How many times have you used Google Drive to share work documents quickly? How about WeTransfer? Or have you ever sent work documents to your personal e-mail to catch up on work at home? All of that (unless you’re authorized by your organization to use these services) is known as Shadow IT.
What is Shadow IT?
Shadow IT refers to IT systems or projects that are managed by someone other than the organization’s IT department. In many cases, the IT department doesn’t even know about employees using these systems.
Of course, it’s risky to use unvetted software as this can lead to data leaks and open a path to a hacker. It can be a potential personal data issue. It can also simply be against company policy or in violation of licensing agreements for certain applications. Nonetheless, studies have shown that an average company has over 20 times more applications running than IT departments are aware of.
The main risks of Shadow IT
Cybersecurity and back-up
Covid-19-induced acceleration of remote work has led to employees being somewhat lax about cybersecurity. Shadow IT might make business operations easier – and many companies certainly have been needing that in the last few months – but from the cybersecurity point of view, it also brings about more risks.
If your IT team doesn’t know about an app or a cloud system that you’re using in your work, they can’t be responsible for any consequences of such usage. This includes those impacting the infrastructure of the entire organization. The responsibility falls on you to ensure the security of your company’s data whilst using the Shadow IT app. Otherwise, your entire organization is at risk.
It’s also easy to lose your data if your Shadow IT systems don’t back stuff up. If they’re your only method of storage and something goes wrong, you could potentially lose all your valuable data.
Compliance
If you work in government, healthcare, banking, or another heavily regulated business, the chances are that you have local normative acts regulating your IT usage. It’s likely that your internal systems wouldn’t even allow you to access certain websites or apps.
If you do manage to access an unauthorized third-party service and, for example, share some personal data of your customers or employees with it, you could be in breach of the GDPR, the CCPA, or another piece of personal data regulation. If you don’t log data processing operations done by Shadow IT, that could be contrary to your internal compliance regulations.
Hidden Costs
Information on costs isn’t always shared between departments. For instance, if the accounts department processes an invoice initiated by sales on third-party cloud software, it’s unlikely to tell IT about it. This results in unexpected IT expenses that can easily add up over time with license fees, additional phones outside the budget, additional laptops not in line with corporate policies, etc.
What are the benefits of Shadow IT?
It’s clear that employees want more flexible tools for work. With the emergence of remote work, answering e-mails on mobile and the like is no surprise. Whilst this poses some issues for work-life balance, it is our reality. It’s not all problematic, however.
Innovation
Not every company is ready to embrace new technologies right away. However, Shadow IT is already doing it, making the lives of employees and management easier. If an application hasn’t been approved by IT but is nonetheless working well, making things easier for the business and even increasing revenue and KPIs, it can only be a good thing. That’s where the age-old question of risk vs. reward comes in: the ever-so-prevalent balance between risk-averse departments like legal, IT, and finance and the trailblazers of sales and marketing. With certain exceptions, of course.
Engagement and initiative
When an employee finds a solution based on their own initiative, it’s a motivating factor. If, however, they’re stuck using the same tools over and over again, they’re gonna fall behind because it would mean that the company isn’t introducing many innovations. For instance, if a lawyer always has to juggle paper contracts instead of using DocuSign, they’ll get bogged down, and the business will slow down because wet signatures take time. That’s demotivating, especially during a global pandemic.
Generally, the concept of Shadow IT isn’t going anywhere. All IT departments can do is listen to what the employees have to say and manage the emerging threats to the best of their ability. You can watch a visual explanation of the Shadow IT concept by a McAfee expert below.
YouTube: Shadow IT 101
Photo credit: The feature image used has been taken by 卡晨.
Sources: Cisco blog / Evan Klein (ITProPortal) / Dan Lohrmann (GovTech) / ServerCentral White Paper