Shadow IT is becoming a reality in the vast majority of companies, regardless of their size. Faced with this multifaceted phenomenon, the IT department must ensure an acceptable balance between managing the potential risks and possible benefits of this underground IT. Shadow IT: what threats, what benefits, what controls?
The notion of Shadow IT refers to the idea of an
unofficial IT
in the company. It covers all software, applications, tools or hardware used on a daily basis within a company to facilitate collaboration, software development, content sharing, storage or data manipulation for example, which have not been tested, examined, approved, implemented or secured by the IT department, in accordance with internal procedures.
What is Shadow IT?
If Shadow IT exposes the company to potential risks, it can also generate disruption and innovation. And fill in the gaps. According to Microsoft – which is taking a close interest in the phenomenon – Over 80% of employees admit to using unapproved SaaS applications for business purposes. It is no longer an isolated phenomenon, but a norm.
Shadow IT is not an isolated phenomenon: it has become the norm.
In its white paper “
Shadow IT Primer
“The ISACA association, which brings together IT decision-makers from around the world, analyzes the scope of a company’s shadow IT. It identifies the tools that users need but that the IT department is not able to provide. Most of the time, they are cloud-based and require little investment and skills, as their implementation does not require the intervention of IT teams.
Some illustrations of what Shadow IT includes
– Collaboration tools for meetings or teams,
– Task management tools,
– Specialized databases,
– Brand tracking software,
– Financial analysis software,
– Solutions for document transfer or data exchange.
A dangerous slide
But every application from this
underground IT
generates data on which the ISD has no follow-up or control. Uncontrolled exposure of this data therefore creates potential risks for the organization, as malicious hackers may target these insecure accesses first.
While intuitively one might think that Shadow IT represents a minor problem with a limited scope, statistics show otherwise. Research from NTT Communications (“Shadow IT- Cloud Usage a Growing Challenge for CIOs,“) indicates that the phenomenon even permeates the management of the company. According to the study, 77% of decision-makers in the company admit to having used at least one cloud application without receiving validation from IT or even without informing them.
How does Shadow IT start in the enterprise?
The vast majority of employees who use Shadow IT do not do so with the intention of harming the company. By choosing tools adapted to their real needs – which they often solve with their own means before reimbursement – these employees feel they are bringing innovation to the company. This sense of doing the right thing is key to understanding the strong growth of Shadow IT in organizations.
Another gas pedal is the decline in IT costs: a few years ago, the price of hardware and software made it out of reach for an employee. Companies could easily control the sourcing of IT supplies through their purchasing departments.
Today, the cost of access to technology has opened a royal road to Shadow IT.
But cost isn’t the only reason more and more employees are moving away from traditional IT purchasing processes. In a business environment where speed and reactivity reign supreme, employees demand immediate solutions when problems arise. However, the decision-making processes of CIOs are seen as a hindrance to innovation and agility.
Resources that fly under the radar
However, by bypassing procurement structures, shadow IT practitioners bypass not only the processes, but also the tool evaluation and control implementation phases. These steps, which are mastered by IT departments and considered too slow by the business, are aimed at protecting information systems from real external threats.
The example of new generation printers connected to the Internet The example of new generation printers connected to the Internet and which record data on an internal hard disk illustrates the dangers of an insignificant IT purchase, often misjudged by the teams.
Some Shadow IT enthusiasts are sometimes aware of the dangers of their isolated purchases. But they generally believe that publicly known applications are necessarily harmless. Often these employees also believe that the security controls put in place by IT will protect all IT devices after the fact. This is to forget that companies – even with the best security specialists – can hardly protect what they don’t control.
Shadow IT, threat or opportunity?
Given the inherent risks of Shadow IT, should companies focus on eradicating it and establishing draconian measures to prohibit the use of uncertified applications or software? Not always.
Shadow IT is initiated by employees who identify a new need or an opportunity to improve a process or task for the organization. They help bring fresh ideas to improve the way we collaborate and move the business forward. Their vision is oriented towards a continuous and creative search for concrete solutions. Taking too drastic measures against shadow IT can therefore break the innovation dynamic in the company, instead of encouraging it.
