Of all the issues today's business leaders grapple with, there's one that tends to sit at the back of the room, quiet and unnoticed but carrying a ton of risk: the unauthorized use of apps and devices by employees, otherwise known as "Shadow IT".
You may have an IT policy telling employees not to download applications or software, but that policy typically goes in one ear and right out the other. Maybe they want to boost their productivity, or they prefer to work with an app they already know. So, they get a tool or service that meets their needs without telling anybody.
The employee may have the best of intentions: They want to work better and/or be more productive. They don’t see the harm in adding that app to their computer. Or they don’t think it’s a big deal to use their own device to complete their work. Maybe they want to be efficient, so they use a personal email account to conduct your business.
All of these are examples of Shadow IT, and it's extremely common. In a 2013 Frost & Sullivan survey, 80% of employees admitted to using non-approved software, and 83% of IT workers themselves admitted to using non-vetted SaaS (Software as a Service) applications. Essentially, everyone's doing it, so what's the big deal?
The dangers of Shadow IT
First off, if your business is in a regulated industry, Shadow IT can easily make you non-compliant. For example, sending business data from a personal email account puts that data outside the controls your regulator expects you to have, which is a serious problem in healthcare and in finance, banking and accounting.
It also undermines audit accountability and legal discovery. Say your company becomes party to a lawsuit. As part of the case you need to produce email communications from the past year, and so does the other side. If your employees have been sending emails on behalf of your company from personal accounts, those messages won't appear in your archive, denying your legal team valuable evidence and leaving you unable to produce records you are asked for.
It can also drive up IT costs. Some apps conflict with other software installed on the same system. If an unapproved app is installed on a workstation and that workstation starts having problems, troubleshooting can take twice as long because the support team is dealing with an unknown that isn't part of the supported baseline.
Shadow IT also makes it harder to manage vulnerabilities and security issues. Unapproved apps and devices sit outside your patching, endpoint protection and monitoring, so their vulnerabilities go unpatched and a compromise can go unnoticed. An employee using a third-party app or an unmanaged device can inadvertently give an attacker a foothold on your network, raising your exposure to a data breach or ransomware attack.
How to deal with Shadow IT
It can be challenging to put a box around Shadow IT, especially in a larger company. There is, however, a process that helps you deal with it and, to a great extent, neutralize it.
The first step is finding out what technology is actually in use, both in the office and off-site. This is somewhat more challenging now that people are working from home due to COVID-19. A competent IT provider can produce installed-software lists for the systems it manages, but for devices the provider doesn't control, it is just as in the dark as you are. A survey of employees and all the devices they use helps fill in those unknowns.
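As an added example (not from the article, and not code from the organization it describes), here is a small Python script that reconciles the two discovery sources just mentioned against an approved-software catalog: a CSV installed-software export of the kind a managed-service provider can pull from workstations, and free-form employee survey answers covering the devices the provider does not manage. Every host, product, publisher and survey answer below is constructed for illustration, and the catalog format is an assumption. It flags products that are not in the catalog, products whose name matches but whose publisher does not (which is how a repackaged installer from a download site shows up), and personal devices used for work, then groups the findings by product so the assessment step can see which unapproved tools are widespread.

```python
import csv
import io
from dataclasses import dataclass

# Constructed, hypothetical approved-software catalog: normalized product
# name -> the publishers we expect for it. A product whose name matches but
# whose publisher does not is flagged too, since that is how repackaged or
# trojaned installers from download sites tend to appear in an inventory.
APPROVED = {
    "microsoft office": {"Microsoft Corporation"},
    "google chrome": {"Google LLC"},
    "7-zip": {"Igor Pavlov"},
    "slack": {"Slack Technologies"},
}

# Constructed sample: installed-software export from managed workstations,
# in the CSV shape an IT provider's management tool might give you.
MANAGED_INVENTORY = """host,name,publisher,version
WS-101,Microsoft Office,Microsoft Corporation,16.0
WS-101,Google Chrome,Google LLC,120.0
WS-101,Dropbox,Dropbox Inc.,189.4
WS-102,7-Zip,Igor Pavlov,23.01
WS-102,AnyDesk,philandro Software GmbH,8.0
WS-103,7-Zip,FreeDownloadsPortal,9.20
WS-103,Slack,Slack Technologies,4.35
"""

# Constructed sample: employee survey answers covering devices the provider
# does not manage. Tools are listed free-form, separated by semicolons.
SURVEY = [
    {"employee": "alice", "device": "personal laptop",
     "tools": "Google Chrome; Dropbox; Trello"},
    {"employee": "bob", "device": "WS-103", "tools": "Slack; Notion"},
]


@dataclass(frozen=True)
class Finding:
    source: str   # "managed" export or employee "survey"
    where: str    # host name, or employee@device for survey answers
    product: str
    reason: str


def normalize(name):
    """Case- and whitespace-insensitive key so 'Google  chrome' matches."""
    return " ".join(name.lower().split())


def check(product, publisher=None):
    """Return None if the product is approved, otherwise the reason it is not."""
    key = normalize(product)
    if key not in APPROVED:
        return "not in approved catalog"
    if publisher is not None and publisher not in APPROVED[key]:
        return f"unexpected publisher {publisher!r}"
    return None


def audit_managed(csv_text):
    """Flag unapproved or mis-published software in a managed-host export."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reason = check(row["name"], row["publisher"])
        if reason:
            findings.append(Finding("managed", row["host"], row["name"], reason))
    return findings


def audit_survey(responses):
    """Flag unmanaged personal devices and unapproved tools from survey answers."""
    findings = []
    for r in responses:
        where = f"{r['employee']}@{r['device']}"
        if "personal" in r["device"].lower():
            findings.append(Finding("survey", where, "(device)",
                                    "unmanaged personal device used for work"))
        for tool in (t.strip() for t in r["tools"].split(";") if t.strip()):
            reason = check(tool)
            if reason:
                findings.append(Finding("survey", where, tool, reason))
    return findings


def prevalence(findings):
    """Group findings by product so the assessment step can see which
    unapproved tools are widespread and therefore worth supplying officially."""
    by_product = {}
    for f in findings:
        by_product.setdefault(normalize(f.product), []).append(f.where)
    return by_product


if __name__ == "__main__":
    all_findings = audit_managed(MANAGED_INVENTORY) + audit_survey(SURVEY)
    for f in all_findings:
        print(f"[{f.source}] {f.where}: {f.product} - {f.reason}")
    for product, places in prevalence(all_findings).items():
        print(f"{product}: seen {len(places)} time(s) in {places}")
```

The grouping at the end is what feeds the assessment step: a tool that turns up on several managed hosts and in several survey answers usually points to a real gap in what you provide, which is the case for supplying an approved equivalent rather than simply uninstalling it. The publisher check is the one security-specific wrinkle: a "7-Zip" from an unknown publisher is not the same software as the one you approved, even though the name matches.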
Any survey or fact-finding should be done with a light touch. Employees often get defensive if they think you're trying to get them fired or in trouble. A friendly "hey, we'd like to know how you stay so efficient" approach, rather than "we need to know if you're using any unapproved software or devices", makes employees far more willing to tell you what they use, even when it isn't approved.
The next step is not to panic when you discover unapproved tools or devices. Instead, take advantage of the situation by looking closer and finding out more. Why is this app or tool being used? Why is the employee using a personal laptop for business? In almost every case there's a reason employees do what they do, so find out why and learn what steps you can take to improve their working lives as well as everyone else's.
That said, security must be looked at too. An unapproved app or unknown device on the network can open holes in your company's defenses. Do due diligence on the tool or device in question as well as on your network to determine what security risks it introduces and whether any of them have already been exploited.
Take your time during the assessment phase and learn as much as you can, not only about the tools and devices you find but about the problems employees are using them to solve. You'll often find more than one way to help your organization improve.
Once you've completed the assessment step, it's time to switch gears into delivery. Chances are you've found at least one or two things you can do to improve workflow or productivity. Now's the time to deliver those things in an official way to those who need them. For example, last year we worked with an organization and discovered their employees were using their own personal laptops for work purposes. After assessing the situation, we discovered the reason was that the org had purchased cheap laptops for the employees to work from home on, and these supplied laptops were not suitable for the job. Once the organization delivered more suitable laptops, employees were happy to keep their personal devices shut down while working.
Assessment and delivery are how you take a potentially bad situation and turn it into one that works for you.
Finally, educate employees about acceptable use guidelines. Make sure your workers know your policies on things like the use of personal devices or email accounts for work, which software is and isn't approved and, most importantly, what steps to take if they believe a particular tool, device or piece of software would be valuable to them and to your company.
If you don't already do so, establish clear information classifications distinguishing public, private and confidential data. We call this a Sensitive Content Index. Spell out not only what is sensitive or classified but also why it is. This helps employees recognize what they should and should not be sharing, and with which tools.
Putting the spotlight on Shadow IT
Shadow IT is data and applications that sit outside your business's protection and visibility. You can only protect what you know about. Shadow IT is unsafe and unpredictable, but using a process like the one outlined above, you can make it work for you and bring it into the light.