Shadow IT, where employees use unauthorized technology — or even set up their own solutions — without the knowledge or approval of management, is not uncommon. Unfortunately, not only can this practice create potential security or compliance issues, it can also expose the company to serious cybersecurity risks.
This concern is not new. In 2016, Cisco released a study* that found 80% of employees used software that wasn’t cleared by the IT department, and only 8% of enterprise leaders knew the scope of Shadow IT within their organizations. The fact that it has a long history, however, doesn’t make Shadow IT any less dangerous.
Ironically, the rise of Shadow IT is credited to the debut of the iPhone**, which was not used in corporate environments at the time. Everyone wanted this cool new device, and if they had to “sneak around with it,” they were willing to do so.
In some companies, the pandemic-driven trend toward remote or hybrid work exacerbated the problem. Out-of-office workers often found it easier to resolve technology problems or shortages with unapproved solutions. Since their systems were not under corporate scrutiny, the activities escaped notice. These “rogue solutions,” which may still be in use today, can create an enormous security hole.
This legacy of Shadow IT has caused it to become almost mainstream. A quick search of the Internet will produce dozens of articles speculating that companies could harness the power of Shadow IT. No matter what the prevailing wisdom might be, from our perspective, any unplanned, unapproved IT solutions operating across the company network or involving its systems and/or sensitive data are not OK. Something as seemingly harmless as an employee accessing a useful-looking cloud app, like a free video converter, could put the company at significant risk.
Tackling Shadow IT: The Time Is Now
To tackle Shadow IT, organizations should address both policies and processes. Creating a company policy, baked into the employee handbook, is an important first step. However, it must be specific so there is no confusion. One example would be a policy that directs staff to store any files or data relating to the company on the firm’s SharePoint or OneDrive file shares. Personal OneDrive accounts would be prohibited.
In addition, IT leadership needs to evaluate all instances of Shadow IT usage to determine why the employee chose the workaround. If the technology falls within the organization’s foundational policies and could improve productivity, it might be useful and should not be rejected out of hand. It also offers the IT department an introduction to the conversation.
IT Solutions has deep experience helping our customers develop secure workplace solutions, wherever they might reside. We can also help you determine if Shadow IT is operating in your company. For a complimentary consultation, we invite you to call 866.PICK.ITS (866.742.5487).
* https://blogs.cisco.com/cloud/the-shadow-it-dilemma
** https://www.computerworld.com/article/3203749/how-the-iphone-begat-shadow-it-and-enterprise-mobility.html