Summary: A rapidly growing trend, “Shadow IT” is the use of unapproved IT systems and solutions within organizations. End users are increasingly bypassing IT in favor of third party solutions and services. However, stopping Shadow IT isn’t as easy as flipping a switch. In this article, we explore the steps you must take in order to prevent Shadow IT in your organization.
Shadow IT is not a new trend. But, it’s been steadily growing over the past few years–unbeknownst to many businesses. In fact, few business leaders realize just how prevalent it actually is.
How bad is it? According to one report, the use of Shadow IT is 15-20 times higher than CIOs predict.
In other words, if you think your company doesn’t have a Shadow IT problem…think again. By its very nature, Shadow IT grows without you realizing it. For all you know, it could be running rampant in your company.
Why is this so bad? I won’t get into all of details, because most businesses are probably well aware of the risks by now. When left uncontrolled, Shadow IT can open up your business to data privacy, compliance, and general security risks.
The big question: How do you prevent these problems? How can you control Shadow IT?
The answer: It’s complicated.
You see, preventing Shadow IT isn’t as easy as flipping a switch. It’s not exactly cut and dried. It’s a complex topic that you must handle with care.
So, what’s the answer? Today, let’s explore a few steps you must take to prevent Shadow IT in your organization.
1. Understand the problem
When business leaders first discover they have a Shadow IT problem, many respond with anger. After all, their users are bypassing the IT department. They’re creating security risks that could damage the company. This must be stopped!
The problem is, responding in this way won’t prevent Shadow IT (and may make it worse).
Because Shadow IT is a symptom of a larger problem: Why are users bypassing IT in the first place? Trying to stop Shadow IT without first answering that question is a lesson in futility.
“Before even attempting to put a stop to shadow IT, businesses must first ask themselves why their employees are so reluctant to use the technologies provided for them,” says Tom Pressley, the Director of Marketing at Fuze. “Fuze’s research shows that 48% of workers feel that their employers don’t provide adequate technologies, making their day-to-day work less effective. 69% also agree their workplace tech is behind that which they use within their personal lives. Given this disconnect, is it any wonder that employees are circumventing the IT department and using their own apps and devices?”
“Clearly, the problem for businesses is not stopping shadow IT, but rather identifying flaws within their own technology/communications infrastructure that are forcing employees to use their own personal alternatives.”
2. Engage the users
While Shadow IT may appear malicious, that’s generally not the case. Employees are just trying to get their job done in the most efficient way possible. Shadow IT often provides the simplest path.
The first step in Shadow IT prevention: Communication. Engage the users. Understand what tools they’re using, and what they’re trying to accomplish. Ask them why they’re not using the tools you’ve provided (assuming you’ve provided similar tools).
What’s the best way to go about this?
Start with a simple survey. You’d be surprised at how many unauthorized tools you’ll uncover, simply because the employees didn’t realize they were practicing Shadow IT.
“One successful idea is for IT to engage the users,” says Greg Kelley, EnCE, DFCP, CTO and Founder at Vestige Digital Investigations. “Find out from the users what it is about Shadow IT services that are making their lives easier. Then IT can see what they can implement or change so that the Shadow IT processes are no longer attractive. This effort is one of collaboration between IT, management and the users. Management needs to understand the issues with Shadow IT (namely, losing control of their data), encourage IT to look for solutions and enforce the company policies with the users.”
3. Eliminate bottlenecks with self-service options
One reason users turn to Shadow IT: To avoid bottlenecks. In their opinion, the IT department doesn’t deliver solutions fast enough. They put in a request to IT…and wait.
Here’s a common example: In many companies, reporting runs through the IT department. However, this process often takes days or weeks. Users eventually get tired of waiting, and find their own reporting solutions.
How can you eliminate these bottlenecks?
Offer controlled, self-service options. For example, you could create a portal with approved solutions that users can download and use when needed. This eliminates the approval process bottleneck, and lets them start using secure solutions immediately.
Or, another popular example: Offer self-service development platforms. These platforms let end users create their own custom solutions (like reports, dashboards, data lookups, etc…) without coding. Now, they obviously can’t replace all development efforts, as the IT department must still handle complex projects. But, as explained below, offloading these simple development tasks to the users will save time for all involved.
“One way IT departments are addressing the Consumerization of IT and the related problem of Shadow IT applications is by making “in-house” provided services easier to use,” says Kevin Coppins, General Manager of the Americas at EasyVista. “Repurposing enterprise-grade ITSM tools and their underlying ITIL best practices across the enterprise has been happening for years. Giving the actual business functions a code-less development platform to build and provision “Consumer Like” purposeful applications leveraging enterprise ITSM creates the win-win. Employees in governance-heavy enterprise environments now get the personalized service they need. The IT department becomes an enabler for change rather than a bottleneck to progress.”
