What is Shadow IT and How do you Approach IT?

June 29, 2018 | Posted in: Cloud, Data Management, Compliance, IT Security, Digital Transformation

Posted by Jeff Trudel

Most employees want to be productive. As cloud service consumers, they have become accustomed to finding a tool or app that fills a need and simply buying it without first obtaining approval from the organization. This practice of employees bypassing IT management to procure tools and services without proper vetting has infiltrated the workplace and is known as Shadow IT.

What exactly is Shadow IT?

Gartner, a leading research and advisory company, defines Shadow IT as “devices, software and services outside the ownership or control of IT organizations.” In other words, IT departments can find themselves in the dark when it comes to some of the technologies being used by the business. Examples of Shadow IT include cloud storage such as Dropbox and Google Drive, personal email accounts used to conduct business, unsanctioned Bring-Your-Own-Device (BYOD) use or, as mentioned above, third-party Software-as-a-Service (SaaS) applications.

For the most part, employees use Shadow IT with good intentions and may not fully realize the rigor that goes into application and device selection. It's no surprise that over 80 percent of employees admit to using non-approved Software-as-a-Service apps in their jobs. However, new technologies adopted without proper approval and vetting create risk for the organization.

Why is Shadow IT a potential issue?

If you’re in a regulated industry, such as healthcare or banking, then you are already aware that there are certain types of information that must be protected. Such information can’t be protected properly if employees are storing it in locations outside of your control. Similarly, when the latest breach shows up in the news, you won’t know whether you or your customers are at risk if you do not know where all your information lives. Gartner estimates that by 2020, a third of successful attacks experienced by enterprises will be on their Shadow IT resources. Clearly, that's a risk that needs to be mitigated.

There is also a risk that work productivity will be lost if an employee leaves, or becomes otherwise unavailable, and fails to provide credentials to their Shadow IT applications. It could be quite an endeavor to figure out what they were working on and where everything is stored.

What can be done about Shadow IT?

As with most questions in IT, the answers will vary. A bank will have a different approach than a publicly-funded research organization, but the initial steps remain the same.

1.  Create information classifications for your company.

The company, and ultimately the employees, must clearly understand what is public, private, or confidential. The classifications for your company may vary, but the process of creating them will help you determine acceptable usage guidelines. For example, you may decide that confidential information containing social security numbers is only allowed in a predefined set of applications sanctioned by management, whereas employees may have a little more flexibility to use their preferred cloud services for private information such as meeting notes.

2.  Discover existing Shadow IT. 

Once you find those outliers, understand how the information contained within them moves throughout your company. There are a variety of tools that can help with the information-gathering process: technical solutions such as Microsoft Cloud App Security, or softer approaches such as a survey.

3.  Adopt or prohibit services.

Many of the discovered services will offer professional versions with centralized management. If the services add value, then consider vetting and adopting them while also determining which classifications of information are allowed.

4.  Educate your employees.

Written policies and end-user education are critical. Technology is always evolving, and tomorrow will continue to bring new ways of working. There is no substitute for ensuring employees are aware of clearly defined policies and guidelines for the acceptable handling of company data.
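As an added example (not part of the original post), here is how the discovery step can be scripted against web-proxy logs and tied back to the information classifications from step 1. The log format, the service catalog, the sanctioned-service table and the log lines are all constructed assumptions.

```python
"""Shadow IT discovery over proxy logs (added example, not from the original post)."""
from collections import defaultdict

# Constructed catalog: known SaaS domains -> service name (assumption, not a real product list).
SERVICE_CATALOG = {
    "dropbox.com": "Dropbox",
    "drive.google.com": "Google Drive",
    "mail.yahoo.com": "Personal email (Yahoo)",
    "sharepoint.example-corp.com": "Corporate SharePoint",
}

# Step 1 output, constructed: which information classifications each sanctioned service may hold.
SANCTIONED = {
    "Corporate SharePoint": {"public", "private", "confidential"},
    "Google Drive": {"public", "private"},
}

# Constructed sample proxy log lines: "<timestamp> <user> <destination-host> <bytes-out>".
SAMPLE_LOG = """\
2018-06-29T09:01:12 alice www.dropbox.com 524288
2018-06-29T09:02:40 bob drive.google.com 1024
2018-06-29T09:05:03 alice mail.yahoo.com 2048
2018-06-29T09:06:15 carol sharepoint.example-corp.com 8192
2018-06-29T09:07:00 dave www.dropbox.com 65536
"""

def lookup_service(host):
    """Match a host against the catalog, walking up parent domains (www.dropbox.com -> dropbox.com)."""
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in SERVICE_CATALOG:
            return SERVICE_CATALOG[candidate]
    return None

def allowed_for(service, classification):
    """True only if the service is sanctioned AND approved for this information classification."""
    return classification in SANCTIONED.get(service, set())

def discover_shadow_it(log_text):
    """Return {service_or_host: {"users": set, "bytes_out": int, "status": str}} from proxy log text."""
    findings = defaultdict(lambda: {"users": set(), "bytes_out": 0, "status": ""})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of aborting the whole report
        _ts, user, host, bytes_out = parts
        service = lookup_service(host)
        entry = findings[service or host]  # uncatalogued hosts are reported by hostname for review
        entry["users"].add(user)
        entry["bytes_out"] += int(bytes_out)
        entry["status"] = "unreviewed" if service is None else ("sanctioned" if service in SANCTIONED else "shadow")
    return dict(findings)
```

The "shadow" entries are the candidates for step 3 (adopt or prohibit); the byte counts and user sets show which ones carry the most data and affect the most people.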

IT organizations are just now learning to re-evaluate their perspective and are beginning to embrace Shadow IT. When you embrace it and create a culture of security awareness, you can decrease the amount of effort you expend playing Whack-A-Mole with Shadow IT. Acceptance will allow the members of your organization to focus on increasing productivity while you keep data security as a top priority. In the end, employees don't use Shadow IT to rebel or frustrate the IT department; they use it to get their work done more efficiently.

Do you want to keep your Shadow IT reined in? Learn more about creating policies and procedures around the usage of IT.

Systems Engineering's Jeff Trudel is a Technology Consultant in the Professional Services department. Jeff is currently working with SE clients to create and deliver thorough policies and procedures, including Information Security Policies, Business Continuity Plans, and Acceptable Use Agreements, to assist organizations in securing their most precious information assets.