Shadow IT Explained: Risks & Opportunities


Cloud technology makes it easier than ever to bypass IT procurement protocols and access solutions needed to satisfy the requirements of your job. IT controls and strict governance practices are usually designed to ensure the organization’s safety, but they are not always aimed at meeting the needs of the employees that work within these guardrails. This has resulted in shadow IT — the practice of bypassing IT constraints in order to access necessary cloud software services for a functional department.

A recent survey of CIOs by Symantec found that they wildly underestimated how many apps were running on their networks. The gatekeepers of the IT pipelines assumed there were no more than 40-50 apps running on their corporate networks, when in actuality, the number was over 900.

What is Shadow IT and How Do You Manage It?

Shadow IT refers to the use of IT-related software or devices by departments or individuals without corporate IT and security sanctioning that use. Since cloud software solutions came on the scene years ago, it has been a growing challenge for IT departments in businesses of all sizes. Shadow technology grew rapidly through consumerization. User comfort has grown as individuals download and use applications in the cloud to help with work tasks. Cloud access security brokers provide visibility of software-as-a-service (SaaS) applications.

Each application connected to the internet with any device or hardware is dangerous and can increase your risk profile. IT organizations must know who uses these applications so they can enforce compliance across users, applications and devices in their networks. The problem grows when an employee uses a personal device or downloads a program onto a corporate device. To achieve a secure posture, an organization needs to understand how shadow technology works and how to manage the risks and opportunities.

Embracing the Shadow

Shadowing is inevitable. Employees use shadow IT practices to make completing their job duties easier and more flexible. Gartner reports an average of 30-40% of business purchases involve shadow IT expenditures. Agile organizations with rapid software development cycles will have the most trouble embracing shadow IT opportunities. Specifically in agile/DevOps-focused enterprises, the need for new technology can arise without giving IT departments much warning to identify, verify, and approve the product.

When the majority of an organization uses shadow apps, this can be beneficial to the entire enterprise. Some shadow technologies help maintain redundancy, availability, compliance, and security of an organization. They’re also useful for moving your IT infrastructure from a prohibitive environment to a more flexible one.

These are all apps that, if brought under the umbrella of the corporate IT structure, could benefit the entire enterprise while also minimizing the risks that come with employees running the apps on the sly.

Shadow IT Cybersecurity Risks

Every organization has certain kinds of personal data which must be protected. Information is protected when employees can’t access it. A company cannot detect customer personal data if it does not know where its records are. Data loss is also an important aspect of the situation. Often an employee who used shadow technology for business operations leaves the business, and those apps or credentials might never have been found by your company’s IT department.

Organizations can use shadow technology to create safe and useful tools for disruptive innovation. You must create and execute strategic plans to reach employees, the IT department, and the business. Supporting new technologies can help organizations deliver new product offerings to the markets faster and easier by providing easier-to-use tools.

Here are some core questions to consider when evaluating any shadow IT risk mitigation plan:

  • Which shadow IT apps are the most popular and what are the employee usage statistics?
  • What is the risk level of each shadow IT application or service? Which services store sensitive or confidential data? Collaboration, file sharing, and data storage apps are more likely to be high-risk apps.
  • How effective are the cloud security, privacy, and compliance procedures for enforcing acceptable cloud use policies?
  • Which business partners’ cloud services are employees accessing, and at what risk?
  • Are there redundant services in use that are introducing additional cost and risk or inhibiting productivity?
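
The first, second and last questions above can be answered from web proxy logs. The following is an added example, not part of the original article: it counts users per unsanctioned app, flags the categories the article calls high-risk, and lists categories where more than one app is in use. The log format, the app catalog, the sanctioned list and all hostnames are constructed assumptions.

```python
from collections import defaultdict

# Constructed catalog (assumption): destination host -> (app name, category).
CATALOG = {
    "drive.corp-approved.example": ("ApprovedDrive", "file sharing"),
    "quickshare.example": ("QuickShare", "file sharing"),
    "teamchat.example": ("TeamChat", "collaboration"),
    "pdfmerge.example": ("PDFMerge", "utility"),
}
SANCTIONED = {"ApprovedDrive"}  # apps IT has approved (assumption)
# Categories the article names as more likely to be high-risk.
HIGH_RISK = {"collaboration", "file sharing", "data storage"}

# Constructed proxy log: "<timestamp> <user> <destination host> <bytes sent>"
SAMPLE_LOG = """\
2024-05-01T09:00:01Z alice drive.corp-approved.example 1200
2024-05-01T09:02:10Z alice quickshare.example 5000000
2024-05-01T09:05:43Z bob quickshare.example 300
2024-05-01T09:07:00Z bob teamchat.example 800
2024-05-01T09:09:30Z carol pdfmerge.example 45000
2024-05-01T09:11:12Z carol unknown-host.example 10
malformed line
"""

def inventory(log_text):
    """Return (unsanctioned-app report, redundant categories, uncatalogued hosts)."""
    users, sent = defaultdict(set), defaultdict(int)   # per-app users / bytes sent
    by_cat, unknown = defaultdict(set), set()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue                       # skip malformed records
        _, user, host, nbytes = parts
        entry = CATALOG.get(host.lower())
        if entry is None:
            unknown.add(host.lower())      # not in catalog: needs manual triage
            continue
        app, cat = entry
        users[app].add(user)
        sent[app] += int(nbytes)
        by_cat[cat].add(app)               # sanctioned apps count toward redundancy
    cat_of = {app: cat for app, cat in CATALOG.values()}
    report = sorted(
        ({"app": a, "category": cat_of[a], "users": len(u),
          "bytes_sent": sent[a], "high_risk": cat_of[a] in HIGH_RISK}
         for a, u in users.items() if a not in SANCTIONED),
        key=lambda r: (-r["users"], r["app"]))
    redundant = {c: sorted(a) for c, a in by_cat.items() if len(a) > 1}
    return report, redundant, sorted(unknown)
```

Calling `inventory(SAMPLE_LOG)` returns the unsanctioned apps ordered by distinct user count, the categories with overlapping services, and the hosts that still need to be classified.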