Shadow IT is an IT system (device, application, or software) that was bought or built without approval from the IT department. In some instances, shadow IT is relatively innocuous: for instance, an employee bringing in a USB drive to work from home. Shadow IT is often deployed to increase productivity, solve a workflow issue, or to provide education and training.
The term “shadow IT” may immediately conjure images of hackers using the dark web to steal your identity. And, while shadow IT isn’t quite so nefarious, this type of organizational risk still needs to be taken seriously.
Shadow IT is a common issue for many businesses. Gartner estimates that an average of 30-40% of purchases in the enterprise involve shadow IT spending. And, by many accounts, shadow IT spending has dramatically increased as a result of the pandemic.
The risks of shadow IT can be mitigated through a three-pronged approach that requires employee training, IT monitoring, and streamlining procurement. While eliminating shadow IT altogether is virtually impossible, there are ways to make sure this hidden threat doesn’t derail your business completely.
Shadow IT can result from a variety of factors. Some users find it too time-consuming and bureaucratic to get the approvals they need to use a new IT tool or system, bypassing the process altogether. Other users find it difficult to use sanctioned applications due to system errors, slow connection, or another persistent issue. This poor functionality causes someone to find an alternative system to perform their role. It’s also likely that a user doesn’t understand the risk involved with using shadow IT, and may not realize they’re creating a vulnerability with their actions.
Shadow IT presents a serious security challenge, not to mention an example of maverick spend. According to Forbes Insights, “46% of IT leaders believe that direct purchasing of software-as-a-service, personal and business applications and other unsanctioned software by individuals and business units makes it impossible to protect all their organization’s data, systems, and applications all of the time.”
Shadow IT is bound to happen as an organization grows, brings in new talent, and develops capabilities to stay ahead of the competition. Responding to changing market demands often requires a business to move quickly, but introducing shadow IT at will can expose the company to serious risks.
Shadow IT introduces a number of risks into an organization that can quickly get out of hand. These risks include:
There are organizational costs to shadow IT spending, too. When employees use their own preferred tools over those procured by the product team, they create waste. Some shadow IT doesn’t integrate with existing systems, creating workflow issues as well as increasing costs to find a work-around or re-do work. And, shadow IT prevents procurement from taking advantage of volume discounts.
Unfortunately, 60% of organizations don’t even include shadow IT in their threat assessment. That’s what makes shadow IT so dangerous to organizations: like other types of rogue spend, it can eat the budget without anyone realizing how serious the problem truly is.
To some extent, shadow IT is unpreventable. New tools and software are released to the market all the time; and when most organizations run on more than 100 different applications, it’s inevitable that some will be unvetted.
Nevertheless, there are ways to rein in the use of shadow IT. Training employees on the risks of using shadow IT is a good first step. Employees must learn how to spot social engineering and be aware of insider threats, as well as understand how to secure their devices and data.
IT teams can also implement tools to protect against non-sanctioned IT. These tools include network monitoring, cloud services, data loss prevention, and restricted access to insecure third-party applications. A well-developed user identity and access management policy is needed to restrict access to valuable information and systems.
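As an added illustration of the network-monitoring piece (example code written for this article, not a Fairmarkit tool), the script below reads a hypothetical web-proxy log, compares each destination against a constructed allowlist of sanctioned applications, and ranks the unsanctioned hosts by how many distinct users reach them and how much data they upload. The log format, hostnames and allowlist are all assumptions for the example.

```python
"""Surface unsanctioned SaaS usage from web-proxy logs (hypothetical format)."""
from collections import defaultdict
import re

# Sanctioned applications as IT/procurement would maintain them.
# Constructed list; a real allowlist comes from the organization's catalogue.
SANCTIONED = {
    "mail.example-corp.com",
    "crm.sanctioned-vendor.com",
    "docs.sanctioned-vendor.com",
}

# Constructed sample proxy lines: "<timestamp> <user> <method> <host> <bytes_out>".
SAMPLE_LOG = """\
2024-03-01T09:01:12Z alice GET mail.example-corp.com 512
2024-03-01T09:02:40Z alice POST files.unvetted-share.io 1048576
2024-03-01T09:05:03Z bob POST files.unvetted-share.io 2097152
2024-03-01T09:07:19Z carol GET crm.sanctioned-vendor.com 2048
2024-03-01T09:09:55Z carol POST notes.random-saas.app 65536
2024-03-01T09:11:02Z bob GET docs.sanctioned-vendor.com 4096
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT) (\S+) (\d+)$")


def find_shadow_it(log_text, sanctioned=SANCTIONED):
    """Return {host: {"users": set, "bytes_out": int}} for hosts not on the allowlist."""
    findings = defaultdict(lambda: {"users": set(), "bytes_out": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip it rather than abort the whole report
        _ts, user, _method, host, nbytes = m.groups()
        if host in sanctioned:
            continue
        findings[host]["users"].add(user)
        findings[host]["bytes_out"] += int(nbytes)
    return dict(findings)


def rank_findings(findings):
    """Order by distinct users (breadth of adoption), then by bytes uploaded."""
    return sorted(findings.items(),
                  key=lambda kv: (len(kv[1]["users"]), kv[1]["bytes_out"]),
                  reverse=True)


if __name__ == "__main__":
    for host, info in rank_findings(find_shadow_it(SAMPLE_LOG)):
        print(f"{host}: {len(info['users'])} user(s), {info['bytes_out']} bytes uploaded")
```

A host that many users reach, or that receives large uploads, is a candidate either for onboarding through procurement or for a DLP rule, which is the triage decision the monitoring is meant to support.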
And, procurement teams can make it easier for users to procure sanctioned IT as needed. Create a smoothly running P2P system to discourage users from bringing their own IT to work. A tool like Fairmarkit automates laborious, repetitive tasks to streamline the process required to make a purchase.
For more advice on managing hidden threats and maverick spend, check out Fairmarkit’s blog, The Source.