Conquering Shadow IT

Whether used professionally, socially, educationally or at home, technology is touching every part of our daily lives, and the days when people only had a computer at work are long gone.
Anna Collard, MD of KnowBe4 Africa.

Today’s digital age is one where employees from all levels are far more engaged with technology. Everyone is walking around with connected devices in their hands or on their wrists. Employees are infinitely more tech-savvy, and IT personnel are no longer the only people with the knowledge to meaningfully use technology.

So says Riaan de Bruyn, head of Enterprise Architecture, Internal and BI at e4, adding that application design has focused on the user experience and become much more intuitive for everyone to use. Therefore, Shadow IT, or technology that employees use without approval or sanction from the IT department, is unavoidable.

Shadow IT can include free apps or SaaS-based solutions and tools, adds Yash Pillay, sales engineer at Trend Micro Sub-Saharan Africa. “Usually, employees turn to unapproved IT solutions because an organisation’s IT solutions are complicated and cumbersome to work with, so they find new technologies and solutions that help them do their job faster and get better results. IT is often completely unaware that these applications or tools are being used.”

Shadow IT arrives simply because there is a need for it, says Jonathan Ryall, senior advisor, Field Marketing at Dell Technologies. Many reasons can lead to this, including: constrained IT resources, slow decision-making and implementation around IT projects, and not taking user requirements and experiences into account. For example, a service such as Dropbox became popular because most businesses didn’t offer reliable and easy-to-use file-sharing spaces for their employees, or thought what they had was good enough.

Anna Collard, MD of KnowBe4 Africa, adds that Shadow IT is nothing new. “A famous example of Shadow IT gone wrong is Hillary Clinton’s disastrous decision to set up her own email server. It’s a classic example of someone using their own resources to get something done, but one that was fundamentally unsound from a security perspective, as it led to classified information being stored on a server that wasn’t government-approved, and had a number of serious vulnerabilities. Regular employees may want access to a piece of software or tools, but aren’t aware of the consequences of installing them on corporate machines. Many employees also aren't even sure who to ask to get something approved. The issue has been compounded by the use of mobile devices, which are often just a personal device such as an iPhone or iPad, but are used to process company information. It's a form of insider threat, maybe not in the conventional sense in terms of being malicious. Often it's non-malicious but can have an impact.”

Uncontrolled access

Unfortunately, Shadow IT poses several risks. Firstly, financial, says Pillay. “One of the benefits that cloud computing has brought to IT is the pay-as-you-go pricing model. It’s also one of the significant offenders of Shadow IT. These days, instead of acquiring technology solutions through official channels, almost anyone can pay for these solutions using a company credit card as an out-of-pocket expense. The consequence is that controlling IT expenses becomes a nightmare and tracking collected IT expenses becomes near impossible. These IT expenses are often done without the involvement of the IT department, which means actual IT costs can very quickly add up.”

Next, Pillay cites security risks. “Malware and ransomware are some of the biggest threats that come with Shadow IT. It opens networks to unapproved and uncontrolled access. Then there are the risks associated with unpatched vulnerabilities and errors. Software vendors usually release new patches to resolve vulnerabilities and fix errors found in their products, but when it comes to Shadow IT, administrators don’t have the benefit of applying new patches in a timely manner. Administrators are unable to keep products and devices up to date that they don't know are used in an environment. Compliance issues are another risk factor, as regulatory compliance is critical for many organisations. For regulated businesses, the use of Shadow IT can lead to hefty fines for violating compliance requirements.”

In terms of productivity, Pillay says that although boosting efficiency is one of the reasons why many people start using Shadow IT in the first place, the chances are high that the result will be the opposite. “Further, it cannibalises IT resources, as every new technology needs to be checked and tested by the IT team before being implemented in the corporate infrastructure. It’s a drain on resources, but it is necessary to ensure that new software works correctly and that there are no software and hardware conflicts or serious failures.”


There are also risks in terms of data management, adds Collard. “Try telling your employees what they can and cannot do with their own personal property, and let me know how that goes. In some cases, mobile device management (MDM) can be used to isolate personal and business data on employees’ personal devices, but this is often imperfect or impractical. In these situations, the ability to control applications installed on these machines is extremely limited, which certainly opens organisations up to some risk. This risk is exacerbated when the individual uses third party app stores or has a jailbroken device. This removes a considerable amount of the security available to mobile devices when they are limited to installing apps only from official stores. In addition, when an employee leaves a company, there’s no way to ensure that they aren’t taking your client information with them. If the information is in their personal cloud tools or on their personal devices, it can be challenging to ensure that the pertinent data has been deleted.”

