Shadow IT – a challenge for your business?

November 4, 2015

Shadow IT is the term for information-technology solutions adopted inside an enterprise to compensate for the busy schedule of the official IT department. Technical issues that occur are resolved without explicit organizational approval.

Factors that generate shadow IT

  • Mobility allows every employee to access the Web whenever and wherever – thus increasing the availability of tech knowledge and solutions.
  • Cloud availability offers the opportunity for non-IT personnel to reach independent solutions instead of waiting for the IT department to make time for their problems.
  • Cloud-based apps are growing in number and are increasingly easy to use – they provide connectivity and useful tools, and come with their own IT assets, which are outside the company’s control. Off-premises software-as-a-service (SaaS) activities are therefore performed from inside the offices, when people look for ways to cope with the insufficient capacity of the internal IT professionals. Services like Dropbox, Google Drive or Box tend to attract more and more users, including during work hours – and office tasks end up including the use of such tools.
  • Tech literacy is gradually increasing and now characterizes almost every employee. The latest IT tools come with more user-friendly interfaces, while the age parameters change to favor the younger generation. Soon all employees will possess a medium or high level of tech knowledge. However, what they do not possess in most cases is an equally high level of cyber-security awareness, and this leads to enterprise data ending up in unsecured systems and unreliable databases.
  • Funding for the enterprise information-technology department tends not to keep up with the emerging necessities. Confronted with the growing tech necessities, the employees find their own ways to fix IT problems, in order to continue their tasks.
  • The prioritizing system used by the IT departments also leads to extra-official tech solutions: confronted with many projects and requests, the IT personnel select the most important ones to approach first – and this leaves out an eternally overlooked batch of problems. This motivates the “do it yourself” attitude in employees and stimulates innovation, outside the approved lines.

The cyber-risks of shadow IT

As we mentioned above, while working, employees have access to company data – they modify files, export or import information, deal with the storage of critical or sensitive digital documents.

  • Data leaks may occur when employees store or backup their work in off-premises databases – the kind of virtual databases that are often targeted by cyber-attackers. Even more risk ensues when the storage is unofficial and therefore the authentication is single-factor as opposed to the multi-factor authentication an official enterprise account might establish when collaborating with a virtual storage service provider.
  • Control issues arise when it comes to mitigating an attack or reducing the losses once a cyber-attack has taken place: without any previously established procedure and without management of the transferred data, it is very complicated to determine what was compromised and how to act to minimize the losses.
  • Compliance and audit risks – there are some strict rules when organizations prepare for their compliance certificates. Having no control over professional data and its whereabouts is a major flaw for the compliance certification process. This may come up when a critical unpleasant cyber-security event takes place (and move on to liability issues), or during an audit procedure – leading to the revocation of the compliance certification.
  • Integration risks affect the general organizational IT connectivity – when different persons employ different tools, integrating the virtual documents or any other type of product based on a fragmented work environment might prove very challenging. On top of this, people may change inside the department or inside the company, and a proper continuity in activity may be endangered by the independent work-style of some of the employees. The speed and integration of work processes may depend on a predetermined, approved set of apps that are used by all staff when necessary.

Recommended steps in approaching Shadow IT

To reiterate the title-question, one must first find out whether shadow IT is present inside the enterprise and which of the risks mentioned above are most likely to affect the company activities. An internal audit – even a non-formal one – might prove useful in determining the internal situation shadow IT-wise. Cloud Security Alliance found in its study that almost 72 percent of executives have no idea of the shadow IT situation in their company.

Having (and reiterating) or establishing a cyber-security policy for your business helps mitigate other security risks as well, and also reduces the dangers of “do-it-yourself-IT”. Employees should be trained and encouraged to develop a cyber-awareness attitude.

Acknowledging the real situation of your IT department also helps: are they under-staffed, do they need to postpone various issues, and how are these issues really overcome – these are just a few of the useful questions to which you may find surprising answers. Maybe change the way tasks are assigned or train the unofficial “fixer” to be more aware of cyber-security and of the company’s IT policy – and get the best out of two worlds.

In addition, there are automated solutions that can identify any shadow IT-related security breach for you: the latest generation of hardware and software tools can be set up to alert on any unofficial data traffic that goes on inside the office. When deciding what to allow and what to block, it is wise to choose your battles and limit only those operations that might actually endanger your data security; otherwise, over-restriction might stimulate other creative ways for your employees to deploy their usual connectivity habits at work.
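As an added illustration (not part of the original article), the following sketch shows how the informal audit and the alerting described above could run over web-proxy logs: it totals uploads to unsanctioned storage services per user and alerts only on large transfers, leaving the rest as inventory. The log format, the domain lists, the sanctioned `corp-storage.example` service and the 50 MiB threshold are all assumptions.

```python
from collections import defaultdict

# Constructed sample proxy log (assumed format: time user method host bytes_sent)
SAMPLE_LOG = """\
2015-11-02T09:14:07 alice POST www.dropbox.com 52428800
2015-11-02T09:15:41 bob GET drive.google.com 2048
2015-11-02T09:20:13 alice PUT files.corp-storage.example 10485760
2015-11-02T10:02:55 carol POST upload.box.com 734003200
2015-11-02T10:03:10 bob POST drive.google.com 1048576
2015-11-02T10:09:30 dave POST notbox.com 999999999
malformed line
"""

SANCTIONED = {"corp-storage.example"}          # assumed approved enterprise service
WATCHED = {"dropbox.com": "Dropbox", "drive.google.com": "Google Drive", "box.com": "Box"}
ALERT_BYTES = 50 * 1024 * 1024                 # assumed threshold: alert from 50 MiB

def match_domain(host, domains):
    """Return the listed domain that host equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    return next((d for d in domains if host == d or host.endswith("." + d)), None)

def audit(log_text):
    """Sum uploaded bytes per (user, service) for unsanctioned storage services."""
    uploads, skipped = defaultdict(int), 0
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            skipped += 1                       # count unparseable lines, do not hide them
            continue
        _, user, method, host, sent = parts
        if method not in ("POST", "PUT") or match_domain(host, SANCTIONED):
            continue                           # downloads and approved storage are ignored
        service = match_domain(host, WATCHED)
        if service:
            uploads[(user, WATCHED[service])] += int(sent)
    return dict(uploads), skipped

def triage(uploads):
    """Alert only on large transfers; smaller use is kept as inventory for the audit."""
    alerts = sorted(k for k, v in uploads.items() if v >= ALERT_BYTES)
    inventory = sorted(k for k, v in uploads.items() if v < ALERT_BYTES)
    return alerts, inventory

if __name__ == "__main__":
    found, skipped = audit(SAMPLE_LOG)
    print(triage(found), "unparsed lines:", skipped)
```

Matching on whole domain labels keeps a lookalike host such as `notbox.com` from being counted as Box traffic.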

Alternatively, just make the next big step and ensure a cyber-security compliant cloud service to be available for all your employees while at the office. The enterprise cloud services could in fact prove a welcome solution for more than just this particular concern of “do-it-yourself-IT”.

There are software services providers that have already acknowledged and tackled the shadow IT problem. For example, IBM offers a new Cloud Security Enforcer that aims to help businesses safeguard their data whilst employees are still able to use their own apps at work.

The roughest and most immediate action would be completely blocking those apps that are dangerous.

Why shadow IT is both a nuisance and an opportunity

We have seen why shadow IT may be a nuisance and a risk for a company.

Nevertheless, when employees come up with their own solutions to the problems that appear in the workplace, innovation and creativity show up, and prototype software solutions may be born. Looking for more efficient ways to perform their tasks, the “fixers”, the tech-savvy or the amateur developers you might have among your employees may well provide ideas that prove both useful and surprising.

That is why there are voices that support the encouragement of “citizen developers” as such persons are dubbed. Balancing the security risks with the opportunities brought on by innovative ideas, some claim that shadow IT should be embraced and encouraged.

Once you have secured your enterprise IT environment, risks are diminished. The goal should be to let this phenomenon go on, in this more secure virtual space, as long as work benefits from it. Seen as a modern trend, characteristic of the modern workforce, this acquired ability to solve various IT issues should therefore not be stifled.

True as it is that shadow IT raises a challenge for any organization, interesting solutions and innovations may appear out of this practice, as well.