The term shadow IT has been hailed as an efficient approach to cloud-based productivity and criticized as the number one security threat facing modern businesses. But what does it mean specifically?
Implementing shadow IT
At its simplest, shadow IT refers to using IT systems, devices, software, and services without IT oversight, often contrary to official IT policy. At its most complex, shadow IT is the collection of informal policies, practices, and workarounds that an office culture uses to get past the IT department.
How shadow IT works
In a best-case scenario, shadow IT practices can make employees more productive, allowing them to keep working while cutting out non-essential intermediaries. They can avoid complicated security and approval procedures, such as sitting down and filling out forms explaining why something is needed, and just do it. It is reminiscent of the better part of the startup mentality and the kind of unregulated environment that has produced many of the great triumphs of our time.
However, most companies, even medium-sized companies, seek to eliminate these unregulated practices for very specific reasons. Bypassing a policy always carries some risk, unless the policy is actually not fit for purpose.
Now, if shadow IT practices are good for business, then it could be argued that companies need to completely rewrite their official IT policies. Similarly, if your shadow IT practices actually cause more problems than they solve, your IT policies are probably sound. The difficulty is in the gray area, as it always is. Most of the time, things aren't black and white; it's a battle of perspectives.
What is the purpose of shadow IT and is it bad for business?
The goal of shadow IT is to cut corners. Most employees who admit to using shadow IT say they use it to be more efficient at work. RSA research found that even 11 years ago, more than 1 in 3 employees thought their company's security policies needed to be addressed in order for them to fulfill their expected role.
Perhaps the approved, safe and secure file-sharing app performs poorly compared to the latest, greatest, and most questionable file-sharing apps. Some employees will start using a new app. If it causes an immediate problem, IT usually steps in to stop it. If the new app works really well, it could slowly become the system everyone uses, despite the policies. At that point it has become part of the organization's shadow IT.
If the majority of a department's employees are young, highly intelligent, highly motivated, and/or foolishly confident in their talents, the idea that the rules are for others is likely to become part of the culture.
Could this kind of culture be bad for your business? Absolutely. Suppose that file-sharing app has a subtle flaw. It's not a trojan for hackers or anything like that, but it does store traffic logs somewhere in the cloud on its own server.
Perhaps that server is not secure enough. Perhaps anyone who really wants access can get at all the information that your most tech-savvy employees send each other. Suppose they can use it to hack your systems or sabotage the business in some way.
Maybe it was the right choice for IT to stick with boring, outdated, and secure file-sharing apps.
Explore the benefits of Shadow IT
On the other hand, sometimes you can get away with it. In some cases, an employee needs a new solution to a problem immediately and can't wait two weeks for IT to determine whether it's as secure as the provider claims. In some cases, the cowboy approach can get a prototype service up and running in days and generate significant sales. All the care and diligence can be done later, before going into production.
Sometimes IT departments really need to step back and allow a little sloppiness in non-critical areas. Even the best managers know when to turn a blind eye to policies that are being circumvented.
The risks of using shadow IT in the workplace
Simply put, rules exist for a reason. Cutting corners puts the company at risk. It may be a small risk that is easy to clean up after. Or it may be a risk that is very unlikely to materialize but that would destroy everything. If that happens, all anyone will want to know is why we didn't put in place the policies that could have prevented the disaster.
Most companies don't want employees to decide for themselves which risks are serious and which are minor. That is why IT policy was devised in the first place: it allows you to avoid risks.
How to mitigate the risks associated with shadow IT
The best way to maximize the benefits of shadow IT without exposing your company to the worst possible risks is to make sure your IT department is light-handed. Not a velvet glove hiding an iron fist, but an actual light hand. If IT people aren't seen as the fun police, they're more likely to be included in what employees actually do.
Summary
Shadow IT isn't all bad. It's most dangerous when employees keep it a secret from their IT department. If the employees who were hired because they can spot dangerous IT risks far more reliably than anyone else in the office can see what's really going on, they are much more likely to be able to do what they do best: shut down the really bad systems, while the corners that are actually harmless continue to be cut.