Unapproved apps, devices, and cloud services have long been the bane of IT professionals. Remote and hybrid work arrangements that have grown in popularity during the COVID-19 pandemic have only made these “shadow IT” services more of a problem. But, just as hybrid work environments aren’t going away any time soon, neither are the threats posed by shadow IT.
Are you worried about shadow IT in the environments you manage? Keep reading for everything you need to know about shadow IT, including what forms it can take, the specific risks it poses and different ways you can combat it.
Shadow IT is uncontrolled IT
Shadow IT is the shorthand term for all devices, applications, cloud services and other unauthorized technology used within an organization. If it connects to corporate IT resources, carries corporate data, or just sits on your corporate network beyond the control of your IT department or MSP, then it counts as shadow IT.
You may think of shadow IT as a widespread problem but one with little impact. That is not the case. Studies have shown that as much as 40% of all corporate IT spending is on shadow IT: purchases made for IT resources without the involvement or knowledge of the corporate IT department.
In recent years, it has become such a problem that many companies are accelerating their digital transformation timetables to get ahead of it. The thinking is that if the entire IT environment moves to the cloud, there’s less space for on-premises shadow systems.
While the only common trait among all shadow IT is that it is uncontrolled and unmanaged, in practice, MSPs usually see one of four main types of shadow systems.
Productivity apps and services
People like what’s familiar. Employees will often use personal accounts on their preferred productivity apps at work because they’re more comfortable with them than with approved corporate systems.
Similarly, employees often like using personal storage and file-sharing accounts to move work files quickly. In a recent survey conducted by G2, 83% of IT professionals reported that their employees stored company data on unapproved cloud services. They may see more secure, approved corporate services as too cumbersome or too confusing.
Beyond file and app use, communication is the most common function for which employees use personal or shadow services. If they’re connected to coworkers on a personal messaging service, then that communication probably isn’t going to stick to purely personal topics. They may use those insecure channels to discuss company information.
The majority of workers maintain both personal and work email accounts. If they have a personal email tab open on a work device, they may just find it easier to send a quick message from that rather than switching to approved and secured corporate email.
Shadow IT poses many risks
IT professionals do an excellent job of maintaining and updating corporate IT systems. End users on their own shadow IT services? Not so much. Shadow IT is at higher risk of causing security breaches and exposing corporate data. And if a compromised shadow service is connected to company resources, then a determined attacker will look to move laterally from that service to other more valuable corporate targets on your network.
Many regulatory standards require specific IT security and management levels; for example, HIPAA in healthcare and Sarbanes-Oxley in finance. As a result, if your users knowingly or unknowingly move protected data to shadow IT services, your company could become exposed to steep fines and other penalties.
Users often turn to shadow IT under the misguided notion that it will make them more efficient. Instead, it creates inefficiencies for the company as a whole, which will inevitably come back to hurt their productivity. For example, a data breach might require many staff to take on extra work during remediation. Additionally, paying out unexpected regulatory fines can eat into future budgets.
Reduced visibility and control
If you don’t know which shadow IT services are used on your network, you can’t formulate reliable strategic plans. The fundamental lack of visibility on which IT services are in use hurts your ability to properly manage your company’s IT environment. You’ll be left reactively jumping from crisis to crisis created by shadow service problems rather than proactively developing your IT program.
How to combat shadow IT
There are many steps you can take to prevent shadow IT from disrupting your IT environment.
Use discovery tools to find rogue services
Start addressing shadow IT by first addressing the lack of visibility and control that allowed it to take root in the first place. IT discovery tools can help you identify which unauthorized devices and services are connected to company resources.
Implement ongoing network monitoring
Once you’ve addressed the services already in use, you then need to make sure new ones aren’t added to your company’s IT environment. Various network monitoring tools can make you aware of recent, unexpected activity.
Introduce policies and procedures for acceptable software use
Create an acceptable use policy for information technology within your organization. It should cover the use of:
- Company devices
- Personal devices
- Third-party software
- Cloud services
Your policy should explicitly state what kind of IT services are authorized and which are prohibited. Employees shouldn’t be left guessing whether a popular cloud app should be used or not.
Also, include an approval procedure in your acceptable use policy. Give employees a way to have popular third-party services evaluated and approved for company use.
Educate workers about shadow IT
Employees don’t bring shadow IT assets into the workplace to harm the company. They’re just trying to make their jobs easier, and they don’t see the associated risks.
Make shadow IT training part of your new hire orientation. Find ways to inform current employees through the company newsletter or add it to annual retraining sessions.
Educate them on the risks created by shadow IT in the workplace and what the direct impact to them might be. For example, suppose an employee learns they’ll need to take part in a lengthy remediation process after a data breach on top of their regular duties. In that case, they’ll probably be much less likely to use high-risk shadow services.
Restrict third-party apps
If you’re using a cloud-based platform like Microsoft 365, you’ll be able to restrict how third-party apps can interact with your IT assets. For example, you can block known dangerous apps or flag others for monitoring. If a flagged app suddenly receives a high-volume data transfer, the Cloud App Security tool can send you an email or text notification so you can evaluate it immediately.
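The discovery and monitoring steps above (finding unapproved services in use, then watching for unexpected activity such as a large transfer to a flagged app) can be illustrated with a small script run over web-proxy logs. This is an added example, not code from the article or from any vendor's tool; the log format, the approved-host allowlist and the sample hosts are all constructed placeholders.

```python
"""Shadow-IT discovery over web-proxy logs (added example, not from the article).
Assumed (constructed) log format: "timestamp user dest_host bytes_uploaded"."""
from collections import defaultdict

# Assumption: approved SaaS hosts for this organisation (placeholder names).
APPROVED = {"mail.example-corp.com", "files.example-corp.com", "chat.example-corp.com"}
HIGH_VOLUME_BYTES = 50 * 1024 * 1024  # alert when one user uploads >= 50 MiB to one shadow host

# Constructed sample proxy lines; the hosts are placeholders, not real services.
SAMPLE_LOG = """\
2024-03-01T09:01:02 alice mail.example-corp.com 2048
2024-03-01T09:05:10 bob personal-drive.example.net 734003200
2024-03-01T09:07:44 alice chat.example-corp.com 512
2024-03-01T09:12:30 carol share.example-storage.net 1048576
2024-03-01T09:15:00 bob personal-drive.example.net 1024
"""

def parse_line(line):
    ts, user, host, bytes_up = line.split()
    return ts, user, host.lower(), int(bytes_up)

def shadow_report(log_text, approved=APPROVED, threshold=HIGH_VOLUME_BYTES):
    """Return (services, alerts): services maps each unapproved host to the users
    seen contacting it; alerts lists (user, host, bytes) triples over the threshold."""
    users_by_host = defaultdict(set)
    bytes_by_pair = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, user, host, bytes_up = parse_line(line)
        if host in approved:
            continue  # sanctioned service, nothing to report
        users_by_host[host].add(user)
        bytes_by_pair[(user, host)] += bytes_up
    services = {h: sorted(u) for h, u in users_by_host.items()}
    alerts = sorted((u, h, b) for (u, h), b in bytes_by_pair.items() if b >= threshold)
    return services, alerts

if __name__ == "__main__":
    services, alerts = shadow_report(SAMPLE_LOG)
    for host, users in services.items():
        print(f"unapproved service {host} used by {', '.join(users)}")
    for user, host, b in alerts:
        print(f"ALERT: {user} uploaded {b // 2**20} MiB to {host}")
```

In practice the allowlist would come from the approval procedure in your acceptable use policy, and the log text from your proxy or firewall export, so the same report doubles as an inventory of which shadow services employees actually rely on.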
Use the right cloud services
Remember, employees set up shadow IT either because they’re more familiar with it or view company IT services as ineffective. Therefore, when possible, give your employees access to the best possible IT services so they don’t feel like they have to go hunting for their own.