June 23, 2020 by Siobhan Climer and Mishaal Khan
Shadow IT is something that all IT Directors are familiar with, even if they don’t use the official name for it. While it might sound grandiose or foreboding, discerning what is shadow IT takes a bit more of a nuanced understanding. Shadow IT is when other departments or individuals in a business implement technology solutions without the oversight or approval of the official IT department.
It’s simply IT that happens in the shadows.
Now, it bears mentioning that this is often done with the best of intentions. Business units simply want to do their jobs more efficiently, so they find a solution that — in their minds — works. Many fail to realize the ramifications this can have.
What Is Shadow IT? Definition And Examples
Also known as stealth IT, fake IT, or – our personal favorite – feral IT, shadow IT is the use of IT-related hardware or software without the knowledge of the central IT department. It comes in many forms:
A teacher using an unauthorized EdTech platform to support student reading initiatives;- A department creating and using an unauthorized Slack channel to share messages and data;
- A team using Google Docs (or another file sharing tool) to make quick copy edits; and
- An employee using Facebook credentials to log into a third-party app via their corporate cloud account.
A teacher using an unauthorized EdTech platform to support student reading initiatives;Shadow IT happens at organizations of every size and is an enormous security risk. Yet it also has some benefits; so many, in fact, that some IT leaders welcome the challenge to their institutional management.
“As the number of workplace technologies increases, IT teams must create more agile organizations that embrace modern security protocols — from high-security password-less systems access to hands-free authentication — while preserving employee innovation and collaboration,” says Anudeep Parhar, CIO Entrust Datacard in the release of a new report on the premise of shadow IT.
What Are The Benefits Of Shadow IT?
According to the latest Entrust Datacard report, 77% of IT professionals believe that shadow IT can facilitate innovative solutions, which are needed by organizations to to remain competitive. How does shadow IT drive innovation?
It’s simple. Employees are eager to improve their efficiency, and they understand how solutions like file sharing and mobile devices can drive these efficiencies. Users know their jobs better than IT; they must. And so they identify inexpensive solutions.
In addition, IT has to remember:
- Employees like using their preferred tools.
- Employees are more efficient in finding solutions and meeting objectives when using these tools.
- Employees want to be trusted to make decisions around how technology facilitates their jobs.
- Employees will find a solution that works for them – whether IT likes it or not.
While shadow IT can have enormous benefits, there are significant risks that must be understood, mitigated, and communicated to employees in order to achieve the desired results shadow IT can create.
What Are The Consequences of Going Rogue?
- Security Risks: This is the big one. Other departments in a company may not understand how a piece of software or hardware can open up the organization to risk. Even if they did, they lack the skills to verify how secure the solution may be. The application may be risky in ways a non-IT professional may not expect; for example: Google Docs. While the cloud storage of Google Docs itself is secure, it is extremely easy for an employee to share critical data or documents with non-qualified personnel or even with competitors.
- Incompatibility: Despite what some managers way think, no department operates in isolation. Everyone’s job role is connected in one manner or another. That being said, the work that one department performs will inevitably be used by another at some point. If every department is using a different application for similar functions, there are sure to be issues.
- Diminished ROI: Everything the IT Department installs, maintains, or updates has a calculated use and expected added value to the company. By not using the tools that IT has invested in, it is harder to calculate the tool’s benefits. That big, expensive, and powerful application designed to solve all your problems turns into an underused waste of money. Perhaps it is a waste of money, but the organization can’t solve for what they don’t know.
What Is An IT Department To Do About Shadow IT?
In the end, shadow IT is about balance: balancing security with usability, expertise with innovation, and theory with practicality. Shadow IT isn’t going away; instead, it is become more widely used as employees are tech-savvy enough to be dangerous and new easy-to-download cloud-based applications and tools drop into side-bar and social media ads faster than you can say, “back in my day, we had to fill out a requisite form for that!”
The solution is a little bit tech and a little bit human.
The human piece: It’s about empowering employees and communicating to them the risks of unauthorized apps. The teacher in our earlier example does not want his students’ data on the darkweb; the marketing department does not want client data leaked in a collaboration platform data breach. These are simply employees trying to find solutions for their everyday problems.
IT has to help them solve those problems, which means IT needs to be aware problems exist. That means regular (i.e. weekly) communications and collaboration. It means taking criticism. It means listening. This is a big shift from the days when IT had complete control over the organization’s technology. It is also a big shift in the skills needed by IT leadership.
The tech piece: Consider CASBs that extend the reach of security policies beyond the organization’s defined perimeter. Find security solutions that increase network visibility and help identify noteworthy behaviors. And for goodness sake, identify critical data systems and manage access credentials and user privileges so that users can’t put the organizations at significant risk.
Like what you read?
Contact us to learn more about what is shadow IT and what we can do to solve it.
Originally published December 27, 2015, this post has been updated to account for changes in the definition and magnitude of shadow IT.
About Mindsight
Mindsight is industry recognized for delivering secure IT solutions and thought leadership that address your infrastructure and communications needs. Our engineers are expert level only – and they’re known as the most respected and valued engineering team based in Chicago, serving emerging to enterprise organizations around the globe. That’s why clients trust Mindsight as an extension of their IT team.
Visit us at http://www.gomindsight.com.
About The Authors
Mishaal Khan, Mindsight’s Security Solutions Architect, has been breaking and – thankfully – rebuilding computers for as long as he can remember. As a Certified Ethical Hacker (CEH), CCIE R&S, Security Practitioner, and Certified Social Engineer Pentester, Khan offers insight into the often murky world of cybersecurity. Khan brings a multinational perspective to the business security posture, and he has consulted with SMBs, schools, government institutions, and global enterprises, seeking to spread awareness in security, privacy, and open source intelligence.
Siobhan Climer writes about technology trends in education, healthcare, and business. With over a decade of experience communicating complex concepts around everything from cybersecurity to neuroscience, Siobhan is an expert at breaking down technical and scientific principles so that everyone takes away valuable insights. When she’s not writing tech, she’s reading and writing fantasy, hiking, and exploring the world with her twin daughters. Find her on twitter @techtalksio.
