Summary: A growing trend, “Shadow IT” is a term used to describe IT solutions and systems created and applied inside companies without their authorization. But, while it impacts nearly every organization, not every business leader fully understands the topic. In this article, we uncover the important facts that every business leader should understand about Shadow IT.

Whether you know it or not, Shadow IT is alive and well in your business. Even if it’s only practiced by a few employees, or even if it’s only a few unauthorized apps, Shadow IT is a problem facing every business.

What is Shadow IT? It’s a term used to describe IT systems and IT solutions built and/or used inside organizations without approval by (or knowledge of) the IT department.

For example, when an employee stores work documents in dropbox or on a personal USB drive, that’s Shadow IT. When employees use a cloud-based CRM solution (without IT’s knowledge), that’s Shadow IT. Or, when employees purchase and use self-service BI tools without going through IT, that’s Shadow IT.

I could go on, but the point is this: Shadow IT comes in many shapes and sizes, and impacts most every business.

The problem is, many business leaders don’t fully understand the topic, or don’t believe it applies to them. They don’t understand the risks (and benefits). They don’t understand just how prevalent it has become.

Today, let’s shine some light on the topic and explore a few important realities about Shadow IT. Here are 6 facts that every business leader must understand:

1. Shadow IT is not new (and isn’t going away)

The “Shadow IT” buzzword has exploded over the last few years. In the IT world, everyone’s talking about it.

But, is Shadow IT new? Not at all. Business users have bypassed IT departments for ages. They’ve adopted unauthorized tools, and used personal devices in the workplace for years.

The problem is, it’s far easier now than it ever was in the past. Users can search the web, find a new solution to the problem, and get up and running in minutes. When the alternative is placing a request to the IT department, and then waiting around…what do you think they’ll choose?

The fact is, Shadow IT isn’t going anywhere (and it’s only growing). Once you understand this fact, it changes your approach. Rather than fight a losing battle, you must search for ways to harness Shadow IT.

“Shadow IT has always existed and will continue to exist forever,” explains Andrew Storms, VP of Security Services for New Context. “In this arena, the best advice is if you can’t beat them, then join them. Companies need to accept the fact that Shadow IT will continue to happen and learn to work with it and not against it. It is critical to ask why Shadow IT exists in your organization in the first place. What service is your corporate IT not providing? Why do people feel the need to go around IT? Is your IT department creating too many speed bumps or hindering company creativity? These questions will help uncover ways to appropriately address the issue.”

“One of the best things IT can do is to communicate. Get out of the cubes and go and speak with your users. Creating and fostering that human bond goes a long way to understanding your users’ needs and challenges. Then together, as partners, IT and Shadow IT can work towards an amicable solution.”

2. It’s worse than you think

Now, I’ve heard from many businesses who don’t think Shadow IT applies to them. Their users aren’t bypassing the IT department, so why worry about it?

But…can you really know for sure? By its very definition, Shadow IT is practiced on the sneak. Chances are, it’s happening in your business, whether you know it or not.

In fact, it’s probably much more pervasive than you realize. A recent study revealed that IT leaders vastly underestimate the use of Shadow IT in their organizations. Here’s the crazy part: On average, Shadow IT usage was 15x worse than they estimated!

The fact is, Shadow IT is like an iceberg. It may seem small above the surface, but it’s far bigger than you realize.

“In reality, there are a large number of unauthorized cloud applications in use at many organizations,” says Adrienne Johnson, Corporate Communications Manager at CorpInfo. “Unless the IT department has tackled this head on, and utilized specialized discovery tools, they likely are not aware of them. This means your organization has no idea what your security posture is, what degree of risk you are exposed to, or where your sensitive data is.”

3. It expands your attack surface

You know that Shadow IT is here to stay. You know that it’s probably more prevalent in your company than you think.

The big question: Why should you care? Why should you spend the time and effort in controlling/harnessing Shadow IT?

Here’s one big reason: Security. As explained below, every new device or application gives attackers another way into your systems or data.

“The proliferation of cloud platforms and technologies is expanding the attack surface and opening the network to new types of cyberattacks,” says Ofer Or, VP of Product for Tufin. “Many of these platforms allow application development teams to completely bypass security and network operations and, in turn, introduce ad hoc changes with limited or no security controls. This can result in network security vulnerabilities, violations of company-wide network security policies, and regulatory non-compliance fines.”

4. It’s not rebellion

The common reaction from IT leaders when they discover Shadow IT: Anger. How can the users go behind our backs like this? This must be stopped!

I get it. As an IT leader, you spend considerable time and energy managing the organization’s technology. You work to ensure that your users have secure access to the tools they need.

Then, they go behind your back and create security risks.

While it seems bad on the outside, you need to understand one important fact about Shadow IT: It’s not a rebellion, and you shouldn’t treat it as such. As explained below, end users are trying to find the most efficient way to work.

“Your team is doing it out of convenience,” says J. Colin Petersen, President & CEO of J – I.T.Outsource. “They’re trying to get their job done in the most efficient way possible. Make policies that recognize that need, while keeping your data safe.Documents in the shadow cloud, such as those stored in Dropbox or OneDrive, are probably not getting backed up. Your team probably doesn’t realize this.Your team also doesn’t realize that they might be exposing you to regulatory risk by using the shadow cloud, especially if you’re in medical services or related health care. Financial sector employees are used to the restrictions placed on them, but many medical offices (especially smaller practices) aren’t up-to-date or as diligent about training their employees.”

5. Shadow IT isn’t all bad

There’s no denying that Shadow IT can create security problems if left unchecked. But, should you view it as a problem that must be stopped? Not at all.

When harnessed, Shadow IT offers some very real benefits. As mentioned in this article, it improves productivity, delivers solutions closely aligned with business needs, and reduces pressure on the IT department. Who doesn’t want that?

However, you only see those rewards if you harness Shadow IT. How do you do that? As explained below, it starts with communication with the end users, and treating them as allies–not enemies.

“As an IT guy, I have to think about all of those risks,” says John Matthews, CIO of ExtraHop. “But I also have to think about what’s best for the health of the business from an efficiency and workflow perspective. When it comes to that, my best advice is to treat your rebels as your closest allies. The early adopters of new solutions can help determine what makes the most sense for the business long-term, vetting solutions that might otherwise have gone unnoticed. For both IT and business leaders, identifying these early adopters and bringing them into the IT process can result in better, sustainable technology adoption. If you structure your IT team to work with the rest of the organization, it will produce amazing synergies that help the business move forward.”

6. There is no silver bullet (but there are solutions)

Now, when some businesses learn about Shadow IT, they search for a solution that will solve the problem once and for all (and they’ll probably find vendors offering one).

But, here’s the issue: Shadow IT cannot be fully addressed with technology alone. As explained in this article, most of the steps needed to address Shadow IT involve communication, education, and a shift in how your business approaches technology.

Of course, once you get those things right, there are solutions that will help. Some companies implement controlled, self-service options for their end users. This lets IT control data and user access, and gives users the ability to create solutions they need.

Others implement Mobile Device Management (MDM) tools to secure and control the user’s devices. In the event of a lost or stolen phone, these tools will help control the damage.

I could go on, as there are many solutions that can help you address Shadow IT. But, the point is this: Don’t assume you can find a silver bullet. Before you look for solutions, get the communication right. Work with the business users. Understand their needs. Only then can you truly harness Shadow IT.

Summary

These are just 6 facts you must understand about Shadow IT, but the list could certainly be much longer. If you would like to add anything to this list, I’d love to hear it. Feel free to share in the comments.