Many companies believe that the subject deserves special attention, with responses adapted to each case. This means first understanding the reasons for moving towards “unconventional” solutions before deciding to prohibit them if – and only if – it is demonstrated that they can generate harm to the company.
By taking a nuanced look at Shadow IT, the IT department can discern potential areas for improvement. This approach preserves an innovative intent and engages the IT department to quickly provide a secure alternative.
More and more CIOs are trying to take advantage of the reality of Shadow IT, as some relevant innovations can emerge from this underground IT.
The most innovative companies even accept that Shadow IT applications come out of the shadows and become established in the long term after the risk of harm has been deemed sufficiently low. For the latter, the gradual adoption by employees is considered a simple pilot phase.
Threats and inefficiencies related to Shadow IT.
The threats related to Shadow IT practices are numerous and should not be underestimated.
Some common threats:
Compliance with regulations
The use of some shadow IT software may involve regulatory compliance issues, including privacy policy. A routine approval process detects these non-conformities. A report published by Symantec (“Shadow Data Report”) states that 23% of the documents in the cloud are not protected and 12% of them contain confidential data, such as source code or legal information. The licensing aspect of software can pose legal risks as well. It is when the request for license renewal reaches the financial department that the company discovers that the software in question is part of the Shadow IT.
Security
When they penetrate through Shadow IT, security breaches can represent a high level of risk to the enterprise. Some software provide privileged access to hackers to loot or destroy data, or introduce ransomware malware into the system. Some cloud services – file sharing, social networks… – are not sufficiently secure spaces for data protection.
Loss of income
The use of Shadow IT, as we have seen previously, is often the result of an individual or a business unit taking advantage of an opportunity and saving time on a usual process. That’s why in some cases, a software or an application from the Shadow IT really allows the company to generate revenues. If the IT department requires the removal of this solution without offering an alternative software, this may result in a net loss of revenue.
Third parties
No matter how hard a company may work on security or privacy policies, it never acts in isolation. Collaborations with less rigorous third parties, on topics such as marketing support or analytics for example, can ruin the efforts made. Once a third party has access to its own network, the possibility of a data breach or leak exists.
Poorly adapted Shadow IT management policies.
Some companies do not have Shadow IT management policies in place. Others identify the risks associated with Shadow IT and create rules to protect themselves, but fail to enforce them. When it exists, the “governance” of Shadow IT must be simple, the rules well written and communicated to all employees. The company must also be clear on the obligation to read these rules and to integrate the choices made by the company for the management of IT on a daily basis.
Reputation damage
In some industries, providing inaccurate information may be considered a violation with a risk of fine. Thus, in the case of Shadow IT software that compiles product information for company websites without strict control, the consequences in terms of image can be significant.
By nature, Shadow IT is not a real solution, but rather a technical shortcut to an often imperfect solution. Such configurations are often wasteful, and ultimately generate low levels of efficiency. The related technical debts will have to be settled sooner or later involving oversized efforts to make up for the mistakes. The negative impacts on the activity can thus be felt in a very concrete way and go far beyond the initial scope of its application (a business unit for example).
Duplication
By definition, Shadow IT often introduces duplication of software or data already existing elsewhere in the company. The result is again a waste of time, money and especially potential data conflicts.
In view of the multiple and real risks linked to the amplification of Shadow IT, placing all IT systems under the strict control of a solid and clearly stated governance is in the strategic interest of every company.
To be successful in managing shadow IT, companies need to find a balance. While removing technologies that pose a potential threat is critical to ensuring business protection, at the same time, companies must continue to explore new tools, and new technologies. Each company can adjust this balance through the drafting of the IT governance best suited to their business on the one hand, and through efforts to educate employees on these topics on the other.
In the end, only the individual and collective commitment of users will allow the vision of a responsible Shadow IT management. Regular exchanges between the IT department and the business are also part of the answer for a peaceful Shadow IT.
Find the complete Isaca Shadow IT Primer study.