Summary: A growing trend, “Shadow IT” is a term used to describe IT systems and solutions built and/or used inside organizations without the approval of the IT department. This could include anything from employees emailing spreadsheets back and forth to entire departments licensing third-party, cloud solutions behind IT’s back. The problem: Since Shadow IT usually happens on the sneak, IT departments don’t know where (or how much) it’s happening. Is Shadow IT lurking in your business? Read this article to learn the warning signs.
Like it or not, Shadow IT is probably alive and well in your organization. Recent surveys find that it’s not only growing, it’s far more rampant than business leaders realize.
What can you do about it? In past articles, we’ve explored a few ways to address and reduce risks of Shadow IT. We’ve looked at:
- Ways to prevent Shadow IT.
- How to reduce security risks of Shadow IT.
- The benefits of embracing Shadow IT.
That being said, there’s still a problem: You can’t address Shadow IT if you can’t see it. How do you know whether or not Shadow IT lurks in your company?
It’s a tricky question. After all, Shadow IT usually happens on the sneak. Generally speaking, IT departments don’t know where (or how much) it’s happening. This means they can’t monitor the spread of company data and therefore cannot secure any data involved in Shadow IT.
How can you figure out whether or not Shadow IT exists in your company? What signs should you look for? Today, let’s answer those questions. Here are 5 signs that Shadow IT lurks in your business.
1. Users talk about it
I hesitate to include this point because it seems obvious. But, I feel like it’s common enough (and important enough) to mention. Let me explain:
The fact is, many employees practice “Shadow IT” without realizing that it’s wrong. They either aren’t aware of, or don’t understand your corporate policies on the use of unauthorized hardware/software in the workplace.
Is this a problem in your business? Could users be unaware that they’re practicing Shadow IT? Ask yourself a few questions:
- “Do we have a clear Shadow IT policy?”
- “Have we communicated that policy to the end users?”
- “Does the IT department have open communication with the business users?”
Many businesses struggle in one of these key areas. As a result, users aren’t entirely sure when they are practicing Shadow IT. In some cases, they don’t even know that it’s wrong.
The first sign that Shadow IT lurks in your business is a simple one. Users will tell you about it. Of course, this means that your IT department must have open communication with end users. But, you’ll find that asking users what software they’re using is a great way to uncover Shadow IT.
“A very simple and practical way to discover shadow IT is to go ask the users,” says Oli Thordarson, President, CEO of Alvaka Networks, Inc. “This has the added benefit of getting IT staff out talking to users and learning more about their needs. The IT staff will learn a lot and the users will feel good that they are being asked and listened to.”
Besides talking to end users, what else should you do? First, create a clear Shadow IT policy. Second, communicate that policy with your employees, but keep the dialogue open. For instance, you could include a survey that asks employees which tools they use and what goals they’re trying to accomplish with those tools. Then you understand how to give employees secure alternatives to meet their needs.
2. Your help desk receives support requests for unknown software
As mentioned above, many employees don’t understand that they’re even participating in Shadow IT. Maybe they’re using software suggested by another employee, or maybe their department manager licensed a SaaS solution for his/her employees without mentioning that it’s an unapproved solution.
If this is the case, what will employees do when they run into an issue with that software? Contact the help desk.
Train your help desk on protocols for reporting Shadow IT. Make sure they keep track of any support requests for software that you don’t support. This is one of the easiest ways to watch for Shadow IT.
3. The requests/complaints stop
If you work in an IT department, you understand that business users make a lot of requests. They ask IT for support, new software, changes to existing software, and much more. In many businesses, the IT department is bombarded with requests.
While that may seem bad, let me ask you a question: What’s worse than constant requests/complaints from end users?
If end users that formerly requested solutions (or complained about their existing solutions) are now silent, that’s a red flag. Or, if your users have solutions that you know they don’t like, but they don’t complain about them anymore…that’s a red flag. Chances are, they’ve found other options.
“If a company’s I.T. department is always busy, always using ‘prioritization’ as a euphemism for ‘no’ and frequently pushes dates back or delivers lighter versions of what was originally agreed to, it is just a matter of time before innovation finds a way and starts creating shadow or stealth IT,” says Terence Channon, Principal at NewLead, LLC. “If your organization is enduring any of these challenges, then shadow IT is likely right around the corner. If the ‘nos’ and ‘re-prioritization’ suddenly stops and the product owners that once fought tooth and nail but were continually put on hold are now quiet, shadow IT is already there.”
What should you do if you notice this in your business? The answer here isn’t to stomp out unauthorized software use. Rather, give employees the tools needed to perform these common actions. If employees complain, take it seriously. Look at the bright side–at least they’re communicating with you. When they stop communicating, they’ve taken matters into their own hands.
4. You see new security alerts
When employees purchase and use third-party software without IT’s knowledge, they can (unknowingly) create security risks.
For example, they might choose software that isn’t secure. Or, they might store company data in places that are easily accessible to hackers. Or, maybe they just have bad password habits. Whatever the reason, the use of Shadow IT can open up your company to new security risks.
If Shadow IT is running rampant in your company, you’ll probably notice new threats or security alerts in your security software. Keep a close eye on new security threats, as they can be a sign that Shadow IT exists in your business.
“You seem to have inexplicable alerts on viruses and malware that many times, you have not seen before,” says Anthony R. Howard, Bestselling Author and IT Consultant. “You get hit with ransomware (where a hacker seizes and encrypts your data so you cannot access it, then charges you an enormous fee to get access to it again). It causes issues with downtime as shadow IT usually does not get backed up reliably so if there is a large failure, data is lost with no way of recovering it.”
5. You notice changes in expense reports and departmental budgets
Most SaaS providers offer free versions of their software, which accounts for the large majority of Shadow IT use. However, as Shadow IT grows within a company, money comes into play. When single employees use outside, paid services, they’ll likely expense the cost. Keep an eye out for software charges on expense reports.
However, when whole departments practice Shadow IT on a large scale, you’ll find significant shifts in budget. After all, some of those services come with high price tags, and these departments must get creative with their budgets to make things work. You’ll find that periodic reviews of departmental budgets will uncover areas that are being used to finance Shadow IT.
“Businesses can choose to audit the operational expenditure of various departments with the aim of identifying potential ‘Shadow IT’ items,” explains Nic Grange, CTO of Retriever Communications. “These can come in the form of SaaS charges which are usually per user per month.”
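One way to run the expense audit described above, as an added example that is not part of the original article: it flags vendors outside a hypothetical approved list that bill a department in at least three consecutive months, which is the recurring pattern per-user-per-month SaaS charges leave behind. The vendor names, approved list and expense rows are constructed sample data.

```python
from collections import defaultdict
from datetime import date

# Hypothetical list of IT-sanctioned vendors (lowercase for matching).
APPROVED_VENDORS = {"approvedcrm"}

# Constructed sample rows: (department, vendor, charge date, amount in cents).
EXPENSES = [
    ("Marketing", "ExampleBoards", date(2024, 1, 5), 12000),
    ("Marketing", "ExampleBoards", date(2024, 2, 5), 14400),
    ("Marketing", "ExampleBoards", date(2024, 3, 5), 16800),
    ("Sales", "ApprovedCRM", date(2024, 1, 9), 50000),
    ("Sales", "ApprovedCRM", date(2024, 2, 9), 50000),
    ("Sales", "ApprovedCRM", date(2024, 3, 9), 50000),
    ("Finance", "ExampleConf", date(2024, 1, 20), 4900),      # one-off purchase
    ("Engineering", "ExampleCI", date(2023, 11, 2), 3000),
    ("Engineering", "ExampleCI", date(2023, 12, 2), 3000),
    ("Engineering", "ExampleCI", date(2024, 1, 2), 3000),     # spans a year boundary
    ("HR", "ExampleSurvey", date(2024, 1, 15), 2000),
    ("HR", "ExampleSurvey", date(2024, 3, 15), 2000),          # gap in February
]

def find_recurring_unapproved(expenses, approved, min_months=3):
    """Flag unapproved vendors billed in >= min_months consecutive months."""
    monthly = defaultdict(dict)  # (dept, vendor) -> {month index: cents}
    for dept, vendor, when, cents in expenses:
        if vendor.lower() in approved:
            continue
        idx = when.year * 12 + when.month  # consecutive across year ends
        bucket = monthly[(dept, vendor)]
        bucket[idx] = bucket.get(idx, 0) + cents
    findings = []
    for (dept, vendor), bucket in monthly.items():
        ordered = sorted(bucket)
        longest = run = 0
        prev = None
        for idx in ordered:
            run = run + 1 if prev is not None and idx == prev + 1 else 1
            longest = max(longest, run)
            prev = idx
        if longest >= min_months:
            findings.append({
                "department": dept, "vendor": vendor, "months": longest,
                "total_cents": sum(bucket.values()),
                # A rising monthly charge suggests seats are being added.
                "growing": bucket[ordered[-1]] > bucket[ordered[0]],
            })
    return sorted(findings, key=lambda f: -f["total_cents"])

if __name__ == "__main__":
    for finding in find_recurring_unapproved(EXPENSES, APPROVED_VENDORS):
        print(finding)
```
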
While the list could certainly be longer, these are just 5 signs that Shadow IT exists in your business. Would you add anything to this list? If so, I’d love to hear it. Feel free to share in the comments.