An imposing figure lurks in the shadows. You call out but receive no response. Whoever – or whatever – is out there continues to linger just outside your field of vision, posing a constant threat without giving you any answers about what awaits. No, this is not the plot of a horror movie; it’s a metaphor for how IT departments feel about shadow IT.
Most IT professionals and business leaders at large enterprises can tell you horror stories about shadow IT. It exposes the business to security risks, leads to excessive spending, and takes IT decisions out of the hands of those who are most qualified to make them. The convenience of modern technology makes it easy for any employee to set up new solutions, which makes it more challenging (and more important) for businesses to uncover and control shadow IT. To stay out of harm’s way, organizations must pull shadow applications out into the light.
Specific Examples
The term shadow IT encompasses any technology system, software, service, or device managed by a department other than IT; the IT department may not even know about it. This definition is broad enough to capture any use of technology that does not go through the proper channels and is not overseen by the IT department. So what does it look like in practice?
The following examples are more specific:
- File-sharing systems like Google Drive, Dropbox, and Onehub appeal to employees who want to create, access, and share files remotely, so they start using their own private accounts for these applications for work purposes.
- Physical devices like flash drives, external hard drives, and personal cell phones come into contact with data or systems from work, and are then used elsewhere.
- Employees communicate with each other via personal email accounts or communication apps such as Slack, Skype, or WhatsApp.
- Productivity apps like Trello, Asana, JIRA, or Airtable find their way into the hands of staff members who want to stay organized and on task.
None of these tools is terrible in and of itself. It is when employees use apps, accounts, or devices not provided by or authorized by IT that “shadow IT” is born.
And it is pretty standard in today’s work environments, whether in the office or at home. Indeed, it is not especially difficult to imagine how personal devices might join the fray as employees work remotely. People may use a personal cell phone to check work email, access work systems from a personal iPad while relaxing on the couch, or sign in through a personal laptop if they have an idea at night.
Outside of these cases where employees use their own devices, email, or messaging accounts, almost all shadow IT comprises third-party SaaS applications that the IT department does not manage, authorize, or even know about. Half of all tech spending is on shadow IT, and average enterprises use approximately 300 unique SaaS apps (that they know about).
One of the reasons for the popularity of SaaS is that it is effortless to sign up and get started. Employees might not think about the risks of signing up for new applications outside of the IT department’s purview. They might prefer it.
Why Do Employees Use Shadow IT?
As frustrating as it may be for IT leaders when employees bring shadow IT on board (so to speak), there are understandable if flawed reasons to do so. An average employee probably would not think, “I should sign up for this application to increase my employer’s risk of a data breach and create compliance problems.” Instead, the thought process is likely more along the lines of, “if I can share these files via Google Drive, I can become more efficient and complete my work more quickly.”
Considering the list of shadow IT examples above, it is easy to understand why employees might do what they do. They find technology offerings that can make them better at their jobs, so they use the best tools they can get their hands on. Given that employees turn to shadow IT to increase productivity, some leaders might wonder if it is worth fighting the trend.
Is Shadow IT All Bad?
In most cases, the technology itself is not bad, just the way people use it. Not a single one of the systems, products, and devices in the list of everyday shadow IT examples above is a threat in and of itself. The risk of shadow IT arises because the IT department cannot effectively manage these assets, which causes a few different kinds of problems, including the following:
- IT loses visibility into which applications are used and how they are used. This makes it difficult to develop and execute a comprehensive cybersecurity strategy that accounts for everything.
- Shadow applications may increase the risk of data leaks or take the organization out of regulatory compliance. For example, unauthorized use of Google Drive could make it easy for an employee to share personal data or other privileged information publicly.
- Duplicate spending becomes an issue. When the marketing team and sales team purchase their own Mailchimp licenses, there is a missed opportunity to reduce costs by putting everyone on the same plan.
- Individual users accept click-through agreements instead of negotiating an enterprise contract. The enterprise may have enough pull to get better SaaS renewal terms. For example, an enterprise might be able to negotiate with Salesforce to avoid forced price increases upon renewal.
- Individuals might not choose the best plan. A free or Pro Slack account, for example, might not be compliant with strict regulatory standards like HIPAA and SOC 2 Type II.
Upon discovering the use of shadow IT, it helps to understand why employees started using it in the first place. Then IT can find a better way to get people the tools they need without blowing the budget or making the company vulnerable. When employees know the IT team will help them get what they want (and quickly), there is less incentive to sign up for solutions independently.
How to Get a Handle on Shadow IT
Whether shadow IT is eliminated or brought into IT’s control, holistic discovery is the first step. Identifying shadow IT is an ongoing process, but that does not mean it has to become the type of burden that makes you dread going to work. Reach out to learn how the Quolum SaaS Card makes it easy to find and tame shadow IT.