Shadow IT: what is it and how to combat it

Joe Svetlik

Monday 27 June 2016

Does circumventing the IT department pose a threat to your business’ most vital information or is it actually a strategic asset? Here’s how to make sure it’s the latter.

Few IT topics split opinion like Shadow IT. Depending on how you look at it, it’s either a growing menace, threatening to undermine a business’ IT power base, or a way to ensure your company always has access to the latest software tools. But what exactly is it? Which of these two definitions is closest to the truth?

What is it?

Shadow IT – aka Stealth IT – is a term used to describe IT hardware or software within an enterprise that is not supported by the organisation’s central IT department. The most common types are software-as-a-service applications (known as SaaS apps) like Google Docs or Dropbox. But Shadow IT also encompasses any software or hardware that the organisation hasn’t approved.

Unsurprisingly, its use is rampant. According to a study for McAfee by Stratecast, a unit of Frost & Sullivan, more than 80 per cent of IT workers and line-of-business workers at enterprises admitted to using SaaS apps at work without the IT department’s approval.

If you’ve ever sent a work email from your Gmail account, transferred a work file using or jotted down notes from a meeting in a Google Document, you’ve used Shadow IT. Unless your company’s IT department has formally approved such services, of course.

Why the fuss?

You might think it’s no big deal, but many businesses would disagree. Corporate data is highly sensitive, and a security breach could cost the company dearly. Unlike internal IT systems, there’s no way to guarantee these SaaS apps will stay secure.

Bosses wouldn’t be too pleased if their data was compromised because of Shadow IT, especially if they’ve spent a lot of money on a belt-and-braces IT system.

Then there’s the lack of control. SaaS apps are designed for the individual user, rather than as a business tool. As such, they give the user complete control. This could lead to them consciously cutting out an employee from a shared document, or simply forgetting to add them.

The upside

It lets employees use the latest apps without waiting for the IT department to check and approve them. And, as most SaaS apps have cloud functionality built in, employees can work on documents anywhere using their personal laptop and can easily share documents for collaborative work.

These are all pluses for the employees, but there are advantages for the organisation too. Most web-based SaaS apps are free, or are much cheaper than their professional IT counterparts.

And if employees are using the latest software, they’ll also be more productive, which will benefit the organisation. Then there’s the mental benefit. Having to use only company-sanctioned devices and apps – especially those inferior to what is available – can inculcate a feeling that the firm is behind the times, and thereby serve to alienate employees.

The compromise

So what should you do about Shadow IT? Few would recommend banning it outright – even if it were possible, it would show the organisation to be inward-facing and oblivious to technological advancement, especially at a time of such rapid progress. Rather, the challenge is to manage it. As Pat Calhoun, McAfee’s general manager of network security, says: “Businesses clearly need to protect themselves, while still enabling access to applications that help employees be more productive.”

He goes on: “The best approach is to deploy solutions that transparently monitor SaaS applications (as well as other forms of web traffic) and uniformly apply enterprise policies, without restricting employees’ ability to do their jobs better. These not only enable secure access to SaaS applications, but can also encrypt sensitive information, prevent data loss, protect against malware, and enable IT to enforce usage policies.”

Russ Banham from CenturyLink thinks the name is already part of the problem. ‘Shadow IT’ has all sorts of nefarious connotations. Instead, he recommends calling it ‘dispersed IT’. It then becomes far less of an issue for the company CIO (chief information officer) to monitor and orchestrate the use of cloud-based apps alongside the internal IT system.

It is pointless burying your head in the sand and pretending the likes of Google and Dropbox are going to go away or stop innovating. Why not embrace what they have to offer while minimising the threat to your business? Make Shadow IT work for you, and you might just shine a light on your own business practices.

