Summary: Shadow IT–a term used to describe unapproved IT systems and solutions used inside organizations–is growing rapidly. The problem: Not only is Shadow IT more prevalent than most businesses realize, it also costs more than they think. In this article, we explore a few hidden costs associated with Shadow IT and explain why they’re important.
I’ve seen two huge Shadow IT misconceptions floating around recently.
The first misconception: It’s not that widespread. According to one report, the majority of CIOs underestimate its reach. In fact, the study found the use of Shadow IT was 15-20 times higher than they predicted.
The second misconception: Shadow IT saves time and money. This is a misconception often found on the business side. They see the simplicity and low cost of cloud services, and assume it’s a cost-effective option.
Here’s the problem with that assumption: The costs of Shadow IT go far beyond license costs. Shadow IT includes hidden costs that business leaders don’t recognize until it’s too late. These hidden costs can create problems ranging from lost productivity to millions of dollars of lost revenue.
What are these hidden costs? Today, let’s examine this area in more detail. Here are 5 of the most common hidden costs of Shadow IT.
1. Security breaches
The largest potential hidden cost of Shadow IT: Security. The IT department cannot secure data or software if they don’t know it exists. This means they can’t screen new software for security risks or enforce proper security procedures in using the software.
How much does a security breach cost? It depends on whose research you trust. According to one recent survey, the average total cost of a security breach is $4 million. According to a different study, the average cost of a data breach was “only” $200,000.
Let’s ignore the large gap between those two numbers, and focus on one area everyone can agree on: No business wants to lose $200,000 fixing a security breach.
How can Shadow IT lead to a security breach? Typically, it happens in one of two ways. Either the users adopt vulnerable software, or (more commonly) they use secure software in unsecure ways. What problems can it cause? As explained below, these risks can create a number of different (and costly) security risks.
“Shadow IT can incur a massive security risk, as shadow IT does not necessarily connect via the campus intrusion detection, authentication procedures, or connect to their virtual private network,” says Anthony R. Howard, Bestselling Author and IT Consultant. “It can leave an organization vulnerable to ransomware, where a hacker (sometimes novice) seizes and encrypts your data so you can not access it, then charges you an enormous fee to get access to it again. It causes issues with downtime as shadow IT usually does not get backed up reliably so if there is a large failure, data is lost with no way of recovering it, costing the organization serious money if detail like sales, client data and ship-to addresses, or marketing campaigns or database info was on the server (as shadow IT isn’t replicated.)”
2. Investing time/money into the wrong solution
When the IT department purchases software, they follow a strict selection process. It must meet set requirements for security, integration, license costs, and more.
When users purchase software, they don’t follow the same criteria. They’re looking for a solution to meet their immediate needs. Users don’t typically plan for integration, scalability, or security.
The problem is, the lack of a standard selection process hurts the users in the long run. They often run into unforseen issues with the solution. Maybe it doesn’t meet all of their needs perfectly, or maybe it doesn’t integrate with other tools. The result: Many realize too late that they’ve invested time and money into the wrong solution.
“In many cases the choice of the product or service the department chooses is not the right solution for them,” says Ahmed Amin, Founder of Guru Squad. “This is likely because they did not conduct proper evaluation of the system. This can become much more significant if there is a long term contract or commitment to professional services where they migrate the data.”
3. Overpaying for licenses
Communication is a common problem among business departments. Oftentimes, different departments operate in their own worlds.
With Shadow IT, communication becomes an even bigger issue. Because Shadow IT is practiced on the sneak, different departments won’t tell others about the third party solution they’re using…even if it could help others.
This creates two problems:
First, this lack of communication can easily result in extra costs for the business. For instance, multiple departments could be licensing the same solution without anyone knowing. They’re stuck paying duplicate license fees because each department is doing their own thing.
Secondly, the users will generally pay far more per-license than they would going through the IT department.
How so? Let me explain.
When negotiating per-user license costs, a business will typically receive a bulk discount based on the number of users they license. They can negotiate a much lower per-user fee than a typical user purchasing a single license.
“When every business unit in the company is downloading their own 3rd party cloud application or signing agreements with a public cloud provider like Amazon Web Services, the company loses its ability to collectively bargain on a better rate for these services,” says Tad Gralewski, VP of Cloud and Managed Services at Mindsight. “The company as a whole has the potential to negotiate with public cloud providers to receive necessary storage and compute space at an overall lower cost than if purchased individually. In a Shadow IT environment, that means that individual departments are stuck paying the premium for the same serves. If you extrapolate that across an entire company, the amount of money needlessly wasted inflates to debilitating levels.”
4. Network costs
Depending on its usage, Shadow IT can create a strain on your network. When multiple users access their favorite applications on the company network, problems can arise.
What kind of problems? Most importantly, critical functions can get squeezed out. Unexpected network traffic can hurt performance of important services and applications. Then, the IT department must waste their time trying to find the culprit behind the network slowdown.
“The increased network demand placed upon network systems due to IoT via Shadow IT, must be considered as a possible “cost” of shadow IT,” says Tim Kittila, Director of Data Center Strategies at Parallel Technologies. “One aspect of the IoT is the demand for more information via network connectable devices. The new demand on internal networks due to IoT can cause a lot more noise on the network than was originally anticipated. Let alone opening themselves to a huge security vulnerability, this demand also chews up valuable pipeline and bandwidth and may end up causing issues with end-user application experience for tried and true business applications that are driving the business. These additional IoT items can end up costing the business in operational expense beyond the business case, if built through the course of Shadow IT.”
5. The costs of fighting Shadow IT
Many IT leaders view Shadow IT as an “Us vs. Them” problem. The users are putting our data at risk and must be stopped!
As a result, they take countermeasures to limit the spread of Shadow IT. They block certain websites. They put limits on software features. They set up scanning software to spot Shadow IT.
Meanwhile, the users spend their time trying to bypass these restrictions. They think IT is just trying to get in their way, and seek out ways to avoid them.
The problem with treating Shadow IT as a battle: It’s costly, whether you recognize it or not.
It’s an efficiency drain on the IT department, as they’re constantly setting up countermeasures to stop Shadow IT. Also, as explained below, it’s an efficiency drain on the users, as many of these countermeasures create barriers in their day-to-day tasks.
“When central IT organizations try to stop Shadow IT, they spend a lot of time introducing barriers for other business units to use their own solutions,” says Ben Brearley, IT Project Manager and founder of ThoughtfulLeader.com. “They also spend time running around trying to spot instances of Shadow IT and shut it down or work with the business units. In some cases, they may even introduce technological hurdles that business units can’t overcome, such as disabling the use of spreadsheet macros or Access Databases throughout the organization. This can actually make business units less efficient than they would normally be as they try to get work done without access to some potentially useful tools.”
Here’s the big question: As an IT department, what can you do? If you know that users are practicing Shadow IT in your organization, what can you do besides fight it? While it’s a topic covered in this article, much of the answer boils down to a couple of important tips.
First, figure out why it’s happening. What are the users trying to accomplish that they can’t/don’t get from IT?
Second, give them controlled, self-service options to meet their needs. We’ve seen citizen development tools grow in popularity over the last few years–in large part as a response to Shadow IT. The IT department can provide users with self-service development tools, yet still control data and user access. It’s the best of both worlds. The users get what they want, and the IT department retains control.
While the list could certainly be longer, these are just 5 hidden costs of Shadow IT. Would you add anything to this list? If you would like to add anything to this list, I’d love to hear it. Feel free to share in the comments.
If you enjoyed this article, sign up for email updates
We value your privacy. We will not spam you or share your email address with anyone. You're free to unsubscribe at any time.