April 14, 2020
It might sound like something out of a crime drama, but Shadow IT is a common, everyday occurrence. And it has been happening in organizations (yours included) for decades. Within IT, Shadow IT can be a thorn in your side or a chance to make real business and process improvements. It’s all just how you look at it.
Shadow IT is both a risk and an opportunity, and if you look at the intent behind why someone is playing out of bounds, you’ll learn something about how people work.
Shadow IT is when an IT or security department is kept in the dark while an employee or department makes a change to their hardware or software. It can be departments installing their own software or an employee making unauthorized changes to their computer. Even employees using a new cloud service not approved by the company is Shadow IT. Anything people do outside of established policies or standard apps is Shadow IT.
Shadow IT usually involves hardware and software, but it goes beyond that: your company’s BYOD policy can be officially unofficial Shadow IT too. When you allow people to use their own devices to connect to your network they could pose as much of a risk as installing software or hardware on a corporate desktop without permission. Any hardware, even old laptops that have been decommissioned or servers in a test environment, that finds its way onto your production network can be considered Shadow IT.
While there may be the odd employee who is intentionally malicious—the Equifax hack is a good example—most of the time Shadow IT isn’t malicious. People are trying to get their jobs done and see a solution that solves a problem for them; that solution just hasn’t been blessed by IT. Good intentions, but still a potential risk to the company.
Shadow IT presents four broad kinds of risk to a company:
There are financial penalties for having illegal licenses, but it doesn’t end there. Large software vendors conduct regular licensing audits looking for illegal copies and fraudulent licenses. If your company has illegal licenses, there are fines and penalties to contend with. The costs of getting caught are usually more than the cost of getting a legitimate license in the first place.
Licensing is just part of the cost puzzle. If two separate departments buy licenses for the same tool, or very similar tools, the company could be wasting money by missing out on volume purchases and negotiating a better enterprise license. Centralizing licensing saves money and ensures there is good oversight of security and data protection—more on that in a moment.
The best way for an IT organization to be successful is standardizing the tools it supports. Approving every app means not only keeping on top of licenses and supporting hundreds of apps, but also dealing with software and driver conflicts. There is no practical way for any IT department to keep up to date on apps used by only a few users.
If your employees are installing software on their machines without a proper license—you could be in big trouble. And not for the (monetary) reason you’re probably thinking of first.
If an employee downloads a “cracked” version of Photoshop (for example)— a modified version that doesn’t require a license code to work—you can be almost certain your employee is getting Photoshop with a side of malware. Cracked versions of apps—especially expensive ones—have been tampered with by some person on the Internet. You don’t know what they did to it. You don’t know if they injected something else into the installer. Not to mention, the cracked version probably doesn’t call home to check for updates.
One person trying to save the company a few bucks could unwittingly release a virus, ransomware, a trojan horse, or network snooping tools into your company right under your nose.
We talked about security in terms of cracked apps, but there is another side of security people forget about—managing passwords and data. Imagine if people used Dropbox, Box, OneDrive, and iCloud to save and share files over the Internet. That means there could be myriad copies of sensitive documents all across the internet with little regard to access control or who might be sharing passwords. IT needs to keep company data secure and it can’t do that if employees are sharing files with people over an unrestricted number of services.
Finally, there is the cost of lost productivity when little islands form around the company, each only able to share and communicate within a single department. For example, Marketing and Graphic Design start using Slack to collaborate, but so does Product Development—except they don’t share an account. Three departments, two Slack accounts, no sharing. Slack versus Teams, or Asana versus Monday.com versus Jira: all create ways to collaborate, track work, and share documents—but they don’t talk to each other very well. How does someone in Marketing share something with Product Development and IT? Whose tool do you use? No matter what, someone is going to juggle (at least) two separate tools. Not the best way to stay focused at work.
Shadow IT starts with someone hitting a snag or having a little bit of frustration trying to get their job done. “It would be so much easier to share these huge files with the printer over Dropbox…”, “My team needs to get organized, I hear good things about Trello…”, “I need this one-pager done today and I can’t get any graphic design resources, I can do this in Canva”, “I need Photoshop for this little graphic to post on social media, no way I’ll get approval to buy it, I’ll find a free version…just for this, what’s the risk?”
And Shadow IT is born.
People need to get something done and they either don’t know there is a corporate solution already, or the red tape to go through official channels is too much trouble—or takes too long—to meet their deadline. No matter the rationale, an employee felt it was easier to go around IT than to work with IT. Understanding why people are forging their own path is the first step to managing Shadow IT.
The focus of this article is to get companies to embrace the Shadow IT mindset, but not the shadow. You’ll never be able to stop it altogether. Shadow IT happens and will always happen. You don’t have to embrace it, but it’s critical you accept that employees will do what they need to do to stay productive—even if it means flying in the face of IT policy. The question that needs to be answered is: how do you help people get their jobs done and keep your IT house in order? It’s the balance between rigidly following the rules and flexibly finding new solutions to common tasks.
Take Dropbox, for example. You have a corporate account, so you have control over how and where documents can be shared. You set the security settings to prevent employees from sharing documents outside of the company. While this stops users signed in to the corporate account, what about the people who are using a free or personal Dropbox account? What if the CEO needs to share a document with outside legal counsel? That should be allowed, right? You have a trusted supplier for printing and graphic design, and Marketing needs to share documents with them all the time. Asking permission to share documents over and over and over creates frustration and resentment. Suddenly people get fed up and use a personal Dropbox account instead.
Addressing issues like this is the low-hanging fruit. Generally speaking, however, managing Shadow IT boils down to maintaining visibility of all these endpoints. Even if you don’t have policies in place, you can deploy software today to monitor your environment. You can get a handle on all the cloud services used at the company—which might scare you—but it’s the essential first step to getting a handle on the situation.
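As an added illustration of the visibility step described above (this is example code written for this article, not part of the original post or any Absolute product), the script below walks constructed web-proxy log lines, maps hostnames to the cloud services named in this article, and reports which non-approved services are in use, by whom, and how much data was uploaded to them. The log format, the hostname-to-service table and the sanctioned list are all assumptions for the example.

```python
import re
from collections import defaultdict
# Constructed sample proxy log lines (timestamp, user, method, host, bytes), not real traffic.
PROXY_LOG = """\
2020-04-14T09:01:12 alice POST files.dropbox.com 5242880
2020-04-14T09:02:40 bob GET app.slack.com 2048
2020-04-14T09:05:03 carol POST upload.box.com 1048576
2020-04-14T09:06:19 alice POST trello.com 4096
2020-04-14T09:08:55 dave POST onedrive.live.com 8388608
2020-04-14T09:10:01 erin POST api.trello.com 1024
2020-04-14T09:11:30 bob POST files.dropbox.com 3145728
2020-04-14T09:12:02 frank POST canva.com 512000
"""
# Hostname suffix -> service name (assumed table; a real deployment would use a maintained catalogue).
SERVICE_SUFFIXES = {
    "dropbox.com": "Dropbox", "box.com": "Box", "onedrive.live.com": "OneDrive",
    "slack.com": "Slack", "trello.com": "Trello", "canva.com": "Canva",
}
# Services IT has approved (assumption for the example).
SANCTIONED = {"OneDrive", "Slack"}
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d+)$")

def service_for(host):
    """Map a hostname to a known cloud service, or None if it is not in the table."""
    host = host.lower()
    for suffix, name in SERVICE_SUFFIXES.items():
        if host == suffix or host.endswith("." + suffix):
            return name
    return None

def discover_unsanctioned(log_text):
    """Return {service: {"users": set, "bytes_out": int}} for non-approved services."""
    found = defaultdict(lambda: {"users": set(), "bytes_out": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        _, user, method, host, size = m.groups()
        svc = service_for(host)
        if svc is None or svc in SANCTIONED:
            continue
        found[svc]["users"].add(user)
        if method == "POST":  # count uploads as data leaving the company
            found[svc]["bytes_out"] += int(size)
    return dict(found)

if __name__ == "__main__":
    for svc, info in sorted(discover_unsanctioned(PROXY_LOG).items()):
        print(f"{svc}: {len(info['users'])} user(s), {info['bytes_out']} bytes uploaded")
```

The per-service user count and upload volume give a quick ranking of which unsanctioned services carry the most data and the most people, which is where the conversation about bringing a tool into the light usually starts.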
Every organization has people from all different cultures, companies, and countries who bring great ideas to the table. Maybe an idea started in a garage in San Jose, or on the unauthorized laptop of a user, and ends up being a project or product that the company eventually puts into production. I’ve seen it over and over again. What you don’t want to do is squelch people’s creativity and thinking. The question becomes: how do you turn that energy into something positive for the company and not a disaster in the making?
It’s tough, because unless you’re going to create a totally sandboxed environment that’s safe for people to play around in (and I recommend this), you can’t completely stop Shadow IT. Shadow IT is the spark that could lead to something great—the first company websites were often Shadow IT projects—like finding a better tool for project management, CRM, or document management. People faced with a problem will find solutions. Your challenge is to embrace creativity while having the right discussions with people to bring great ideas out of the shadows and into the whole company. No matter who you are or where you fit in your organization, with the right toolset you can have visibility and understand the risks.
Learn how Absolute Application Persistence helps organizations address pressing security concerns regarding application visibility and vulnerability by downloading our Application Persistence Whitepaper.