Resource problems

Ryall says Shadow IT can undermine security by not following the right policies, and the same applies to any regulatory requirements. “This has a direct impact on data management, which should be handled and categorised according to the company’s data strategy. In terms of collaboration, there isn’t necessarily a direct risk. If anything, Shadow IT systems can appear because other parts of the IT estate are too rigid or not responding quickly enough to business needs. Instead, the risk to collaboration is, once a workforce has gotten used to a collaborative Shadow IT application, will it be easy to do the same within the company’s security and regulatory frameworks? Resources are tricky. On the one hand, Gartner says companies spend between 30% and 40% of their IT budgets on Shadow IT. But Shadow IT is also a response to constrained IT resources. So it can be both a contributor and reaction to resource problems.”

However, no risk should be ignored or be left unmanaged, says De Bruyn, so understanding that Shadow IT is unavoidable poses the question of what the most effective way of managing it is. “Organisations should focus on areas such as employee education and behaviour-monitoring. It has long been known in the security community that one of the most effective defence mechanisms against security attacks is awareness, training and education. These principles should also be employed to manage the risks Shadow IT presents. It’s also viable for organisations to make use of insider threat detection tools to detect unwanted employee behaviour, whether accidental or malicious. Further to this, organisations should review their access management, data encryption and data loss prevention policies to ensure sensitive information like personal data is sufficiently protected against threats Shadow IT might pose.”

To manage Shadow IT, you have to look at why it exists and how it meets user needs, talk to the users to understand their problems, and check if your IT department has the resources and streamlined processes to deliver on those expectations, adds Ryall. “You should also implement policies to guide the consideration and introduction of new technologies into the business.”

Collard believes Shadow IT is a culture issue. “It highlights that IT (maybe even security teams) are disconnected from the needs of the users. Users often only turn to Shadow IT because they want to be efficient in their jobs and their current tools are too cumbersome or don't allow them to do that. So, rather than blaming users, it should be taken as an opportunity to learn what they need to do their jobs better and facilitate that in a secure manner. Bring the users into the fold and help them make better risk decisions.”

A sign of other problems

So can it be prevented without stifling innovation and creativity? De Bruyn says no. “To think it can be prevented or blocked is a bit naive; it certainly stifles innovation and creativity. It could be seen by many, especially younger employees of the millennial generation, as prohibitive and lead to them seeking employment opportunities where they can express themselves more freely. An organisation’s approach to Shadow IT should not be on how to block or prevent it, but rather, how to safely and securely embrace it to improve existing processes or systems, leverage it for new business opportunities or even for their employees to have a better workplace experience and as a talent retention strategy.”

Ryall agrees that preventing Shadow IT is an unadvisable approach, but has a different take on what it's about. “Many CIOs have started looking at Shadow IT to better understand their users and their needs. Shadow IT is not about innovation or creativity. It’s mainly attractive because it offers quicker ways to get certain things done. Most Shadow IT is aimed at everyday tasks and processes inside a business. If people need it to do their jobs, then it’s likely the business already has an innovation and creativity problem due to lacking resources or short-sighted leadership. Shadow IT is a symptom of other problems. It’s only different because it wasn’t approved and didn’t follow the proper routes to be introduced. That can be fixed with policies, but first, you need to understand that Shadow IT isn’t the problem, but a sign of other problems.”


Ryall says many technology leaders are now looking at Shadow IT instances to see where they can improve their IT delivery. Shadow IT was much more taboo when the cloud wasn’t as widely used, but that has changed and so have attitudes towards Shadow IT. It’s also been a problem longer than we think: many companies fail to unify IT estates after mergers and acquisitions. That also creates a type of Shadow IT, where administrators don’t know of all the systems, and those systems don’t all conform to security and regulatory policies. More positive attitudes towards the cloud have also led to similar feelings about Shadow IT. It’s sometimes easier to bring Shadow IT under the formal control of the company than to reinvent the wheel with a new, yet similar, solution. To do this, though, a company must establish policies on how to introduce new technology. Such policies can govern existing Shadow IT instances and help avoid new ones by formalising their introduction pipeline.

If you can’t beat them, join them, adds Collard. “Here’s why IT departments are fighting an uphill battle: most consumer-grade SaaS products are good. They look nice, work well, and are really easy to use. These are products people want to use.”

Is there an opportunity? Can Shadow IT be embraced and harnessed effectively?

If IT departments truly want to reduce the prevalence of Shadow IT systems, they should consider the user experience when it comes to procurement and maintenance. Organisations need to educate employees on the risks involved with Shadow IT operations. In addition, organisations should, whenever possible, provide devices for employees to work on that do have an MDM component and controls around the installation of unapproved software.

“While this is a hindrance, organisations can reduce the impact by having clear channels to request specific software and a support staff that can help the employees work through limitations they feel they face with the approved software. Perhaps more importantly, they should consider Shadow IT users not as rogues, but as people invested in the organisation, and looking for better and more efficient ways to do their job. Their thoughts and concerns should be listened to, and the appropriate level of risk taken on,” she says.
