In this age of ever-increasing threats to cybersecurity, Shadow IT is a growing menace. It is a danger that hovers like a dark cloud over the IT infrastructure of an organisation. However, there is no denying the fact that there are many benefits of Shadow IT as well. In this article I intend to discuss this new business jargon in more detail.
When IT was new, most applications were tested rigorously and purchased as packages that came with a warranty. Today, there are IT applications for just about everything. They are all available at the click of a button and, in most cases, even free of cost.
What is Shadow IT?
The term refers to any type of system, software, hardware, device, application or IT resource used by employees in the organisational network without the IT department's express approval and, in most cases, without even the IT department's knowledge. Such a practice can take various forms, and while it comes with many inherent benefits, it violates compliance norms and poses major threats to the security of an organisation's IT infrastructure, including data leaks and other cybercrimes (detailed later).
With the exponential growth of information technology globally and the adoption of cloud-based services, the chances of threats to IT systems have also sky-rocketed. While there is no denying the fact that Shadow IT can enhance the productivity of employees and also encourage creativity and innovation, this rapid growth of cloud-based applications has also given rise to increased usage of Shadow IT.
Common Shadow IT applications
Some of the best examples of Shadow IT are applications like Slack, Dropbox, Google Drive, Google Docs, Microsoft Office 365, cloud storage services, Skype, WeTransfer, Excel macros, various file-compression applications, messengers, videotelephony software like Zoom and Microsoft Teams, servers, etc., and hardware like personal computers or laptops, tablets and smartphones.
Why Shadow IT?
The question arises: why does Shadow IT exist at all? The answer is simple. Firstly, getting the exact application one needs right at the moment of need may be difficult in an organisational setting, as the request has to pass through various time-consuming stages of proposal, review, rigorous testing and final purchase. Secondly, we tend to be more comfortable with applications we use personally on a day-to-day basis, and we often take the initiative to popularise such applications amongst our peers in the organisation. Thirdly, the recent concept of ‘Bring Your Own Device’ or BYOD (allowing employees to use their own laptops or smartphones in the office) has contributed to the exponential rise of Shadow IT.
Benefits of Shadow IT
Despite its risks, shadow IT has its benefits, some of which are as follows:
Adopting Shadow IT applications is attractive because they are simple to work with.
In many cases Shadow IT is more efficient because its market is competitive.
Shadow IT applications are available at the click of a button.
Getting approval from the IT department for the purchase of a particular software application often takes time; in contrast, using Shadow IT applications is fast and there is no wastage of time. And we all know that time is money.
Examples of Shadow IT
To understand the concept better, let us take a few practical examples of Shadow IT:
An employee stores sensitive information in a shadow IT cloud application.
An employee discovers a more effective and faster file-sharing application than the one approved by the in-house IT department, and starts using it. Gradually the usage also spreads to other members of the organisation.
File sharing through applications like Google Docs can lead to a data leak.
An employee who intends to complete a certain task at home, but does not take the office device home, sends the work documents to his personal email address. This exposes the confidential organisational data to networks that are beyond the control and monitoring of the IT department.
Shadow IT Risks
I must clarify here that I have no intention of stating that Shadow IT is bad; it is not inherently dangerous. But sometimes mindless usage may result in menaces like data leaks and compromise of security. Shadow IT results not only in technological risk, but also in business risk and reputational loss. The following are some specific risks associated with usage of Shadow IT:
An extended attack surface, as any device connected to the network is exposed to potential cybercriminals.
Because of Shadow IT, an organisation may lose confidential data or lose control over its data.
Shadow IT may result in regulatory or legal non-compliance.
An organisation may lose vital client or other information where an employee stores sensitive information in a Shadow IT cloud application and that application becomes the victim of a cyberattack.
Any data leakage or cyberattack could result in financial loss for the organisation, which might include costs associated with data retrieval, legal costs, costs involved in salvaging reputation, etc.
Managing Shadow IT and reducing associated risks
As information technology continues to grow and innovate, it is expected that Shadow IT applications will also increase and, to a large extent, dominate our lives, both personal and professional. However, adopting certain checks and best practices might help organisations reduce the risks associated with usage of Shadow IT. The following are some such preventative measures that can contain the menaces of Shadow IT:
Discovering the Shadow IT applications being used is the first step towards finding the solution.
The in-house IT department must know the needs of the employees.
Educating employees about Shadow IT and the risks associated with its usage.
Encouraging employees to monitor and manage unsanctioned applications.
Responsibility for cybersecurity must be built into the organisational culture.
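Discovery, the first measure in the list above, can start from logs the organisation already collects. The following is an added example, not part of the original article: it scans web-proxy log lines for the domains of applications named in this article and reports which unsanctioned ones are in use, by whom, and how much data was uploaded. The log format, the sanctioned list and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict

# Domain suffix -> application, for apps named in this article.
APP_DOMAINS = {
    "slack.com": "Slack",
    "dropbox.com": "Dropbox",
    "drive.google.com": "Google Drive",
    "wetransfer.com": "WeTransfer",
    "teams.microsoft.com": "Microsoft Teams",
}
# Assumption: the apps the IT department has approved in this organisation.
SANCTIONED = {"Microsoft Teams"}
# Constructed sample log, format: timestamp user host bytes_uploaded
SAMPLE_LOG = """\
2024-05-01T09:00:01 alice teams.microsoft.com 1200
2024-05-01T09:02:10 bob www.dropbox.com 52000000
2024-05-01T09:05:42 carol wetransfer.com 910000000
2024-05-01T09:07:00 bob notdropbox.com 300
2024-05-01T09:09:13 dave www.dropbox.com 4000
malformed line
2024-05-01T09:15:30 bob api.slack.com 8000
"""

def match_app(host):
    """Map a hostname to a known app; match on label boundaries only."""
    host = host.lower().rstrip(".")
    for suffix, app in APP_DOMAINS.items():
        if host == suffix or host.endswith("." + suffix):
            return app
    return None

def discover(log_text, sanctioned=SANCTIONED):
    """Return unsanctioned apps as (app, sorted users, bytes), biggest upload first."""
    usage = defaultdict(lambda: {"users": set(), "bytes": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # skip malformed records instead of crashing
        _, user, host, sent = parts
        app = match_app(host)
        if app and app not in sanctioned:
            usage[app]["users"].add(user)
            usage[app]["bytes"] += int(sent)
    rows = [(a, sorted(u["users"]), u["bytes"]) for a, u in usage.items()]
    return sorted(rows, key=lambda r: r[2], reverse=True)

if __name__ == "__main__":
    for app, users, sent in discover(SAMPLE_LOG):
        print(f"{app}: {len(users)} user(s) {users}, {sent} bytes uploaded")
```

The distinct-user count shows how far an unapproved tool has spread among colleagues, and the upload volume points to where organisational data may be leaving the monitored network.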
The idea is to find a middle ground between the IT department and the business unit or user, so that users can use some Shadow IT while the IT department controls user permissions and data for those applications. To this end, organisations may need to rethink and redraft their internal codes and policies so that they clearly state to what extent and in what form Shadow IT is acceptable.
There are good sides of Shadow IT and bad sides as well. To run organisations in this age of increasing usage of information technology, the best strategy is to find a middle path. Employees may be encouraged by the IT department to find efficient IT applications that work faster and answer their needs in the best way, and the IT department may in turn control the data and user permissions for such applications. This will also free up some of the IT department's time for more strategic and business-specific IT work.