Shadow IT: The tip of the iceberg

Shadow IT: What lies beneath?

05 April 2017

What is Shadow IT?

“One of the key roles your IT department plays within your organisation is the sanctioning and management of all applications and software used by fellow employees”.

The above statement is unfortunately only a half truth. In reality, whilst this should be the case, the waters are a bit muddied. The IT team can, after all, only manage and sanction applications and programs that it knows about. A more accurate statement is as follows:

“One of the key roles your IT department plays within your organisation is the sanctioning and management of all applications and software used by fellow employees, but unfortunately this is usually near impossible because employees use applications without even letting IT know”.

This is the basic concept of Shadow IT. Users across all departments use applications or run software without the IT team ever being aware. We’re not talking about one or two individuals here either. A recent McAfee survey found that over 80% of users admitted to using applications without passing them through IT first.

Why do people use Shadow IT?

It’s very important to clarify that users aren’t using applications of this nature to be subversive. Most of the time, they’re simply trying to do their jobs as effectively as possible. By nature, third party enterprise cloud applications are efficient, accessible from any location, and solve a problem a user or team may be facing quickly and with minimal delays. As internal IT budgets continue to tighten, business infrastructures can be slow to offer similar services, and as such, sub-teams take it into their own hands to resolve a problem as quickly as possible.

Here are some examples of shadow IT applications that may not be regulated by an organisation:

| Solution Type | Examples | Possible Culprits |
| --- | --- | --- |
| File management programs | Dropbox, Google Drive, WeTransfer, other cloud storage | All teams |
| Customer database management | Customer relationship management and marketing automation software | Marketing, Sales |
| Resource and project management tools | Basecamp, Trello, timesheet software, Replicon | All teams |
| Business analytics and business intelligence | SAS, Qlik, Tableau, SAP | Technical teams, Marketing |

What’s the problem with this?

Underestimating Shadow IT is like the captain of a ship underestimating an iceberg. Although it looks fairly small above the surface, you’re never sure of what lies beneath, and no ship is unsinkable.

Shadow IT can cause a number of problems for businesses. One example is the financial waste produced when separate sub-teams purchase licenses for different software that achieves the same goal. Shadow IT can also increase the risk of data loss, as information and login credentials are frequently hosted on third party applications that can’t be regulated by the organisation.

Let’s quickly elaborate on internal business regulation and the rules around how data is stored. If IT and internal compliance are not aware of unauthorised applications that use business data (for example, CRM systems or even just file sharing applications like Dropbox), it is extremely difficult for them to ensure sensitive data remains secure at all times.

Upcoming changes to UK data law will make shadow IT an even greater threat, as businesses need to prove that every measure has been taken to ensure personal data remains secure and private. If these regulations have been bypassed by an employee using a rogue application, the implications for the business, and also for the individual using the application that caused the breach, could be profound.

How to bring your IT out of the shadows

First and foremost, don’t approach this exercise by trying to catch shadow IT “offenders” out. Using third party applications shouldn’t be discouraged by the IT team, as this can cause conflict as well as reduce productivity. Instead, IT should regularly work alongside individual teams and business stakeholders to raise awareness of Shadow IT and data compliance, whilst standardising which applications are provisioned and approved across a business.

This process in itself will help identify a large number of solutions that can be used across multiple departments, and may streamline operating costs as the adoption of preferred third party applications is led by IT across an organisation.

Want to find out what’s on your network? Request a security lifecycle review from Prodec Networks today to learn which applications are in use by your employees, and the risk that these present.