4. Ensure Awareness
Another big reason for Shadow IT: Employees are unaware an authorized solution exists.
It’s a common problem. The end users don’t know where to find IT-authorized applications to meet their needs. Or, they don’t know such applications are even offered by their company. So, they find their own solutions.
Preventing Shadow IT often comes down to improving awareness. If your business has already licensed the tools your users need, make it painfully obvious. Make sure they understand what each tool is, what each one does, and where to get them.
What’s the best way to do this? As explained below, a simple document outlining common activities and the associated IT solution is all most companies will need.
“Ensure that all employees are aware of everything that it is currently available through or recommended by IT,” says Nic Grange, CTO of Retriever Communications. “It could be as simple as having a document with a table that lists all the common activities that employees might do, the respective IT solution and how/where an employee can access this. As an example, the activity might be to “share files between employees”, the solution might be to use Microsoft OneDrive and employees can access it through their laptop’s SOE or download the app onto their mobile device from the app store and use their existing Active Directory credentials.”
“They would need to also have a process where other activities can be added and even if there isn’t a clear solution yet, they should at least formulate some guidelines.”
5. Educate your users
Yet another big reason for Shadow IT: Ignorance. Employees aren’t aware of your Shadow IT policies, or of the risks associated with it.
As I mentioned earlier, users are just trying to do their job. They view Shadow IT as the fastest route. But, they don’t consider the security risks because they don’t realize the risks exist. Or, they don’t realize they’re breaking company policies because they don’t realize those policies exist.
As explained below, this is one of the common reasons why employees adopt Shadow IT in the first place. Setting up clear policies and educating your users about potential risks is a major step towards prevention.
“One of the biggest drivers for employees adopting Shadow IT is that they’re unaware that it is against company policy and unaware of the potential issues that it can cause,” says Dr. Markus Schumacher, CEO of Virtual Forge. “They say that the best offense is a good defense, and that saying really rings true for Shadow IT. CIOs need to ensure that employees understand what shadow IT is (including common examples) and how it should and shouldn’t be used. This policy should be easy to understand for employees that aren’t technologically savvy and it should clearly spell out the steps that employees should take if they are using Shadow IT and need to work with the IT department to get outside software approved.”
6. Provide a grace period
Okay, so let’s assume you understand what solutions the users need and have provided them with secure options. You’ve even ensured that all users know these options exist.
How do you move users away from the Shadow IT solutions they’re currently using?
As mentioned above, it starts with education. The next step: Remove the barriers. Make it easy for users to switch from their Shadow IT solution to an IT-authorized solution.
How can you do this? Offer a grace period. As explained below, giving employees the chance to come clean without any repercussions is a great way to alleviate fear.
“Employees often don’t even realize how their actions can impact security,” says Marcia Walker, Principal Consultant at SAS Institute. “An exercise like this can help educate them. Also, consider instituting an amnesty period – a time for users to come forward and declare unauthorized technology without negative consequences. This strategy alleviates fear and encourages transparency, so problems can be addressed in keeping with the company’s security strategy. What you don’t know can hurt you.”
7. Set up monitoring
Now, in a perfect world, the steps outlined above will do the trick. Once employees understand the risks and have access to viable alternatives, Shadow IT should disappear…right?
Unfortunately, we don’t live in a perfect world. You’ll likely have a few employees who will break the rules, and still practice Shadow IT.
What can you do? Set up systems to monitor network traffic and cloud usage. As explained below, new tools are emerging that make this process simpler.
“While cloud app adoption is swift, adoption of security solutions for cloud apps, known as Cloud Access Security Brokers (CASBs), has trailed behind,” says David Waugh, VP of Sales & Marketing, ManagedMethods. “Only 20% of enterprises currently use a CASB, but Gartner expects the figure to jump to 85% by 2020. A business’ IT department should have visibility into all cloud programs, apps, files, data and users. This visibility lets IT pros check that their team is using and sharing data on cloud apps securely and take action on unauthorized activity.
Gartner expects that by the end of this year, 35% of enterprise IT expenditure will go towards addressing Shadow IT/Shadow Data. Once you have visibility into Shadow IT/Shadow Data, you can make better technology decisions.”
Now, these are just 7 steps to help prevent Shadow IT, but the list could be longer. Would you add anything to this list? If so, feel free to share in the comments.