What Is Shadow IT? (Definition, Risks, Solutions)
Are you waiting for IT support? Still waiting? Tempted to find your own solution? We understand, but please don't take matters into your own hands.
We understand that it can be frustrating to wait for IT service.
We know all you want is for your IT equipment to work as you expect. We know you are in a hurry and just want a fast fix for your issue. We know you need your device to get your work done. We also know it can be tempting to go out, buy a printer or other device, and plug it into the network. Again, please don't do it!
As manager of information security and compliance at Kelser, an IT service provider, I'll explain the practice of using unauthorized IT equipment and software, known as "shadow IT," explore why people resort to it, define the associated risks, and offer some practical solutions to keep it from taking hold at your business.
What Is Shadow IT?
Shadow IT refers to IT solutions that are implemented without the knowledge and support of an organization's official IT department or provider.
Shadow IT can be anything from a cloud app or a piece of software to a physical device such as a printer or an external hard drive. What makes it "shadow" (or potentially "shady") is that it operates without the knowledge of the official IT organization, and therefore outside its monitoring, patching, and controls.
Why Do People Resort To Shadow IT?
In most cases, shadow IT is innocent and grows out of frustration. Users find the internal IT support organization unresponsive, ineffective, or slow, so they take it upon themselves to solve their own problems. These user solutions may be faster, but they can also unwittingly open a Pandora's box of security issues.
What Are The Risks Of Shadow IT?
There are many risks of shadow IT. Here are three:
1. Updates and Patches
Because shadow IT operates outside the normal IT support structure, its updates and patches are not installed automatically; keeping the equipment current is left to whoever bought it. Since updates and patches are often released to fix known vulnerabilities, a single unpatched device could leave your entire network exposed.
2. Security
Shadow IT sits outside the protective umbrella that surrounds "official" IT solutions. It's often said that "you can't protect what you can't see" (or what you don't know you have), so whether the user realizes it or not, their quick-fix solution could open a hole in your security framework that gives an attacker a way in.
Your most critical or proprietary data could be at risk too. If someone copies files to an external hard drive that isn't authorized and controlled, you can lose control of that data: it leaves with the drive, outside any backup, encryption, or access controls that IT manages.
3. Compliance
Depending on the solution, shadow IT could put you out of compliance with contractual requirements.
For example, some government contracts prohibit the use of devices from certain suppliers or countries. If someone is using an unauthorized device on your network, compliance with your contract may be in jeopardy.
Additionally, most compliance frameworks require you to maintain accurate hardware and software inventories. Shadow IT is, by definition, missing from that inventory, so it keeps you from knowing what is actually in use in your operational environment, which in turn undermines your ability to secure that environment effectively.
How to Find Shadow IT
One way to find shadow IT is to monitor your organization's network traffic. Look at DNS queries, web proxy or firewall logs, and DHCP leases: if you see devices you don't recognize, or traffic going to unknown or unsanctioned destinations, that could indicate an issue.
Another option could be to send out a survey and find out how people access data, what devices they use, and what apps they use to get their jobs done. Are there apps that are currently used without the support of your IT organization that could be standardized and added to your offerings or do you already offer a similar product? Communicate the options.
Finally, especially for smaller companies, simply walking around and looking at your IT equipment can help. People who implement shadow IT generally don’t make efforts to hide what they’re doing, so it can sometimes be relatively easy to spot non-standard hardware or network cabling that looks like it was connected haphazardly.
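As an added example (not code from the article or from Kelser), the following Python script combines two of the detection ideas above: it compares DHCP leases against an approved asset inventory to find devices IT doesn't know about, and it scans proxy logs for destinations that aren't on the sanctioned list, then correlates the two so that an unknown device talking to an unsanctioned service rises to the top. The lease blocks follow the ISC dhcpd `dhcpd.leases` style, the proxy log format and every host, MAC, IP and domain are constructed for the example, and the inventory and sanctioned-domain lists are assumptions you would replace with your own.

```python
"""Flag likely shadow IT from two signals: DHCP leases that are not in the
approved asset inventory, and proxy traffic to unsanctioned destinations."""
import re
from collections import defaultdict

# Constructed sample data (hypothetical MACs, hosts and domains).
APPROVED_INVENTORY = {
    "aa:bb:cc:00:00:01": "LAPTOP-ALICE",
    "aa:bb:cc:00:00:02": "LAPTOP-BOB",
    "aa:bb:cc:00:00:03": "PRINT-OFFICE-1",
}

SANCTIONED_DOMAINS = {"mail.example.com", "files.example.com", "crm.example.com"}

# ISC dhcpd style lease blocks (constructed; one lease has no hostname).
DHCP_LEASES = """\
lease 10.0.1.21 {
  hardware ethernet aa:bb:cc:00:00:01;
  client-hostname "LAPTOP-ALICE";
}
lease 10.0.1.22 {
  hardware ethernet aa:bb:cc:00:00:02;
  client-hostname "LAPTOP-BOB";
}
lease 10.0.1.57 {
  hardware ethernet de:ad:be:ef:12:34;
  client-hostname "HP-DeskJet";
}
lease 10.0.1.58 {
  hardware ethernet de:ad:be:ef:56:78;
}
"""

# Constructed proxy log: timestamp, source IP, method, destination:port, status.
PROXY_LOG = """\
2024-03-01T09:01:02Z 10.0.1.21 CONNECT mail.example.com:443 200
2024-03-01T09:01:15Z 10.0.1.22 CONNECT files.example.com:443 200
2024-03-01T09:02:40Z 10.0.1.22 CONNECT personal-cloud.example.net:443 200
2024-03-01T09:03:05Z 10.0.1.57 CONNECT cloud-print.example.org:443 200
2024-03-01T09:03:07Z 10.0.1.57 CONNECT cloud-print.example.org:443 200
"""

LEASE_RE = re.compile(r"lease\s+(?P<ip>[\d.]+)\s*\{(?P<body>.*?)\}", re.DOTALL)
MAC_RE = re.compile(r"hardware ethernet\s+(?P<mac>[0-9a-f:]{17});", re.I)
HOST_RE = re.compile(r'client-hostname\s+"(?P<host>[^"]*)"')


def parse_leases(text):
    """Yield (ip, mac, hostname) for each lease block; hostname may be ''."""
    for m in LEASE_RE.finditer(text):
        body = m.group("body")
        mac = MAC_RE.search(body)
        host = HOST_RE.search(body)
        yield (m.group("ip"),
               mac.group("mac").lower() if mac else None,
               host.group("host") if host else "")


def unknown_devices(lease_text, inventory):
    """Leases whose MAC address is absent from the approved inventory."""
    return [(ip, mac, host) for ip, mac, host in parse_leases(lease_text)
            if mac not in inventory]


def unsanctioned_destinations(log_text, sanctioned):
    """Map each destination host not on the sanctioned list to the set of
    internal source IPs that connected to it."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or malformed lines
        src, dest = parts[1], parts[3]
        host = dest.rsplit(":", 1)[0]  # strip the port
        if host not in sanctioned:
            hits[host].add(src)
    return dict(hits)


def correlate(lease_text, inventory, log_text, sanctioned):
    """Unknown devices that also reach unsanctioned destinations: the
    strongest signal that something was plugged in without IT's knowledge."""
    unknown_ips = {ip for ip, _, _ in unknown_devices(lease_text, inventory)}
    dest_by_src = defaultdict(set)
    for host, srcs in unsanctioned_destinations(log_text, sanctioned).items():
        for src in srcs:
            if src in unknown_ips:
                dest_by_src[src].add(host)
    return {src: sorted(hosts) for src, hosts in dest_by_src.items()}


if __name__ == "__main__":
    for ip, mac, host in unknown_devices(DHCP_LEASES, APPROVED_INVENTORY):
        print(f"unknown device {ip} {mac} {host or '(no hostname)'}")
    for host, srcs in unsanctioned_destinations(PROXY_LOG, SANCTIONED_DOMAINS).items():
        print(f"unsanctioned destination {host} from {sorted(srcs)}")
    print("correlated:", correlate(DHCP_LEASES, APPROVED_INVENTORY,
                                   PROXY_LOG, SANCTIONED_DOMAINS))
```

Run against real data, the MAC-based comparison only catches devices that obtain a DHCP lease; a statically addressed device shows up only in the traffic side, which is why both checks are worth keeping. The sanctioned-domain list is deliberately strict: anything not on it is reported, and you then decide per destination whether to sanction it, block it, or go find the device.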
What To Do About Shadow IT
The best way to prevent and mitigate damage from shadow IT is to develop specific policies and communicate expectations. Most instances of shadow IT aren’t done with malicious intent but instead with efficiency in mind. People need a solution and they decide to get creative.
In your policies, explain both the expectations and the reasons behind them. Hold lunchtime meetings to engage employees in conversation about which apps they use and why even a simple solution implemented outside the IT organization poses risks.
Shadow IT is a problem for organizations of all sizes and the only way to change the narrative is through a well-documented and rigorous change management process that includes parameters, explanations, and oversight.
Where Do You Go From Here?
Now you know what shadow IT is and some of the risks associated with it (updates and patches, security, and compliance). You also have a few ideas of how to identify it (monitoring network traffic, surveying users, and walking the floor).
We’ve explored the benefits of implementing specific policies and communicating expectations.
The next step is to figure out your strategy.
- How will your organization go about identifying shadow IT?
- Once identified, what solutions will you put in place to provide the services your users need while eliminating their reliance on shadow IT?
- What are your expectations of employees regarding shadow IT?
- How will you communicate employee expectations?
- What policies will you put in place to limit your organization’s exposure to shadow IT?
- How will you communicate those policies?
- Should shadow IT education be incorporated into your onboarding process or your cybersecurity awareness training?
- How else can you educate employees about the risks of shadow IT?
Every organization may have different risks and opportunities. The important thing is to be aware of the possibility that shadow IT exists within your organization and to be on the lookout for the signs so that you can respond quickly and effectively.
You may have the IT resources you need in-house to identify and mitigate shadow IT. If not, you might need help from an outside IT provider.
As an IT provider, Kelser Corporation helps organizations like yours ensure that their IT infrastructure is safe, available, and efficient. We provide managed IT services and project work to support all of the IT needs of our customers.
We may not be the right fit for your organization, but whether you work with us, another provider, or can handle things yourself, we believe we should provide the information you need to keep your organization safe and operating at peak efficiency.
Heard that managed IT is expensive? Find out the real story in this article: How Much Does Managed IT Cost? What’s Usually Included?