balance policy enforcement with the flexibility to evolve and respond to changing IT needs of end-users.
- Use Technology to Discover Shadow IT: Deploy technology solutions to monitor anomalous network activities, unexpected purchases, data and workload migrations, IT usage patterns and other indicators of Shadow IT practices. Proactive discovery can allow organizations to mitigate the risks of Shadow IT faster.
- Assess and Mitigate the Risks: Not all Shadow IT technologies pose the same threat. Continuous assessment of technologies in use at the workplace can allow organizations to strategize risk mitigation activities based on the risk-sensitivity of every Shadow IT technology.
Establishing Policies Around Shadow IT
A critical first step for dealing with Shadow IT is to clearly map an organization’s global IT landscape according to the potential impact that each family or group of resources, or each individual resource, will have on the corporate core business.
The CIO needs to list and classify the known, commercially available Shadow IT resources into three categories: Sanctioned; Authorized (not sanctioned, yet irrelevant to the business); Prohibited (not sanctioned and dangerous).
This is a corporate matter that does not merely concern a technical perspective and therefore should be dealt with by the CIO. This is something that impacts people and their motivation as well as potentially some business-critical processes or information, so the policy should typically be defined and sponsored at the board level.
Some key questions need to be addressed, such as:
- Since by law some information on a collaborator’s workstation (like emails) may be that collaborator’s property, should the workstation environment also be classified by the company as such?
- Is a collaborator entitled to use any tools that he/she may find suitable to boost his/her productivity if they pose no risk for the corporation? If so, what is the registration/approval process that needs to be followed?
- What will the impact of prohibitions be, and how likely are collaborators to comply with them? It is pointless to have someone spending hours trying to find a way around a prohibition instead of doing their work.
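The discovery measure described above (monitoring network activity for Shadow IT indicators) combined with the three-category policy register (Sanctioned / Authorized / Prohibited) can be turned into a simple triage script. The example below is added here and is not from the original article; the policy register, the proxy log format and every domain, user and log line in it are constructed for illustration.

```python
# Added example (not from the original article): surface Shadow IT from
# web-proxy logs by classifying destination hosts against the CIO's policy
# register. All hosts, users and log lines below are constructed.
from collections import defaultdict
from urllib.parse import urlsplit

# Hypothetical policy register: the article's three categories.
POLICY = {
    "sanctioned": {"sharepoint.example.com", "mail.example.com"},
    "authorized": {"notes-tool.example.net"},   # tolerated, low risk
    "prohibited": {"free-cloud-drive.example.org"},
}

# Constructed proxy log lines: timestamp user method url bytes_sent
PROXY_LOG = """\
2024-01-10T09:01:02Z alice GET https://sharepoint.example.com/docs 1200
2024-01-10T09:03:15Z bob POST https://free-cloud-drive.example.org/upload 52428800
2024-01-10T09:05:40Z carol PUT https://unknown-saas.example.io/api/files 2097152
2024-01-10T09:06:01Z bob POST https://free-cloud-drive.example.org/upload 10485760
2024-01-10T09:07:22Z dave GET https://notes-tool.example.net/ 800
""".splitlines()

def classify(host):
    """Map a host to its policy category; anything not in the register is
    'unknown', which is exactly the Shadow IT the register does not yet cover."""
    for category, hosts in POLICY.items():
        if host in hosts:
            return category
    return "unknown"

def find_shadow_it(lines, upload_threshold=1_000_000):
    """Return {(category, host): stats} for every non-sanctioned destination.
    Uploads (POST/PUT) above the byte threshold to unknown or prohibited
    hosts are the findings a responder triages first."""
    findings = defaultdict(lambda: {"users": set(), "bytes_out": 0, "large_uploads": 0})
    for line in lines:
        _ts, user, method, url, nbytes = line.split()
        category = classify(urlsplit(url).hostname)
        if category == "sanctioned":
            continue                      # approved tooling, nothing to report
        rec = findings[(category, urlsplit(url).hostname)]
        rec["users"].add(user)
        if method in ("POST", "PUT"):     # data leaving the organization
            rec["bytes_out"] += int(nbytes)
            if int(nbytes) >= upload_threshold:
                rec["large_uploads"] += 1
    return dict(findings)
```

Running `find_shadow_it(PROXY_LOG)` on the constructed log reports the prohibited cloud drive (two large uploads by one user), one unregistered SaaS host and one authorized tool with no outbound data.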