What is shadow IT? Answers to 5 frequently asked questions

This blog is tagged to the following categories:

The IT department is responsible for all things IT. Sounds pretty straightforward, right? Wrong. Hidden in the dark and shrouded in mystery, shadow IT breathes.

But what is shadow IT exactly? In this blog, we answer five of the most frequently asked questions about shadow IT.

What is shadow IT?

The name says it all: shadow IT takes place in the shadows – and the IT department is left in the dark. In short, shadow IT covers all forms of IT that take place outside of and without knowledge and/or approval from the IT department.

Shadow IT refers to the use of technology systems, applications, or services within an organization without official approval, oversight, or knowledge of the IT department or management. It often involves employees independently adopting and using unauthorized software, cloud services, or devices to fulfill their work-related needs.

Normally, the IT department uses its expertise to select or approve new hardware or software for the organization. With shadow IT, other departments than IT or individual users use tools or devices that the IT department doesn’t know about.

Why does shadow IT occur?

Ease of use

With the sheer amount of available web and cloud-based technologies and applications, using your own IT resources has become easier than ever. Anyone can easily download and use IT tools through a web interface with little to no involvement from the IT department.

Business IT innovation

Most business departments want to innovate faster than the IT department has resources for. According to this Gartner report, only 40% of total IT investments comes from the IT department itself. Business departments simply find their own solutions: they actively invest in IT software that supports their innovation efforts. This may include investing in a new application or platform or enlisting the help of an external IT consultant.

Shadow IT creates invisible risks that the IT department can’t address because they don’t know about them in the first place.

What does shadow IT look like?

BYOD: a dream or a nightmare?

Bring Your Own Device (BYOD) is great for a number of reasons. For one, employees get to work exactly the way they want: whether they like using a Samsung tablet, a MacBook, or a Xiaomi smartphone. But BYOD also has a dark side. Using personal devices to log onto the company network may cause huge security risks. Especially when personal devices are outdated or use dubious software – a hacker’s dream come true. Keeping track of all devices? IT’s worst nightmare.

Connected but disjointed

Now that almost everyone is working from home, employees have to find new ways to stay connected to their team and coworkers. The solution? Online tools and applications such as Microsoft Teams, Miro, and Trello. Usually, a team or department simply downloads a new tool and the rest of the organization automatically follows suit.

The result? A snowball effect. All of a sudden, the organization uses eight different tools – and no one has involved the IT department or thought about how these applications handle personal data.

How can you maintain security while working from home?

Taking assets into their own hand

Some departments are extremely responsible. So responsible, in fact, that they handle asset management themselves instead of having centralized asset management run by the IT department. Such departments have their own, private IT stock.

So, what happens when an employee leaves the organization? They hand in their laptop at their department and think they’re done. Weeks later, they get a call from IT, asking about the laptop.

Meanwhile, the department has already handed out the laptop to a new employee. The IT department has no idea how many IT assets they have, where they are, and whether something is missing.

What are the implications of shadow IT?

“If you can’t see it; you can’t control it” definitely rings true for shadow IT. Shadow IT creates invisible risks that the IT department can’t address because they don’t know about them in the first place. It also increases the attack surface of the organization, making it more susceptible to data leaks, for example.

The IT department is responsible for security, compliance, and privacy in the organization. Shadow IT poses a genuine threat to all three of these, especially in larger organizations. The more applications, tools, and devices there are, the harder it is to control them.

How do I manage shadow IT?

Boost awareness

You simply can’t avoid shadow IT, no matter how hard you try. Using your own IT resources has become easier than ever with the boom in web and cloud-based technologies and applications. This doesn’t mean you should just accept it and move on. You should still shut down anything that’s actually dangerous or poses too great a risk.

But there’s also another solution: education. Invest in more awareness of how important security, compliance, and privacy are. Most users are simply unaware of the implications when they sign up for Trello or log onto the company network using an outdated device.

Next, set up simple guidelines that users have to follow when using their own hardware or software, such as multi factor authentication.

Partner up with the business

To make the most of innovation and avoid the risks of shadow IT, the IT department and the business departments need to join forces. On the one hand, the business departments need IT for their knowledge and expertise. On the other hand, IT wants to make sure the business departments invest in a safe solution that they won’t have to lose any sleep over.

So how do you partner up with the business? Offer your services and make sure the business departments know where to find you. Take on an advisory role in every innovation project, from the orientation phase until the implementation of a new tool.

A win-win situation: the business departments get to innovate, and IT gets to sleep at night (and profit from the business departments’ innovation and budget).