When faced with a problem at work and lacking the resources to solve it, we often turn to whatever tools are readily accessible – downloading an unauthorised app, say, or using our private devices to access work documents. These IT-related activities may seem harmless at first, but they can quickly open serious security gaps. In this article, we discuss some of the risks created by Shadow IT and offer some solutions for managing them.
Typically, users who turn to Shadow IT are not acting with malicious intent; they are trying to fulfil a needed business function, whether that is speeding up an operational process or implementing a new idea quickly – things that are usually hindered by bureaucratic gatekeepers.
Nevertheless, digital transformation only prospers with a transparent system landscape in place. Applications installed without the knowledge of the IT department threaten the security of networks, devices, and other IT assets. These threats lurk within the organisation, escape the radar of CIOs and information security teams, and can become expensive for the company to fix later on.
The first thing to do is understand the motive behind why individuals and groups bypass the IT department:
- Why do employees seek private solutions outside of IT?
- What prevents them from working with IT for a solution?
- Do the applications and software used in the company actually help employees be more productive, or are they too difficult to use?
Top reasons for Shadow IT
Limited resources in IT departments aggravate the problem further, as administrators simply do not have time for requests from business departments. Whatever time they do have is already invested in time-consuming, mundane tasks such as assisting with backup and recovery of digital assets or inventory management. It is easy to forget how much time and efficiency could be gained through automation.
As a result, departments wait for a solution while being pressured by their bosses to deliver. Eventually they are pushed to seek their own solutions via Shadow IT, outside the scope of the organisation’s IT system landscape. This is the beginning of a vulnerable IT infrastructure that could have been avoided with a standard IT solution in the first place.
Security threats from unknown software and web applications are the most significant problem resulting from Shadow IT solutions. They enter the enterprise network without IT’s knowledge and without going through risk assessments, undoing any internal efforts to bridge security gaps.
When handled properly by IT professionals, software updates remove known threats from the system. Software vendors release new patches regularly to fix bugs and errors in their products, and IT administrators apply these updates in a timely manner, removing the security risks associated with an old version of the software. With unknown software present in the organisation’s infrastructure, however, IT teams cannot react to and manage these security risks effectively, because they do not know what needs patching.
Three typical ways to deal with Shadow IT and why they might fail
- Centralisation: The IT department administers all IT-related activities and establishes strict guidelines on the use of personal devices and applications by individual users and departments. Basically, only administrators are authorised to install applications and device drivers, and in some cases ports and connectors are blocked to prevent the use of particular applications altogether.
- Autonomy: The assumption here is that individual users take on the role of the administrator, while the IT department oversees and intervenes only when things are not running as planned. It is, however, not possible for IT to keep full control of the system this way.
- The middle ground: The IT department does most of the steering but at the same time allows individual users the freedom to choose which software and applications they want for special projects, all within predefined limits. This can be done through network compartments mapped out on devices, with a “recipe” that covers the policies, protocols, and communication principles of each compartment, keeping the database and its access limited and secure.
At the two ends of the spectrum are Centralisation and Autonomy, the extreme forms of dealing with Shadow IT, which are necessary in data-sensitive industries such as Defence and Health that require enhanced security. However, both methods carry the risk of a power struggle between IT teams and employees, and therefore an increased incidence of Shadow IT as the two parties avoid working together.
Autonomy is even rarer, since most employees do not possess enough knowledge to administer IT processes independently. Furthermore, this method is too risky from the perspective of IT professionals, since it is almost impossible to trace the entry point in the event of a data leak or breach or a successful cyber attack.
To mitigate the risks of the first two methods, most companies choose to implement a middle-ground solution. And even then, companies need to tread lightly and take some extensive measures for a successful implementation.
Other potential risks created by Shadow IT
In addition to the aforementioned risks created by Shadow IT, data protection issues may also arise from differing levels of security standards among individual users. When this happens under the radar of IT, there is no way for IT administrators to carry out user authentication or to ensure that data protection regulations are adhered to. Put into the context of Germany’s Critical Information Infrastructure Protection (CIIP) Plan, which states that 80% of all organisations in the EU must be subjected to this framework in the near future, this development is disheartening. Nearly as problematic are heterogeneous IT environments and information silos, as they pose a challenge to integrating applications and maintaining a consistent set of data.
Shadow IT brings a myriad of other problems with it, such as license management when employees use privately downloaded software at work. Since these privately obtained applications come with no service level agreement (SLA), it is difficult for IT teams to establish consistent operating standards for them, or even to manage them at all.
How to make Shadow IT work for you?
Studies show that one of the biggest reasons for Shadow IT is inefficiency in the software procurement process. Often, IT departments fail to deliver services that meet user expectations within the timeframe that departments need to meet their business objectives.
The key here is offering solutions that are as user-friendly and uncomplicated as the ones employees downloaded privately, since ease of use is one of the main reasons they turn to that software and those applications in the first place.
A more sustainable approach to keeping Shadow IT at bay is to restructure the IT department. Instead of being seen as one of many departments in the company, IT can be positioned as a service provider and consultant for the other business departments. The classical role of IT, diagnosing and fixing every technology-related problem, is transformed into one of equipping employees with basic IT knowledge. Since the fight against Shadow IT should be a company-wide effort, every individual should be well informed about the effective measures against it.
Understanding the reasons behind Shadow IT is essential for prevention
Knowing what employees are lacking and what they desire is half the battle won. IT teams should come to the realisation that business departments want the freedom and independence to choose what tools they work with, especially when the single departments know their own needs best.
Fundamentally, the only real defence organisations have against Shadow IT is for IT teams to be responsive and prompt in delivery. Business departments should not have to wait weeks for a response, but rather days, or even hours and minutes, depending on the difficulty of the request. Shifting IT’s focus towards software provisioning models is a good strategy for steering individual users and groups away from Shadow IT by equipping them with the tools they need.