Most of what I use at work is Microsoft—Word, PowerPoint, Outlook, the whole business productivity suite. But a few years ago I worked with a consulting firm that shared several documents over Google Drive. It did not take me long to notice that the accounts they used were tied to personal email addresses, separate from the ones they used to contact me.
My first instinct was disbelief that they could be so careless and that either of our IT teams had let us operate outside of endorsed channels. Suddenly the question occurred to me: What did this mean for the security and reliability of my interactions with them?
This was a simple case of how shadow IT—any software or technology employees use for business outside of the systems officially established by the organization’s IT department—can spread into the daily tasks of employees, often without them ever thinking about the risks.
In this particular case, it could have been worse. They were using a reputable service with reliable infrastructure supporting its availability. They had the option to adopt security measures like two-factor authentication. The content in the documents was not particularly sensitive and the transactions didn’t involve any customer personal information. And overall the benefits of simple, real-time collaboration were too great to ignore.
All this is not to say that shadow IT is a good idea. In an ideal world, IT departments would know, monitor and protect every application, plugin or software service their employees use. The reality is IT teams have their hands full. Increasingly complicated IT environments, expanding application offerings and a shortage of employees with the right skillset make managing the day-to-day operations of the business enough of a challenge without adding on additional tasks.
IT teams simply do not have time to hunt down every piece of shadow IT and wrangle it into the proper infrastructure. Instead, they have to be thoughtful about how they approach this problem and work with their employees to meet their needs without slowing them down.
Spotting the shadows
The first step in understanding shadow IT is recognizing how it becomes a part of business operations. Employees turn to unsanctioned apps when they have a need that is not being met by the current offerings from the IT department. Knowing when it is happening is the difficult part.
In the case of the Google Docs, the team needed a real-time collaboration environment and there were no good choices internally. Installing collaboration software was not on the IT roadmap for the company. Rolling out new software within the IT environment sounds simple enough, but rarely is. Very few IT projects are simple or instantaneous. Even if the employees had asked IT to roll out a solution, it may have taken too long to work into the roadmap. Instead of waiting, the team judged the risk to be low themselves. These employees were only trying to do their jobs, not willfully undermine the IT department.
Shine a light on it
One way to reduce this disconnect between the needs of IT teams and other departments is to think critically about what makes shadow IT problematic within an organization. The three key factors to consider are:
- Reliability: If a piece of software rises above convenience to the point of being business critical, IT cannot allow it to operate outside of approved channels. Controlling your lawn sprinklers remotely would not be considered mission critical. Controlling the water main to your neighborhood remotely might be considered critical. Controlling the water mains to your entire city remotely definitely would be considered critical.
The first question to ask is “How likely is it that this application will stop working?” The more likely that there will be a disruption the more that IT teams need to find an alternative. The second question is “What happens if employees can no longer use this software?” The more alarming the answer, the more urgent it is that the IT team take control of the software.
You must also consider the downstream implications of any piece of software. If, for instance, a marketing team decides to roll out a new email marketing platform from a relatively untested startup, it may only impact marketing if it goes offline. But since marketing automation software needs to be connected to the company’s sales database in order to operate, the company’s contacts could be at risk, which has much larger implications.
- Security: One of the most prevalent worries about shadow IT applications is their impact on security. If an outside piece of software connects to internal stores of personal information, then it is inadvisable. When evaluating new software, a risk assessment is critical. Risk assessments look at the software’s functionality, internal data connections, access controls, and security features. It is important to only use software from reputable vendors that have put in the effort to secure their own infrastructure, and to ensure that using it will not open an external access point onto the organization’s network.
I once heard of a team that used an online project management dashboard to track the progress of customer case studies. The application’s settings were configured to allow anyone to find it through a web search, resulting in a leak. The results could have been worse, but it is likely that this could have been avoided through closer involvement with IT to require more secure access to the dashboard. Even a few minutes of conversation could have educated the employees on the potential risks.
- Compatibility: The last point to consider is making sure that the new application will not cause any disruptions to the official IT systems in place. Software collaboration features and data sharing through application programming interfaces (APIs) may have unintended effects on the servers around them. It’s also important to make sure that any new applications do not strain the network. Early deployments of cloud-based productivity tools often taxed the available bandwidth by requiring a constant connection to the host servers. Official IT systems are in place for a reason, so any new application must not disrupt the normal course of operations.
The first step of assessing shadow IT risks starts with discovery. IT is not the enemy and really wants to create viable solutions. Employees need to feel comfortable approaching IT with suggestions without fearing that the app will be banned without cause, or that their question will become the start of a months-long review and implementation project. Frontline employees know best what they need, and IT knows the fastest ways to achieve it.
For any application sitting on, or accessing, the internal network, IT needs strong network visibility to see what traffic is flowing and where it is bound. This visibility alone will help identify potential shadow IT applications in operation. That knowledge gives IT the chance to reach out to these departments and evaluate what controls, if any, may need to be applied.
Armed with this knowledge of network traffic flows, the next step is to prioritize which, if any, shadow applications require proactive adjustments. While it would be ideal to have all applications under IT operational control, the sheer availability of shadow IT today makes that a near impossibility.
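The discovery and prioritization steps above are straightforward to automate once the web proxy (or DNS) logs are available. The following is an added example, not code from the original article: it parses a handful of constructed proxy log lines, drops anything whose registrable domain is on an assumed IT-sanctioned list, groups what remains by domain, and ranks the candidates by how many distinct users depend on them, which is the article’s reliability question (“What happens if employees can no longer use this software?”) applied to the data. The log format, the sanctioned-domain list and the sample lines are all assumptions for illustration.

```python
"""Added example: shadow IT discovery and prioritization from web proxy logs."""
import re
from collections import defaultdict

# Constructed sample proxy log lines (not real traffic).
# Assumed format: timestamp user src_ip dest_host bytes
SAMPLE_LOG = """\
2024-01-08T09:02:11 alice 10.1.4.22 docs.google.com 48210
2024-01-08T09:02:19 alice 10.1.4.22 outlook.office365.com 12004
2024-01-08T09:05:40 bob 10.1.4.31 drive.google.com 901223
2024-01-08T09:06:02 carol 10.1.7.12 trello.com 33010
2024-01-08T09:07:55 dave 10.1.7.19 trello.com 27880
2024-01-08T09:09:13 erin 10.1.9.40 api.trello.com 5120
2024-01-08T09:11:30 bob 10.1.4.31 teams.microsoft.com 66000
2024-01-08T09:12:01 frank 10.1.9.44 dropbox.com 2048000
2024-01-08T09:12:45 alice 10.1.4.22 docs.google.com 15600
"""

# Assumed allowlist of services IT already operates; everything else is a candidate.
SANCTIONED = {"office365.com", "microsoft.com", "sharepoint.com"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")


def registrable_domain(host):
    """Collapse a hostname to its last two labels (docs.google.com -> google.com).
    Simplification: multi-part public suffixes such as co.uk are not handled."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def parse_line(line):
    """Return a dict for one log record, or None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, src, host, nbytes = m.groups()
    return {"ts": ts, "user": user, "src": src, "host": host, "bytes": int(nbytes)}


def discover(log_text, sanctioned=SANCTIONED):
    """Group traffic to unsanctioned destinations by registrable domain."""
    found = defaultdict(lambda: {"users": set(), "hosts": set(), "requests": 0, "bytes": 0})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # skip unparseable lines rather than abort the run
        domain = registrable_domain(rec["host"])
        if domain in sanctioned:
            continue
        entry = found[domain]
        entry["users"].add(rec["user"])
        entry["hosts"].add(rec["host"])
        entry["requests"] += 1
        entry["bytes"] += rec["bytes"]
    return dict(found)


def prioritize(found):
    """Rank candidates by distinct users first, then by bytes transferred.
    Breadth of use comes first because a service many people already depend
    on is the one whose outage hurts most and the one most worth bringing
    under IT control; volume is a tiebreaker and a hint about data exposure."""
    return sorted(found.items(),
                  key=lambda kv: (len(kv[1]["users"]), kv[1]["bytes"]),
                  reverse=True)


if __name__ == "__main__":
    for domain, info in prioritize(discover(SAMPLE_LOG)):
        print(f"{domain:12} users={len(info['users'])} "
              f"requests={info['requests']} bytes={info['bytes']}")
```

On the sample data this surfaces three unsanctioned services and ranks the one used by three different people first, ahead of a single user’s large upload. The ranking is only a starting point for the conversation with the department concerned, not a verdict on the application.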
Shadow IT is only a source of risk to businesses if left unmanaged, and not every application needs to be banned with prejudice. Low-risk applications that dramatically increase productivity can contribute significantly to organizational goals, and that is the ultimate purpose of every IT department.