Shadow IT: The Good, the Bad, and the Costly
The road to hell is paved with shadow IT
The initial aim of using shadow IT resources is pure – lines of business want to get their jobs done in a more efficient way. There are good reasons why shadow IT emerges within an organization, we discussed those in the previous post. However, by installing unsanctioned applications and subscribing to unapproved cloud services employees unwillingly subject their company to unexpected risks. Using IT assets that are invisible to the internal IT drives security risks, data security risks, complicates regulatory compliance and can result in increased overall IT operations cost.
#1: Unnecessary exposure to security breaches
The emergence of shadow IT has brought significant changes in the enterprise security landscape challenging IT groups with new scenarios they were not exposed to before. An increased use of unapproved file sharing services, remote administration tools, and other third-party applications in corporate environment can lead to security breaches unknown to the internal IT department, as it is nearly impossible to track all the services and apps (especially mobile apps) being used by company employees.
A shadow IT application may have a vulnerability that can be exploited by an attacker to access the corporate network and data. Considering that many employees use two or more devices for work, the possibility of a security breach is immense, because each device is a potential point of entry for intruders. As stated in Gartner’s Top 10 Security Predictions 2016:
“By 2020, a third of successful attacks experienced by enterprises will be on their shadow IT resources.”
#2: Increased data security risks
Retaining control over data within an organization is already a challenge internal IT departments have to deal with on a daily basis. With cloud and mobile services this challenge becomes greatly magnified. When files are stored in and transmitted via public cloud services and unsanctioned mobile apps, business data is placed outside of the organization and it becomes impossible to control the data or even know who accesses it. Sensitive and unencrypted information floats outside of controlled corporate channels and eDiscovery eyes, so it is just a matter of time when it gets in the wrong hands. Lack of control results in data inaccuracy, unauthorized or blocked access, data leaks and data loss.
#3: Enterprise regulatory compliance issues
Most employees adopt shadow IT apps without clear understanding of organization’s data security and compliance challenges and requirements. Compliance standards such as PCI-DSS, HIPAA, GLBA, FISMA/NIST, CobiT, and others govern the use and transmission of confidential and sensitive information. When data is processed by external applications without the knowledge or approval of the in-house IT, it is potentially exposed to unauthorized access and violation of the corporate and regulatory compliance requirements. Employees may unknowingly violate data privacy regulations simply by storing business data in the wrong cloud service. Failing to handle and protect sensitive information according to industry standards leads to potential compliance complications and fines and can cost dearly to resolve.
#4: Hidden costs
Shadow IT can mean unexpected problems to the financial health of an organization. First of all, it can significantly increase overall IT operations expenses due to hidden costs, which are typically 4-8 times higher than visible costs. These are the costs that public cloud providers charge above the sticker price, costs of security issues, data security, operations, integration with cloud services, network issues, and vendor management. Add also financial liabilities in case of data security incidents: security remediation, auditing processes, notification penalties, brand damage, etc.
Another issue is duplicated technologies. Different business units buy their own solutions and use their own budgets to acquire software. Without single-entry control IT departments are unaware of how many services are being used, or how many services are being paid for on the whole. Not controlled by the in-house IT redundant technologies multiply across the organization and lead to missed opportunities for bulk pricing.
If uncontrolled, shadow IT creates inefficiencies, security risks, compliance gaps, wastes money and can quickly mount into costly complications. The good news is that as with everything there is also another side of the medal.
Shadow IT is suddenly not such a bad guy
Even if employees recognize the problems connected with the use of unapproved software and services, they feel that the risks mentioned are totally justified. Shadow IT, indeed, can bring very real benefits, if properly managed. It allows to circumvent inefficient corporate processes, gain business agility, and increase productivity.
#1: Boost of productivity and business agility
Business units turn to shadow IT seeking to be more mobile and access business data whenever they need it. Employees expect to have the ability to bring their work with them out of the office and off the local network. Cloud and mobile technologies provide this opportunity – they make data available from any location and device and allow to share the files easily with colleagues and outside business partners. No wonder, that cloud-based file sharing services are among the most popular non-approved apps. Shadow IT can greatly improve workflows, benefit productivity, and increase business agility.
#2: Effective solutions closely aligned with business needs
Another reason why business units adopt shadow IT is to take on business problems fully equipped. Increasingly growing market of business applications constantly offers new solutions. Ultra-modern technologies make things easier and drive value especially in industries where innovations are welcomed.
IT groups are not always successful handling end user requests for new solutions: internal application development is a long process and purchasing of external solutions doesn’t always satisfy the business needs. When business units request solutions from IT, the specific details can be miscommunicated or omitted and, as a result, the finished product isn’t exactly what was requested. Shadow IT alternative allows to get around strict corporate policies and get the solutions closely aligned with a specific business need. When users are the ones choosing solutions, it is easier to keep up with industry trends and find the tools that better suit the original goal.
#3: Lessening the burden on the IT department
Allowing the staff to freely choose their own apps and services minimizes the drain on IT department and stimulates employee engagement, which ultimately helps the business. In the SaaS model the software vendor is responsible for hosting and maintaining applications, for backup and recovery of data. This removes a burden from IT groups, lets them focus on other, mission-critical tasks and allows to avoid capital investments in infrastructure and maintenance. With shadow IT end users have access to a variety of solutions without administrative restrictions standing in their way. It helps to avoid viewing IT groups as an obstacle, which is quite common in many businesses. It’s a win-win situation for both IT groups and business units.
Shadow IT is here to stay. Deal with it
Along with compliance concerns and risks that shadow IT poses to the security of an organization, there are some real benefits adding value and bringing innovation. First of all, it is an effective way to highlight inefficiencies in decision-making processes and identify the weaknesses that caused the need for unapproved software in the first place.
Second of all, beyond the initial set of challenges, shadow IT brings new opportunities to improve traditional ways employees approach software issues and communicate with in-house IT departments. Gone are the days when business units were totally dependent on IT groups when acquiring new systems. Today technology decisions are made by increasingly tech-savvy employees who seek out their own solutions to solve specific line-of-business tasks. This innovative problem solving talent within a company should be nurtured and encouraged.
In the long run, shadow IT is not necessarily a terrible thing. It is just another business reality, which should not be overlooked, but instead managed and used to our advantage. Effective steps for taking back the control and dealing with shadow IT will be discussed in our next post.