What Is Shadow IT?
You may be part of Shadow IT without even knowing it. Shadow IT is when an individual or department uses IT hardware or software that is not approved by the IT or security department. A simple example is Evernote. Evernote is a simple note-taking app, but using it without the permission of the IT or security team could violate the security protocols your company has in place.
Why Does Shadow IT Occur?
Shadow IT is not always a purposeful act. Employees are trying to work more efficiently and smarter rather than harder. With the ever-growing landscape of SaaS products, many employees are finding ways to be more productive and collaborative through SaaS. Some departments, however, may be willing to ask for forgiveness rather than permission when it comes to new technology and platforms for the business side. (*cough cough* marketers…) I know as a marketer I’ve heard many within my network share stories of where they purposely asked for forgiveness rather than permission. As an organization, it may be important to understand why marketing and other business departments may feel the need to do this. Does there need to be a quicker and more efficient way for IT to approve a new technology? Either way, I’m not condoning asking for forgiveness, but I think it is crucial for your organization to understand why it may be the path taken more often.
Implications and Benefits of Shadow IT
Shadow IT may sound a bit scary - and it can be in some cases. But most cases are mild and do not end up causing much harm to the company. Nonetheless, the security team should be aware of all applications, platforms, and services being used by all employees. One implication of Shadow IT is security risk to your organization. If your IT or security team does not know what applications are being used, there may be holes within that software that hackers could use to access some very confidential information. Some larger companies’ IT teams have even had to make the uncomfortable decision to block some of these platforms from being accessed through a corporate computer.
Though Shadow IT should not be the end goal, it does have some benefits. First and foremost, your team is taking it into their own hands to create a more productive and efficient work environment while decreasing burdens on the IT team. Finding SaaS platforms that resolve an issue, rather than having an internal IT team build a product, could shave months off timelines. Along with that, being able to be agile and move quickly makes your business more competitive. But there has to be a balance between being productive and efficient and following compliance and security protocols.
There are a few first steps you can take to start to understand where Shadow IT is happening and to get a clearer view of the platforms, software, and hardware being used.
First, has your IT team done an inventory of all the technology currently being used? It’s important to take inventory of what employees are using. Next, when you notice a pattern of a specific unauthorized technology, dive deeper. Make sure to ask why it is being used, have your IT or security team figure out what security complications (if any) this technology may cause, and figure out if it can become an approved technology. For example, one of the companies I worked for wanted to take inventory of all the applications downloaded on our computers. And one that came up across the company that was not approved was Spotify. Yes, the majority of the office was using Spotify, but it was not on our approved application list. So our security team made sure it was a safe application to use and was able to get it approved as a company application. (It doesn’t always have to be pulling teeth. Some of it CAN be quite simple!)
When Shadow IT shows up in your organization (and it will), make sure to understand how the technology is being used and if it can actually become an approved application. If it cannot be approved because of security concerns, transparency is important. Make sure your employees understand why the platform or software is going to be blocked or off-limits, and give them time to move their work. It’s easier to follow the protocols when you can understand the why behind the decision.