In a nutshell, 'Shadow IT' describes technology solutions used within companies which have not been vetted or authorised according to approved procurement channels and procedures.
It may sound ominous, but the reality is that if we each take a good look at ourselves it's quite likely that we are all doing it too.
Examples of such practices include the use of devices connected to the corporate network (mobile phones, tablets, USB drive) with the capacity to use/copy data, the installation of software applications such as Dropbox or other free cloud storage. It can also include the use of Software As a Service and even social media sites that can import an entire contact database. Installing a free app on a smartphone that has access to corporate emails and contact databases would fall in that category.
All of these are widely available to all of us: whether free or with the use of a credit card for a small fee of $30.99 per month – voila.
Why does it exist?
The practice isn't necessarily out of malice and in fact started with employees and business divisions' desire to use certain hardware or software to address a problem rapidly without having to deal with the red tape. However with the increasing availability and affordability of technology and cloud-based solutions, the phenomenon has snowballed to significant proportions.
While it would be easy to assume business users are the most likely culprits, a study done for McAfee by Stratecast in 2013 reported that IT staff were just as guilty.
Irrespective of the intentions, the risks are not trivial. There are the obvious ones such as corporate data being at risk of being stolen or accessed by unauthorised sources, viruses and phishing software sneaking their way into the corporate network.
There could also be a lack of data backup, especially with cloud-based applications. It's quite likely that the buyer didn't check how/when and where backups were conducted, what Service Levels Agreements are applied or if there is an Escrow in place.
What would happen if that provider was to be attacked by a DDoS (distributed denial of service), what would be the consequences to the business, to the customers? What would happen if the provider was to go out of business altogether?
There could be risk associated with customers' information being uploaded into a cloud-based application for marketing purposes, potentially putting at risk that data. This could not only happen if there was a breach of security but also if the "Chinese walls" between customer records were weak.
There also are less obvious risks, such as an unplanned increased use of the corporate bandwidth impacting speed and ultimately, staff productivity. Time can also be wasted through inconsistencies in the way data is manipulated, especially if not all parties concerned have access to that "shadow application" they might have to re-work things.
Equally, there is the risk of wasting funds, if there is duplication or overlapping of different applications.
Ultimately, it can also lead to a bigger burden that could potentially reduce or delay the enhancements the IT department is bringing in by adding silos of data and layers of complication that were unknown and unplanned for.
How to deal with it
Shadow IT is coming into the limelight for all of the above reasons. There is a slow but gradual admission of guilt across the board and recognition that it is a phenomenon that cannot be stopped.
Given the risks (as well as the benefits), could it be time to open the hailing frequencies and start the dialogue between IT and the users?
Some steps could include:
- Educating everyone about the risk and exposure especially those related to data privacy and compliance and what the consequences for the organisation and customers could be.
- Equipping people with what they need to look for and do as part of their due diligence before downloading that free app or subscribing to that online service. Some of it might be common sense but other aspect less obvious, yet everyone needs to have internet hygiene. This should be part of the BYOD and SaaS policy, but such policies needs to be clear and simple enough for everyone to understand, remember and apply.
- Do a stock-take of those "shadow" pieces of hardware and software and put a seal of approval on the acceptable ones rather than ban them altogether but with whatever caveats and security that are needed.
- Finally, create an environment of trust and collaboration to avoid alienating people or creating fear as that is more likely to lead to further delinquent and secretive behaviour. Set up a "helpdesk" or go-to person for advice and recommendations for people to come to without fear of reprimand or push back.
Common sense needs to prevail, practicalities and benefits needs to be weighed against risk, but ultimately, it is trust and collaboration that are needed.
The elephant is in the room, and it isn't leaving.