There’s a dark space in your IT ecosystem.
You may not be able to see it, even though it’s right in front of you. Your employees probably know this secret. It might even be part of your normal, everyday business processes. But without your knowledge, and without much effort or thought, actions that can greatly affect your business are happening every day.
This blind spot is called shadow IT.
Questions may come to mind: What is it? Realistically, how much of a threat is it? Do you really need to address it or can you ignore it? Could there actually be a positive impact from shadow IT and, if so, what is it? Most importantly, how do you uncover shadow IT within your company and, once discovered, what do you do about it?
Let’s explore these questions, assess the risks and take the mystery out of a sinister-sounding subject.
Defining the Darkness
Shadow IT refers to devices, software and services used within an organization without the approval — or knowledge — of your IT department or IT services provider. Common examples are chat/instant messaging tools, note-taking tools and cloud-storage and file-transfer services. It can simply be an unsecured USB drive, or it can be any of the hundreds of web-based applications that are connecting to your systems, using your data and moving company information around without any oversight, controls or guidance.
Shadow IT is widespread. It’s present in every industry, including highly regulated industries such as finance and healthcare. You can find it in virtually every organization, regardless of size. Shadow IT is proliferating at an incredible pace and the explosive growth is expected to continue.
There are two main drivers of this trend, and understanding them can help you understand how to interact with shadow IT.
The Curious Case of the Cloud
The biggest driver of shadow IT is the growth of the cloud. Many cloud services have a low cost of entry (compared to historical capital investment in technology), and the quality of applications in the cloud is too good to ignore. To understand this, all you need to do is access the app store on your personal cell phone. New technology hits the market at an astounding rate and is accessible to anyone with a credit card and an internet connection. An employee can purchase an inexpensive license, import company data and integrate with another line-of-business application in very little time.
Meeting the Demands of Millennials
The rise of millennials in the workforce is another reason for the growth of shadow IT. Younger employees grew up with a smorgasbord of technological tools at their disposal. When they find a need or problem, they know there’s likely a solution for it within minutes; they just need to find the right tools to move forward with their work. The trend of BYOD (bring your own device) goes hand-in-hand with this. Millennials prefer to use personal devices — cell phones and tablets in particular — for certain business activities, and these devices are a wide-open door for shadow IT.
The way people work has changed, and employees are regularly being asked to achieve at a higher, more productive level. The cloud, and the abundance of available apps, make it inevitable that employees will use unauthorized tools just to get the job done.
What’s the Big Deal?
One of the larger risks associated with shadow IT is data loss. Data stored or used by a cloud service is inherently less secure than that on your own network. This increases the risk of the data being compromised through a cyber attack, or the loss of data due to a service disruption. Even worse, your cloud provider could terminate operations because of a financial or operational failure. According to Dun and Bradstreet, a commercial data provider, 26 percent of cloud-services providers are at a high risk for ceasing operations. In short, they go out of business and your data disappears.
Another large risk of shadow IT comes from regulatory compliance requirements. If you need to meet SOX, HIPAA, PCI or other requirements, shadow IT increases your risk. For some organizations, that makes addressing shadow IT a critical initiative. You will need to audit your systems and assess the risks of unauthorized applications. You should also consider adding a cloud strategy within your IT plan.
Another risk is uncontrolled or duplicated financial costs. You might be using shadow IT for functionality that you already purchased, but don’t use, in another line-of-business application. Some businesses invest in multiple tools for the same functionality. Without oversight by IT, you could incur additional costs because employees lack the knowledge and expertise to fully use an application. There are also inefficiencies that can creep into your business processes when technology falls outside of your IT planning and budget.
Embrace Shadow IT?
Despite the risks, many CIOs and CISOs now believe that your business is better served by embracing shadow IT, rather than trying to lock up every bit of technology within your reach.
For one thing, the traditional approach to IT control won’t work. It’s no longer possible, based on the trends we discussed, to have that level of direct control over your technology. If, instead, you accept shadow IT, you will change the perception of IT as a hindrance to getting the job done and become a valuable partner to the employees seeking a solution. You also gain the ability to set boundaries around the use of shadow IT. Taking the time to find out what is being used by your team, why it is being used and how it improves outcomes may even lead to companywide adoption of a shadow IT application.
by InterDyn BMI