IT’s reputation as “the department of no” is a tongue-in-cheek recognition of IT workers’ status as the gatekeepers of workplace technology, and their tendency to keep that gate sealed shut. But that status might soon be a thing of the past—if it isn’t already. The rise of remote work, smartphones, and cloud computing technology limits IT departments’ ability to control employee access to software, and to effectively monitor their work activities.
Hence, the corresponding growth of shadow IT in enterprise settings: shadow IT prevalence increased by 59% during COVID, and there’s no reason to expect that trend to reverse. Even if workers believe shadow IT empowers them to complete their assigned job responsibilities more effectively, it nonetheless carries significant cybersecurity risks since IT can’t protect and/or monitor assets it may not even know exist.
What is Shadow IT?
“Shadow IT” refers to any hardware, software, or digital activity not controlled and/or sanctioned by an enterprise’s central IT department. Although shadow IT isn’t necessarily malicious by nature, it does pose potential problems in the sense that unapproved and unmonitored applications may create security risks, and result in a portion of the budget wasted on duplicate/unused software licenses.
More than 80 percent of enterprise employees use shadow IT. Workers typically adopt shadow IT for understandable reasons: They might find they complete their work faster and more efficiently when using specific unapproved software platforms or their personal devices. There’s no denying the myriad benefits of Software-as-a-Service (SaaS) applications, but those benefits might not compensate for exposing the business to data breaches or malware.
Examples of shadow IT include:
- Unofficial employee Slack channels
- Usage of personal Gmail/Google Docs accounts at work
- Using personal mobile devices for work functions
- Storing company data on personal USB drives
- Obtaining access to software through back channels rather than going through the company
How to Mitigate the Risks of Shadow IT
It is possible to continue benefiting from SaaS apps while simultaneously shoring up your shadow IT control policies. Indeed, a wholly punitive attitude towards shadow IT isn’t advisable: Not only is it virtually impossible to completely restrict employee shadow IT use, doing so would also essentially be throwing out the baby with the bathwater.
It’s far more sensible to align shadow IT with the enterprise’s overall IT infrastructure and policies. Here’s a list of strategies enterprises can employ to reduce the risks of shadow IT, without sacrificing its benefits:
- Employee Education: Inform employees about the dangers of using unauthorized SaaS applications and encourage them to use approved IT tools and services. Be sure to emphasize the practical utility of your enterprise’s existing SaaS solutions—if they know your company already provides the “best-of-the-best,” they won’t feel compelled to look elsewhere for tech solutions.
- Establish a Comprehensive IT Policy: Develop a clear and concise IT policy that outlines acceptable and unacceptable workplace digital activity, including which SaaS solutions workers are allowed to use.
- Regular IT Audits: Conduct regular audits of your enterprise’s IT infrastructure to identify any unauthorized hardware or software.
- Implement Access Controls: Establish access controls limiting the use of unauthorized hardware or software and preventing employees from accessing sensitive information with unapproved applications or devices.
- Cloud-Based Solutions: Implement cloud-based technology enabling employees to collaborate and share information securely, thereby eliminating the need for equivalent shadow IT apps.
- Provide Appealing Alternatives: Your employees are much less likely to use shadow IT solutions if they have access to approved alternatives that give the same or better results. Ensure your enterprise’s SaaS apps allow workers to accomplish their assigned tasks effectively and efficiently.
- Monitoring: Monitor company network traffic to identify any unauthorized use of hardware or software and take the necessary steps to restrict those activities.
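The Regular IT Audits and Monitoring items above both come down to comparing observed traffic against an approved list. The following sketch is an added example, not part of the original article: it assumes a whitespace-separated proxy log (timestamp, user, destination host, bytes uploaded) and a hypothetical `SANCTIONED` allowlist, and every log line and domain in it is constructed.

```python
from collections import defaultdict

# Hypothetical allowlist of approved SaaS domains (assumption, not from the article).
SANCTIONED = {"office365.example", "corp-chat.example"}

# Constructed sample proxy log: timestamp, user, destination host, bytes uploaded.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z alice mail.office365.example 1200
2024-05-01T09:02:10Z bob files.personal-drive.example 52428800
2024-05-01T09:03:44Z carol notcorp-chat.example 900
2024-05-01T09:05:00Z bob files.personal-drive.example 1048576
2024-05-01T09:06:12Z alice team.corp-chat.example 300
2024-05-01T09:07:30Z dave files.personal-drive.example 2048
malformed line here
"""

def is_sanctioned(host, sanctioned=SANCTIONED):
    """Match the domain itself or a true subdomain, on a label boundary."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in sanctioned)

def parse_line(line):
    """Return (user, host, bytes_up), or None for lines that do not parse."""
    parts = line.split()
    if len(parts) != 4 or not parts[3].isdigit():
        return None
    return parts[1], parts[2].lower(), int(parts[3])

def find_unsanctioned(log_text, sanctioned=SANCTIONED):
    """Aggregate traffic to unapproved hosts, largest upload volume first."""
    stats = defaultdict(lambda: {"users": set(), "requests": 0, "bytes_up": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or is_sanctioned(rec[1], sanctioned):
            continue
        user, host, sent = rec
        entry = stats[host]
        entry["users"].add(user)
        entry["requests"] += 1
        entry["bytes_up"] += sent
    return sorted(stats.items(), key=lambda kv: kv[1]["bytes_up"], reverse=True)

if __name__ == "__main__":
    for host, s in find_unsanctioned(SAMPLE_LOG):
        print(f"{host}: users={sorted(s['users'])} "
              f"requests={s['requests']} uploaded={s['bytes_up']} bytes")
```

Ranking by upload volume puts the hosts most likely to hold company data at the top of the audit list, and the label-boundary match keeps a lookalike such as `notcorp-chat.example` from passing as an approved domain.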
Shadow IT streamlines operations, empowers employees to use the best available tools, and supports an agile work approach. That said, unauthorized use of shadow IT may pose significant risks to an organization's data security, regulatory compliance, and operational integrity. Therefore, it is essential for companies to establish centralized control of any shadow IT solutions.
About the Author
Ray Steen is the Chief Financial Officer & Chief Strategy Officer for MainSpring and has been with the firm since 2014. With over 25 years of experience in strategy, consulting and communications, his expertise arms clients with the strategies, tools and resources to meet their mission. Ray is a proud dad and coach of 5 kids, a fantasy sports nut and bleeds for the Chicago Bears and Boston Celtics.