Shadow IT: Identifying, Evaluating, Managing

Shadow IT has been around for a while. Chief Information Security Officers (CISOs), IT managers, and really anyone who has oversight of any organization’s tech has been dealing with it for a long time—and despite everyone’s best efforts, it isn’t going away.

In fact, it’s becoming more prevalent than ever. IT administrators expect their organization to use around 30-40 cloud applications. In fact, the average is over 1,000 separate apps being used by employees across a business.

Shadow IT is happening in your organization, and you (probably) won’t be able to stop all of it. However, you can still protect your business and improve the relationship between your IT department and the rest of your organization.

What Is Shadow IT?

Shadow IT is using technology resources by a department or individual without formal IT department approval. It often takes the form of cloud-based services that are easy to use and implement but can pose (often significant) security risks.

Shadow IT encompasses a broad range of technology, from unauthorized software and applications to personal devices being used for work purposes.

Why Do Employees Turn to Shadow IT?

Humans are really good at finding the easiest and most efficient way to do tasks. So when we find a way to accomplish a goal that is easier than another process, chances are we’re taking the path of least resistance.

That’s why shadow IT is so common.

Employees desire ease of use, agility, and productivity without the limitations of waiting for IT approval.

Cloud-based services and applications can be accessed without going through the IT department, enabling employees to find solutions quickly. Sometimes, the official solution from IT doesn’t meet the needs of certain departments or is perceived as too slow or cumbersome.

Shadow IT Examples

Types of shadow IT can be classified into two main categories: software and hardware.

Software

Software shadow IT usually encompasses a wide range of unauthorized applications that could include:

• Productivity apps: Trello, Asana, Slack, ClickUp.
• Cloud Storage, file-sharing, and document-editing apps: Dropbox, Google Docs, Microsoft OneDrive, Grammarly.
• Communication and messaging apps: Skype, WhatsApp, Zoom, Signal, Telegram, and personal email accounts.
• Unauthorized use of approved apps: Using a personal account to access Google Drive.

Hardware

This includes any unauthorized device used for work purposes, such as personal laptops, tablets, smartphones, USB drives, and external drives.

Bring Your Own Device (BYOD) has become a popular option for organizations across the globe, enhancing flexibility and employee satisfaction. It is an issue that has grown significantly since the pandemic, increasing by 59% since the start of Covid-19. 

The mingling of personal and corporate data on these devices increases the chances of data breaches. IT has little to no control over the data transferred and stored on these devices.

Advantages of Shadow IT

Shadow IT provides some great benefits. You’d be hard-pressed to find an employer upset that their employees took the initiative to enhance their workflow and productivity. And despite the risks, shadow IT often leads to:

• Innovation and Agility: Employees can explore new tools and technologies to increase productivity and introduce innovation.
• Speed: It allows for quicker solutions to business needs without the delays that can come from formal IT procurement and deployment processes.
• User Satisfaction: Employees often choose solutions that they find intuitive and easy to use, leading to higher satisfaction and productivity.

All good things…but about those risks.

Risks of Shadow IT

The vast majority of shadow IT emerges from a genuine need for efficiency. But the risks that are introduced are too significant to overlook:

• Security Vulnerabilities: Unauthorized applications and devices may not adhere to an organization’s security standards, potentially exposing a business to attack.
• Data Breaches: Shadow IT services typically don’t have the same security controls as IT-approved resources.
• Compliance Issues: These unapproved applications or personal devices can make it difficult—or nearly impossible—to comply with industry regulations.
• Data Silos: Information stored in shadow IT systems might not be integrated with the rest of the organization’s data, leading to inefficiencies and data integrity issues.
• Resource Duplication: Uncoordinated implementation can result in duplicated efforts and wasted resources.
• Lack of Visibility and Control: IT departments are already stretched thin dealing with technology they know about. Any data and resources that operate outside an IT department’s purview make it extremely difficult to enforce security policies, manage licenses, and ensure data integrity.

