Shadow IT

Shadow IT is an IT system (device, application, or software) that was bought or built without approval from the IT department. In some instances, shadow IT is relatively innocuous: for instance, an employee bringing in a USB drive to work from home. Shadow IT is often deployed to increase productivity, solve a workflow issue, or to provide education and training.

The term “shadow IT” may immediately conjure images of hackers using the dark web to steal your identity. And, while shadow IT isn’t quite so nefarious, this type of organizational risk still needs to be taken seriously. 

Shadow IT is a common issue for many businesses. Gartner estimates that an average of 30-40% of purchases in the enterprise involve shadow IT spending. And, by many accounts, shadow IT spending has dramatically increased as a result of the pandemic.

The risks of shadow IT can be mitigated through a three-pronged approach that requires employee training, IT monitoring, and streamlining procurement. While eliminating shadow IT altogether is virtually impossible, there are ways to make sure this hidden threat doesn’t derail your business completely. 

What is shadow IT?

Shadow IT can result from a variety of factors. Some users find it too time-consuming and bureaucratic to get the approvals they need to use a new IT tool or system, so they bypass the process altogether. Other users find it difficult to use sanctioned applications due to system errors, slow connections, or another persistent issue; this poor functionality drives them to find an alternative system to perform their role. It is also likely that a user doesn’t understand the risk involved in using shadow IT, and may not realize they are creating a vulnerability with their actions.

Shadow IT presents a serious security challenge, not to mention an example of maverick spend. According to Forbes Insights, “46% of IT leaders believe that direct purchasing of software-as-a-service, personal and business applications and other unsanctioned software by individuals and business units makes it impossible to protect all their organization’s data, systems, and applications all of the time.”

Shadow IT is bound to happen as an organization grows, brings in new talent, and develops capabilities to stay ahead of the competition. Responding to changing market demands often requires a business to move quickly, but introducing shadow IT at will can expose the company to serious risks.

The risks of shadow IT

Shadow IT introduces a number of risks into an organization that can quickly get out of hand. These risks include:

  • Lack of visibility and control: IT teams who are not aware of every tool or software in use can no longer monitor and manage security effectively. 
  • System inefficiencies: Storing and using data on multiple devices and systems is inefficient and prevents IT teams from optimizing capacity, system architecture, security, and performance.
  • Non-compliance: For organizations that must comply with HIPAA and other regulations, shadow IT creates additional audit points for which proof of compliance must be produced, expanding the scope of every audit.
  • Higher costs: Shadow IT can become integral to running business operations, but the cost incurred to continue using the service has been unvetted and can be too expensive in comparison to other vendors. 
  • Security challenges: Shadow IT tends to be less secure than IT managed and monitored by the organization’s experts. It also opens new attack vectors for hackers to exploit. 
  • Loss of data: Siloed shadow IT can prevent data from being shared transparently across individuals and teams. For instance, data saved in an employee’s personal Dropbox account will be lost if that person leaves the organization. 

There are organizational costs to shadow IT spending, too. When employees use their own preferred tools over those procured by the product team, they create waste. Some shadow IT doesn’t integrate with existing systems, creating workflow issues as well as increasing costs to find a work-around or re-do work. And, shadow IT prevents procurement from taking advantage of volume discounts. 

Unfortunately, 60% of organizations don’t even include shadow IT in their threat assessment. That’s what makes shadow IT so dangerous to organizations: like other types of rogue spend, it can eat the budget without anyone realizing how serious the problem truly is. 

How to rein in shadow IT

To some extent, shadow IT is unpreventable. New tools and software are released to the market all the time, and when most organizations run on more than 100 different applications, it is inevitable that some will be unvetted.

Nevertheless, there are ways to rein in the use of shadow IT. Training employees on the risks of using shadow IT is a good first step. Employees must learn how to spot social engineering and be aware of insider threats, as well as understand how to secure their devices and data.

IT teams can also implement tools to protect against non-sanctioned IT. These tools include network monitoring, cloud services, data loss prevention, and restricted access to insecure third-party applications. A well-developed user identity and access management policy is needed to restrict access to valuable information and systems. 
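As an added illustration of the network-monitoring step (not code from the original post or from Fairmarkit), the script below scans constructed web-proxy records against an assumed inventory of sanctioned applications, flags SaaS hosts that are not on it, and ranks them by bytes uploaded, which is the data-loss signal the personal-Dropbox example points to. The hosts, inventory, catalogue and log lines are all hypothetical.

```python
"""Shadow IT discovery from web-proxy logs (constructed example, not production code)."""

# Constructed sample records: timestamp, user, destination host, bytes uploaded.
SAMPLE_PROXY_LOG = """\
2024-05-01T09:12:03 alice drive.corp.example.com 120394
2024-05-01T09:14:11 bob dropbox.com 4829103
2024-05-01T09:20:45 alice dropbox.com 91
2024-05-01T10:02:17 carol chat.example.net 53211
2024-05-01T10:05:40 bob dropbox.com 2211000
2024-05-01T11:30:02 dave drive.corp.example.com 8810
2024-05-01T11:31:09 dave news.example.org 1200
"""

# Assumed inventory of approved services; in practice this comes from procurement or the CMDB.
SANCTIONED = {"drive.corp.example.com"}

# Hypothetical catalogue of known SaaS hosts and their categories (a CASB feed in real deployments).
SAAS_CATALOG = {"dropbox.com": "file sharing", "chat.example.net": "messaging"}


def parse_line(line):
    """Split one whitespace-separated proxy record into a dict."""
    ts, user, host, nbytes = line.split()
    return {"ts": ts, "user": user, "host": host, "bytes": int(nbytes)}


def find_shadow_it(log_text, sanctioned=SANCTIONED, catalog=SAAS_CATALOG):
    """Return {host: {"category", "users", "bytes"}} for unsanctioned SaaS seen in the log."""
    findings = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        # Skip approved services and hosts that are not known SaaS (ordinary browsing).
        if rec["host"] in sanctioned or rec["host"] not in catalog:
            continue
        entry = findings.setdefault(
            rec["host"], {"category": catalog[rec["host"]], "users": set(), "bytes": 0}
        )
        entry["users"].add(rec["user"])
        entry["bytes"] += rec["bytes"]
    return findings


def rank_by_upload(findings, min_bytes=1_000_000):
    """Unsanctioned hosts that received at least min_bytes, largest upload first."""
    heavy = [h for h, f in findings.items() if f["bytes"] >= min_bytes]
    return sorted(heavy, key=lambda h: -findings[h]["bytes"])
```

The ranked list is a starting point for the procurement conversation, not a block list: a service that many users already depend on is a candidate for sanctioning as much as for removal.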

And, procurement teams can make it easier for users to procure sanctioned IT as needed. Create a smoothly running P2P system to discourage users from bringing their own IT to work. A tool like Fairmarkit automates laborious, repetitive tasks to streamline the process required to make a purchase. 

For more advice on managing hidden threats and maverick spend, check out Fairmarkit’s blog, The Source.