Oct
22

What is Shadow IT?

What is Shadow IT?

October 22
By

Shadow IT is one of the more exciting buzzwords to come around in recent years. Sounds somewhat scary, but what does it really entail? Well, in a nutshell, shadow IT refers to using devices, apps, and other resources without the control or approval of senior management.

Mobility and business telecommunication technology concept: macro view of modern mobile devices with touchscreen interface - office laptop or notebook, tablet computer PC and black glossy smartphone or mobile phone

Sounds simple enough, but we’ll delve a bit deeper with an example:

Let’s say a support agent asks his or her CIO for a new tool that helps field customer inquiries more efficiently. They explain that this solution will not only make their job easier but save time and ultimately improve business performance in the long run. Unfortunately, company policies, politics, and budget make executing this strategy in a timely fashion a challenge. Destined to come up with an answer, the agent does some digging and takes it upon themselves to procure an affordable tool that looks the part.

From here, our scenarios takes one of two turns:

  1. The solution delivers in a way that improves or at least keeps support performance stable.
  2. The solution fails to deliver entirely and makes matters worse instead. As a result, the company has to deal with a major headache due to its sudden dependence on an application that was never approved in the first place.

Shadow IT is more common than you might assume. A survey of Cisco customers found that on average, shadow IT accounted for more than the 98 percent of the cloud services used by over 1200 large enterprises. Further, Gartner predicts that by 2020, roughly one-third of successful cybersecurity attacks will be executed through shadow IT resources.

Keep in mind that shadow IT isn’t necessarily a bad thing. However, if these resources are considered mission-critical, they should be incorporated into the company’s documented IT inventory to ensure compliance and long-term efficiency. If you find out shadow IT has a presence in your organization, and it probably does, you have to learn to manage it. Here are some pointers:

Implement a Vetting System

traffic sign reading "risks ahead"

With such a wide variety of tools available in the form of mobile, cloud, and desktop apps, the temptation to ignore standards for the good of the company is incredibly high. Vetting is a simple, but effective way to ensure that IT is utilizing tools and solutions the organization can get behind. The process can be as simple as making sure applications are obtained from a reputable source and provide a reasonable degree of security. From there, all vetted resources can be hardened from within to deliver maximum protection.

Highlight the Risks of Shadow IT

Shadow IT is on the rise, yet many employees do not recognize the threat it presents to privacy and security. A free help desk app could contain a malicious payload that causes an employee to install ransomware on their device unknowingly. From a single point of entry, that infection can spread to multiple devices and compromise data across the company network. When employees understand the risks of shadow IT, they’ll better understand why vetted resources are easier and cheaper to manage should things go awry.

Enforce Access Controls

Data warping into safe box - 3D Rendering

Another way to minimize the negative impact of shadow IT is to enforce restrictions on select third-party applications. For instance, mobile devices can be configured to only allow downloads from app stores approved by management. Likewise, there are whitelisting tools that help protect the network by maintaining an index of supported applications. A more strict approach to access control can reduce the use of shadow IT and prevent the spread of malware in the process.

Plan for the Worst

Despite all an organization’s efforts, there’s a chance that employees will find a way to use unsanctioned applications. The risks of shadow IT can be significantly reduced by ramping up efforts in the security department. Security solutions that can monitor, detect and prevent attacks before they strike are always recommended for protecting the network from malicious applications. On a similar note, a disaster recovery plan can help recover any data compromised by unapproved resources. If you can’t stop it, you can at least prepare to neutralize whatever potential dangers shadow IT has in store.

The digital age has provided more than enough tools to bolster productivity without jeopardizing security and sensitive data. Communication is the key. The freedom to openly discuss resource needs and concerns can help an organization continually achieve its goals from IT to customer service and beyond.