Author: Michael Morrison
The world irrevocably changed in March 2020. For years, pundits and technology leaders said that remote work was the future. Businesses were hesitant to lean into the model because of their unfounded fear that — despite mountains of evidence to the contrary — employees couldn’t maintain productivity levels if they worked from home. This draconian mindset has been disproven during the global pandemic as businesses that could operate online thrived despite a sudden and disruptive change to their workplace. However, with employees using personal networks and devices, a new threat has crept silently onto organizations’ radars: shadow IT.
Sometimes referred to as rogue or stealth IT, shadow IT refers to applications that employees set up and use without IT permission — and usually without IT knowledge. When it comes to end-user devices, IT pros can only secure the machines they know about, and the suddenly remote workforce makes it harder than ever to keep up. While it might not seem like a big deal if an employee uses Zoom or Google Hangouts instead of Microsoft Teams, each of these apps has its own licensing, pricing, data access, and security issues. IT staff simply cannot operate blindly if they’re going to secure a company’s remote workforce.
“From a security point of view, it’s a nightmare scenario,” says Larry Ponemon, founder of the Ponemon Institute, a technology research firm. “People at the business level may not have any knowledge at all about security, and they may be using these tools in ways that put the organization at great risk.” One Forbes Insights study (Perception Gaps in Cyber Resilience: Where Are Your Blind Spots?) found that 1 in 5 organizations suffered a cyberattack due to shadow IT.
Shadow IT introduces several major issues for enterprises, including:
- Data Security Problems: If sensitive data is stored outside of an organization’s cloud or IT environment, it could be stolen or accessed by former employees.
- Regulatory and Compliance Disasters: Many apps don’t fulfill privacy requirements from SOX, GLBA, HIPAA, and GDPR because data and data access are not secured. Storing data in unknown and potentially unvetted places may result in violations during an audit, which could result in a range of damaging regulatory consequences, including severe penalties.
- License Compliance Violations: Freemium or shared accounts can jeopardize businesses’ approved SaaS contracts and open the organizations to penalties or even legal action.
- Redundancies: End-users often pay for applications already served by corporate standard SaaS solutions, wasting money through vast redundancies. Shadow IT gets in the way of good IT software negotiations and proper, efficient provisioning.
- Misallocated Costs: Finance and accounting need accuracy — knowing what software is acquired, billed for, and renewed — to optimize investment.
- Missed Financial Goals or Targets: If procurement misses savings goals due to unforeseen expenses from shadow IT, it may lead to unintended cost-cutting measures.
Software, especially SaaS solutions, is only safe if it is brought in and managed by IT. Many companies attempt to solve the problem by blocking access to cloud services that do not meet their acceptable use policy. This isn’t a foolproof tactic: departments can push for exceptions based on their employees’ needs, and cloud services — particularly those operated by cybercriminals — keep introducing new URLs that are not yet blocked.
To fight shadow IT, businesses must think about the digital experience they are providing their employees. IT and security teams must not only train workers on how to use new productivity tools but also educate them on the value those tools deliver to them personally. Will this new app eliminate steps from a tedious process? Will it help them complete more tasks? Are there apps within the same category that might be better? SaaS apps aren’t deployed in a vacuum, so it’s important that employees feel they aren’t having unnecessary processes or tools foisted upon them. Businesses need to work with their people to choose the best solutions for not only their employees but the organization as well.
Visibility is critical in preventing shadow IT as well. Businesses must understand all of the SaaS applications that are connected to their IT environment so they can properly manage and secure critical information. Visibility is also key in determining whether an implementation is a success or failure. If employees are quickly adopting and using a new productivity app, it’s time to celebrate. If no one is using it and there’s an influx of help desk tickets, it’s time to re-evaluate both the rollout strategy and the solution itself.
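The visibility argument above, and the earlier point that URL blocklists lag behind newly appearing services, can be made concrete with a small inventory script. The following is an added example written for this article, not the author's code or any vendor's product: it reads web-proxy log lines, compares every destination against an allowlist of SaaS domains IT has sanctioned, and reports what employees are actually using. The log format, the allowlist, the blocklist entry and the user names are all constructed for the example; a real deployment would adapt the parser to its own proxy or DNS logs and replace the naive two-label domain collapse with a public-suffix list.

```python
"""Inventory SaaS destinations seen in web-proxy logs and flag the ones IT has not sanctioned.

Added example for this article, not the author's code. The log format, domains and
user names below are constructed; adapt parse_log() to your proxy's real format.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed allowlist of SaaS domains IT has vetted and licensed (assumption).
SANCTIONED = {
    "teams.microsoft.com",
    "sharepoint.com",
    "salesforce.com",
}

# Constructed blocklist illustrating the URL-blocking approach from the article.
# Anything new that appears after the list was written is, by definition, not on it.
BLOCKED = {"example-blocked-share.invalid"}

# Constructed proxy log lines: "<timestamp> <user> <action> <url> <bytes>"
SAMPLE_LOG = """\
2020-03-16T09:01:12Z alice ALLOW https://teams.microsoft.com/api/chat 2048
2020-03-16T09:02:40Z alice ALLOW https://zoom.us/j/123456789 5120
2020-03-16T09:05:03Z bob ALLOW https://contoso.sharepoint.com/sites/finance 8192
2020-03-16T09:07:55Z bob DENY https://example-blocked-share.invalid/upload 0
2020-03-16T09:08:21Z bob ALLOW https://new-share-site.invalid/upload 65536
2020-03-16T09:10:00Z carol ALLOW https://zoom.us/j/987654321 4096
"""


def registrable_domain(host: str) -> str:
    """Collapse a host to its last two labels (naive; use a public-suffix list in production)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_sanctioned(host: str) -> bool:
    """A host is sanctioned if it, or a parent domain of it, is on the allowlist."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in SANCTIONED)


def parse_log(text: str):
    """Yield (user, action, host, bytes) tuples from the constructed log format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than abort the whole report
        _ts, user, action, url, nbytes = parts
        host = urlsplit(url).hostname
        if host:
            yield user, action, host, int(nbytes)


def shadow_it_report(text: str):
    """Aggregate unsanctioned destinations: domain -> {users, bytes, blocked}."""
    report = defaultdict(lambda: {"users": set(), "bytes": 0, "blocked": False})
    for user, action, host, nbytes in parse_log(text):
        if is_sanctioned(host):
            continue  # approved tooling is not shadow IT
        dom = registrable_domain(host)
        entry = report[dom]
        entry["users"].add(user)
        entry["bytes"] += nbytes
        entry["blocked"] = entry["blocked"] or action == "DENY" or dom in BLOCKED
    return dict(report)


def unblocked_shadow_domains(text: str):
    """Domains that slipped through: unsanctioned and never blocked by the proxy."""
    return sorted(d for d, e in shadow_it_report(text).items() if not e["blocked"])


if __name__ == "__main__":
    for dom, e in sorted(shadow_it_report(SAMPLE_LOG).items()):
        status = "blocked" if e["blocked"] else "UNBLOCKED"
        print(f"{dom:32} users={sorted(e['users'])} bytes={e['bytes']} {status}")
```

Run against the sample, the report shows Zoom in use by two people even though Teams is the sanctioned tool, and a file-sharing site that the blocklist never anticipated carrying a 64 KB upload unhindered. Both findings are exactly the kind of input the article calls for: one is a signal that the rollout of the approved tool should be re-evaluated, the other is a data-security gap that URL blocking alone did not close. Working from an allowlist of what IT knows, rather than a blocklist of what IT has already seen, is what makes the unknown service visible.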
At its heart, shadow IT is most often caused by a lack of communication or an inefficient business process. Most employees aren’t downloading apps for nefarious reasons; they’re trying to get their work done. Enterprises can position themselves for success simply by creating effective two-way communications that empower people to discuss gaps in their digital workplace.