Finding Your Shadow: Can Shadow IT Be Controlled?

Instead of reprimanding staff for using unmanaged software, IT leaders should enact a constructive approach to shadow IT that learns why users need these tools.

Kashif Nazir, Technical Manager, Cloudhouse

December 12, 2024


The notion of shadow IT as risky business can be instilled in IT strategy. Shadow IT emerges when departments or employees use software, hardware or applications without the knowledge or oversight of the IT department. By adopting this tech, these departments or individuals become dependent on such tools, unbeknownst to the IT team. 

Shadow IT has been around for a long time but has become increasingly common with the rise in consumer knowledge of tech and the number of cloud services -- and now generative AI tools -- available. On top of this, vendors have made it easier for users to gain access to their services by purposely subverting IT teams. In the past, for example, employees always required an admin to install an application. However, vendors have streamlined this process by installing applications into user-controlled areas.

Just as plants and trees can grow wildly without proper management, unauthorized IT systems can proliferate, creating a tangled mess that’s hard to control. Gartner has predicted that by 2027, three quarters of employees “will acquire, modify or create technology outside IT’s visibility -- up from 41% in 2022.”

So, how do you approach the seemingly impossible task of maintaining unmanaged assets and resources without disrupting the whole business ecosystem?  


The Risks of Shadow IT  

The main danger of shadow IT is that it is an unmanaged risk -- and IT can’t mitigate threats they don’t know about. 

Unmanaged personal devices like smartphones, laptops and wearables, which employees use on the enterprise network but which fall outside of a company’s bring your own device (BYOD) policy, are common instances of shadow IT. These can make the network vulnerable to potential breaches, such as bad actors spreading malware or ransomware.

More covertly, these security gaps can extend to ‘out-of-sight’ cloud services. For example, sensitive business data may be stored on personal cloud accounts without the necessary encryption or multi-factor authentication that might be used on managed servers. This means the business is vulnerable to data breaches and cyberattacks, creating critical risks that IT aren’t even aware of. 

Any unauthorized third-party software in use may also breach company data protection standards and quality assurance. Users without the necessary skill and training won’t be able to effectively configure and secure such tools.  

Operationally, shadow IT creates lots of data silos and restricts data sharing. As IT doesn’t have a bird’s eye view of operations, they can’t control or secure these systems, spot inconsistencies, and effectively manage overall resources and costs.  


The Benefits of Securing Your Shadow  

Shadow IT usually emerges from users not being able to get the services or functionality they need through managed assets and resources. They might not have enough cloud storage space and so use a personal account or use external third-party software as the ‘approved’ software doesn’t give them the capabilities they require. 

Therefore, despite the embedded risks of shadow IT, companies shouldn’t look to eradicate these applications. Instead, IT can either offer efficient ways of transferring data onto secure systems or transfer applications onto managed servers without changing the applications themselves, akin to pulling the rug from under your feet. 

Through this method, they can deliver faster tech, more efficiency and better security while requiring less staff training and lowering costs. Crucially, this transition brings very little operational disruption.

Managing Your Shadow  

Securing your shadow is just the start -- managing it is an ongoing activity. 

Creating an open dialogue with employees that encourages them to report any unmanaged applications gives IT visibility. Establishing robust BYOD policies is another way to keep on top of your shadow.  


It’s also worth IT interrogating training processes and knowledge sources. How aware are staff of the risks of shadow IT? Where do employees go to remedy tech issues? Often search engines are the first port of call, with Large Language Models becoming increasingly popular. And it’s not just about reporting devices and training, but ensuring there is a regular flow of feedback from staff about any issues they are having with current systems or extra functionalities they might need.  

Instead of reprimanding staff for using unmanaged software, companies should enact an open and constructive approach to shadow IT, one that learns from why users have needed to use such tools. That way, IT can manage standards and improve operations -- and that leaves less chance of the shadow growing uncontrolled.  

Controlling Your Shadow  

When companies begin to migrate their technology, they can discover they have a large amount of shadow IT that stretches way beyond what is visible and managed. These applications are connected under the surface and are business critical. If you remove the roots, the tree can no longer survive. And if you remove a tree, you impact the whole forest. At the same time, from data breaches to lack of visibility, the risks of shadow IT are aplenty.

Faced with this dilemma, companies need to prioritize a strategy that enables these applications to run on managed servers, creating secure environments with little operational disruption. With a positive approach to shadow IT, risks can be controlled and innovation promoted and encouraged.  

About the Author

Kashif Nazir

Technical Manager, Cloudhouse

Kashif Nazir is an experienced Technical Manager with over four years in cloud migration and IT management. He excels in analyzing customer workloads and implementing migration solutions across AWS, GCP, Azure and on-prem. Kashif has developed best practices for migrations and created an extensive knowledge base to support his team. 

In his current role at Cloudhouse, Kashif assesses client needs, creates bespoke solutions, and provides presale technical consulting. He is a key point of contact for escalations and excels in understanding a wide range of technologies to meet diverse customer needs.  
