Shadow IT is the use of IT software and hardware that is managed outside of, and without the knowledge of, your IT Support team.
The risks associated with Shadow IT include:
- Not knowing where business data is being stored.
- Cloud apps being used without appropriate security.
- Not being able to back up or protect what you are not aware of, for example backing up important files that an employee has saved on a USB stick.
Find out why you should be thinking about Shadow IT, the threats it poses with remote working and in general, and how to avoid the risks involved with Shadow IT.
In this blog we will cover:
- What is Shadow IT?
- Reasons for Shadow IT
- The risks of Shadow IT
- How you can avoid Shadow IT risks
What is Shadow IT?
Shadow IT refers to the use of apps and tools by a team or an individual without the knowledge of the IT Support team of the organisation.
As organisations transitioned to remote working due to the COVID-19 pandemic, businesses and employees have had to rely heavily on productivity software and collaboration tools. This has highlighted the need for Software as a Service (SaaS) tools such as Dropbox and Zoom, amongst many others. This raises concern amongst IT Support teams, as it introduces a variety of uncommon cybersecurity risks and leads to a lot more use of Shadow IT.
Research commissioned by Citrix and explored by OnePoll highlighted that Shadow IT is common amongst businesses. The survey results showed that 43% of 7,500 office workers in the UK admitted to the use of unauthorised software. The survey also showed which unauthorised applications were most commonly used, including video conferencing applications and instant messaging software.
Shadow IT is most present when employees need to improvise their processes via unauthorised services or practices which function outside the control of the IT Support team. From a user’s perspective, most cases are seen as harmless, for example storing documents on a personal laptop. However, storing confidential or intellectual data on a personal and unsecured device can become a great risk to business security.
Instances of Shadow IT include:
- Hardware: servers, PCs, laptops, tablets, and smartphones
- Cloud services, Software as a service (SaaS): Dropbox, Google Apps, Webex, Microsoft Teams
The most common form of Shadow IT is cloud services, specifically SaaS. The use of SaaS applications has grown substantially over the years and continues to grow with remote working.
Shadow IT has its benefits too; it empowers users to quickly and easily use tools to stay productive and collaborate with team members.
Reasons for Shadow IT
Shadow IT is often used without employees realising that they are using it. The reasons this happens can be dealt with quite easily. These are the most common reasons for Shadow IT use:
- Approved software and services seem to be less effective than alternative products.
- Approved software is more complicated and uncomfortable to work with than alternative IT Solutions.
- Approved software is incompatible with the employee’s mobile devices.
- Employees don’t know about, or don’t understand, the security risks posed by Shadow IT.
One of the main problems is that corporate IT infrastructure operates at a much slower speed than the business and doesn’t always meet its needs. An efficient way of dealing with slow corporate IT infrastructure is by outsourcing your IT Support to an experienced IT Partner.
The risks of Shadow IT
Shadow IT can introduce security risks when unsupported hardware and software are not subject to the same security measures that are applied to supported technologies.
The presence of unknown and unapproved software within enterprise networks creates a lot of problems for IT Support teams, including:
- Lack of security
- They are uncontrolled and unmanageable
- Potential of unused licenses
- Data loss
- Compliance issues
- Lack of Support
- Financial Issues
Lack of security
Since your IT Support team is unaware of the use of Shadow IT software, they are unable to ensure the security of said software as it does not appear in the organisation’s network.
Uncontrolled and unmanageable
Software vendors constantly release new patches to fix vulnerabilities and errors found in their products. With no knowledge that Shadow IT products are being used, the IT Support team is unable to manage them effectively and run updates.
Potential of unused licenses
Employees may be using a Shadow IT product as a substitute for another product which is already being managed by the IT Support team and, most importantly, which you are already paying a license for. The result is money spent on tools no one is using.
Data loss
Losing business-critical data is probably at the forefront of concerns for most CEOs. When there are Shadow IT products present within your network there is a risk of losing data. If an employee is using an application which does not back up data and something happens to the device they were using, there is a high risk of not being able to retrieve said data. In addition, applications which are not managed by the IT Support team pose a risk of unauthorised access to data as the IT Support team has no control over who is accessing these applications. Furthermore, with unmanaged applications users may have access to business-critical data they are not authorised to access.
Compliance issues
Shadow IT has the potential of violating compliance requirements for Software Asset Management (SAM) and for the General Data Protection Regulation (GDPR). If you fail to comply with regulations, such as GDPR, you are most likely going to face a very hefty fine that could immensely harm your business.
Lack of Support
Since Shadow IT decreases the visibility of your IT Support team, they are unable to see which tools your users use, resulting in not being able to support these tools when something goes wrong. For example, if your team is using a Shadow IT app which requires an update and it fails, your IT Support team will most likely not know how to deal with this issue.
Financial Issues
Shadow IT brings many problems and an important one is financial issues. You may be spending a lot of money on unused licenses for applications your team are meant to be using while they actually use an alternative application. In some cases, your team might even be paying for this alternative tool without your knowledge.
How can you avoid Shadow IT risks?
To avoid Shadow IT risks, you must first understand why employees use Shadow IT products.
Employees don’t usually adopt Shadow IT with bad intentions. The top reason why staff use Shadow IT applications is that they are most likely trying to do their work as quickly and as easily as possible, sometimes in difficult circumstances. There are, however, other reasons employees resort to using Shadow IT: they might not have an available approved tool to do a specific task; they were unaware that they should not be using cloud apps without approval; a free trial for an approved app has expired so they find something else to use; they may have requested to use an unapproved app but didn’t get a response so they used it anyway.
So how do you mitigate risks?
Run a Shadow IT survey
To find out what applications your employees are using you will need to run a user survey. Once the results are in, you will need to liaise with your IT Support team to make sure your employees are using the right applications in terms of cyber-security, compliance, integration ability and employee productivity.
The survey will highlight if you are wasting money on software that you might have thought was invaluable, but your users avoid using it because it is difficult to use. Thus, they resort to an easier alternative.
For any Shadow IT tools that you have decided not to implement in your network you should ask employees to close their account and ensure data has been migrated to an approved application. The last thing you want is for your business-critical data to become compromised in a data breach you are not even aware of.
Provide your employees with easy-to-use and reliable software, lock down machines, and monitor your network (firewall, MDM, RMM).
Develop strong policies
Shadow IT occurs when there is ultimately a failure of communication between employees and management. That is why it is important to have open lines of communication between managers and employees. New hires need to be told what’s acceptable and what is not, and also that there is an open-door policy to better software/cloud ideas. Management needs to know there is a problem if staff feel frustrated in their efforts to do their work.
Therefore, the best prevention of Shadow IT is to adopt a well-considered policy to monitor software and cloud services. Encourage employees to submit ideas for brands and/or types of technology that enhance their job performance and efficiencies. Make careful decisions about adopting these technologies. Then communicate what is – and is not – allowed to staff.
Educate your employees
An effective way of preventing Shadow IT is by educating your users. As an employer, it is in your best interest to educate your staff on the IT risks and dangers of Shadow IT. Employees usually don’t think about the possible consequences of their actions when it comes to Shadow IT; some don’t even know it exists or what it means and logically would not even know what the risks are. By using this preventative approach, you will mitigate most of the Shadow IT in your network. It is equally important to implement this education process in any employee on-boarding for newcomers.
Monitor your network
Your IT Support team or partner is able to implement a network monitoring strategy which will be able to detect the use of Shadow IT and ultimately keep you safe from a data breach or any harm to your organisation.
Cloud Access Security Broker (CASB)
You can implement a Shadow IT monitoring tool, a Cloud Access Security Broker (CASB), which is designed to keep your cloud applications secure and can detect the use of Shadow IT as well as evaluate cloud applications for risk and compliance.
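The kind of discovery check described under "Monitor your network" and "Cloud Access Security Broker (CASB)", as an added example that is not part of the original blog or any vendor's product: it reads web proxy log lines, maps hostnames to known SaaS apps, and reports which unapproved apps are in use, by whom, and how much data was uploaded to them. The log format, the sample lines, the app catalogue and the approved list are all assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Assumption: the SaaS apps this organisation has approved.
SANCTIONED_APPS = {"Microsoft Teams"}

# Assumption: a small illustrative catalogue mapping domain suffixes to apps.
SAAS_CATALOGUE = {
    "dropbox.com": "Dropbox",
    "zoom.us": "Zoom",
    "webex.com": "Webex",
    "teams.microsoft.com": "Microsoft Teams",
}

# Constructed sample proxy log: timestamp,user,host,bytes_uploaded
SAMPLE_LOG = """\
2021-03-01T09:02:11Z,alice,www.dropbox.com,5242880
2021-03-01T09:05:40Z,bob,teams.microsoft.com,10240
2021-03-01T09:07:02Z,carol,us02web.zoom.us,20480
2021-03-01T09:15:33Z,alice,content.dropbox.com,73400320
2021-03-01T09:20:00Z,dave,intranet.example.internal,512
2021-03-01T09:21:19Z,bob,notdropbox.com,100
"""

def classify_host(host):
    """Return the catalogue app for a hostname, matching on label boundaries."""
    host = host.strip().lower().rstrip(".")
    for suffix, app in SAAS_CATALOGUE.items():
        if host == suffix or host.endswith("." + suffix):
            return app
    return None

def find_shadow_it(log_text):
    """Summarise unsanctioned SaaS use: app -> users and total bytes uploaded."""
    report = defaultdict(lambda: {"users": set(), "bytes_uploaded": 0})
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 4 or not row[3].isdigit():
            continue  # skip malformed lines rather than abort the whole run
        _, user, host, uploaded = row
        app = classify_host(host)
        if app is None or app in SANCTIONED_APPS:
            continue  # unknown host or approved app: not reported here
        report[app]["users"].add(user)
        report[app]["bytes_uploaded"] += int(uploaded)
    return dict(report)

if __name__ == "__main__":
    print(find_shadow_it(SAMPLE_LOG))
```

The upload totals help prioritise follow-up: an unapproved file-sharing app receiving large uploads is where business data is most likely to be sitting outside your backups.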
Give your employees the tools they need
It is also important to consider providing your employees with applications which are familiar to their working habits. Offer users applications that match what they are used to; the familiarity will ensure optimal adoption. For example, implement a file sync-and-share system that extends compliant content services to each desktop in the form of desktop folders. Users are far more likely to comply when they are not learning an entirely new procedure and the organisation can benefit from the instant discoverability and policy management of content services.
In the instance of communication software, which is the most common use of Shadow IT by a large margin, some of the best tools you can use are Microsoft Teams and Outlook. With these tools you can effortlessly create, schedule and join meetings. These solutions also give your IT Support team peace of mind as they are certified secure, with a guaranteed uptime SLA, and integrations for existing technology and core business processes like Active Directory and mass deployment.
While Shadow IT is an IT security risk, it is also viewed as an indication of an inefficient IT strategy. To eliminate Shadow IT and still have a happy and productive team you need to understand the needs of your employees and provide them with the tools they need or prefer. Whilst the happiness and productivity of your employees is important, it is just as important to always consider and eliminate any IT security risks, especially those that are low-hanging fruit such as Shadow IT.
It is also important to consider that an agile business must become flexible while controlling risks. IT leaders must be able to identify and mitigate risks posed by unsafe information-handling practices. By following these principles, your business will minimise the risk of Shadow IT and build an IT network that brings value to your IT infrastructure.
Cardonet have been working with businesses in a myriad of sectors for over twenty years. We have helped businesses establish solid IT Strategies and deliver excellent IT Support. We have proudly helped organisations overcome their Shadow IT concerns as well as their technological challenges. Our highly experienced and friendly team of engineers based in Los Angeles, Southern California, the United Kingdom and parts of Europe are available 24/7 to assist you.
We are here to answer any of your questions and address any of your IT concerns as well as ensure you are getting the best IT Support for your business. If you are spending too much time dealing with technology issues and if those issues are affecting your business, call us on +44 203 034 2244 or +1 323 984 8908. Alternatively, you can contact us online. We will be happy to help you overcome your IT challenges so that you can set your business apart.