How to Discover Shadow IT

Understanding the scope of your organization's situation is the first and most important step in minimizing the risks of shadow IT.

Here are three practical ways to uncover the depth of shadow IT in your organization:

1. Listen
   • Employee Surveys: Use anonymous surveys that ask employees about the software they use for daily tasks.
   • Town Halls: Host informal meetings where employees feel comfortable discussing their workaround and favorite tools.
2. Follow the Money
   • Review Cloud Service Bills: Analyze invoices for cloud services like storage and collaboration tools. Unexpected spiked or unfamiliar subscriptions might include shadow IT use.
   • Track Software Licenses: Audit existing software licenses to identify any gaps between what’s authorized and what’s potentially being used.
3. Leverage Technology
   • Network Traffic Monitoring: Monitor network activity for unusual data flows or connections to unauthorized services.
   • Endpoint Detection and Response (EDR) Tools: These tools—Microsoft Defender for Endpoint is a great example—identify unauthorized software installations on company devices.

How to Manage Shadow IT

After discovering shadow IT in your organization, the next step is to overcome the management challenges created by shadow IT. Efforts to eliminate shadow IT completely are usually fruitless and, in the end, cause more issues than they resolve as employees grow mistrustful of the IT department and frustrated with rules that make their jobs more difficult.

How do you balance the positive initiative of employees who seek to enhance their workflow with the obvious risks of unsanctioned technology practices and solutions? 

A primary goal should be for the rest of the organization to view the IT department as a trusted advisor that can be consulted on technical decisions, not a speed bump—or roadblock—on the path to productivity.

Your ultimate goal, however, is to keep your organization secure.

Some suggestions on how to accomplish these goals:

• Develop a network of contacts in other business units: Positive relationships with different areas of your organization are vital to understanding their needs and recommending appropriate IT solutions.
• Educate Employees: Let everyone know about the risks of shadow IT and the importance of transparency with your IT department.
• Evaluate and Analyze the Risks: Not all shadow IT presents the same risks, and with a few security measures, many can easily comply with your security policies. If you genuinely evaluate each piece of shadow IT, it will go a long way within your organization to show you as a trusted advisor who wants to make employees’ lives easier.
• Encourage Open Communications: Create ways for employees to request new software or technologies. Identify what drives them to use certain applications or devices instead of approved solutions.
• Identify Alternative Solutions: This ties in several other of our suggestions: Being connected with others in your business, having open communication, and educating employees are all things that will allow you to offer alternative—and better secured—options more easily. Your team members, because they are educated on the topic, will better understand the reasoning and be more willing to adopt your suggestions.
• Streamline Approval Processes: Make getting approval for those new resources easier for your teammates. Unfortunately, only 12% of IT professionals follow up with requests for new technology from staff.
  
• Enhance IT Governance: Establish clear shadow IT policies and frameworks that accommodate the need for flexibility and innovation while ensuring security and compliance.

An effective handle on shadow IT takes time and effort. But it is essential.

For many organizations, IT departments are just trying to keep the lights on, hustling from one issue to the next, and possible risks from rogue applications are far down the priority list.

Turning to an IT partner who lives and breathes security while having a wide breadth and depth of knowledge of shadow IT across industries can be a wise and cost-effective decision. vCISOs, backed by expert teams of analysts and engineers, provide security leadership at a fraction of the cost of in-house staff.

Conclusion

While shadow IT poses significant risks, it also highlights the need for IT departments to learn and adapt. By understanding the root causes of Shadow IT, organizations can develop strategies that mitigate its risks and harness the innovative potential of their workforce. 

Implementing a balanced approach that prioritizes security, compliance, and user satisfaction is essential.  

By proactively addressing Shadow IT, you can safeguard your organization’s assets, ensure compliance, and foster a culture of transparency. Mitigating shadow IT risks is a perpetual journey that requires ongoing vigilance, adaptation, and collaboration across all levels. 

If you’re looking for help battling against Shadow IT, let HBS help. Contact us today.