When employees use unauthorized personal devices for work or when teams download unapproved software for internal use, these activities are part of a practice known as shadow IT, which has growing security and compliance implications for organizations.
Cisco defines shadow IT as “the use of IT-related hardware or software by a department or individual without the knowledge of the IT or security group within the organization.” It includes “all forms of IT-related activities and purchases that the IT department isn’t involved in,” including unauthorized devices, apps, and other software.
According to BMC, shadow IT is inevitable, as “users adopt shadow IT practices only to fulfill their job requirements in ways that make their life easier.” It is also widespread.
The recent Endpoint Ecosystem report from Mobile Mentor found that employees routinely use unregulated apps for work activities that may contain sensitive data. The study also found that 64 percent use personal devices for work, but only 43 percent of those devices have Bring Your Own Device (BYOD) policies securely enabled.
The Rise of Shadow IT
“The growth of shadow IT has accelerated with the consumerization of information technology,” says Cisco. “Users have become comfortable downloading and using apps and services from the cloud to assist them in their work.”
More recently, the scope of shadow IT has expanded due to the increased number of employees working from home during the pandemic. Many organizations were unprepared for the major shift to distributed work, leading employees to take matters into their own hands and set up remote systems to suit their needs.
According to Forbes, “shadow IT arises primarily out of ineffective communication between the IT department and users: Users struggling to do their jobs using authorized services find a better alternative and deploy it themselves to avoid the hassle of a long and frustrating approval process.”
For example, says Forbes, “teams who have trouble connecting to the corporate system via unstable VPN connections might turn to unauthorized cloud services to get their work done more efficiently. But that puts sensitive information like customer or financial data at risk of exposure and puts the organization at the risk of steep fines for compliance violations.”
Unauthorized apps on corporate devices pose additional risks. IT personnel cannot secure software they don’t know about, so those applications may be out of date or unpatched, leaving organizations open to attack.
IT departments play a key role in managing and mitigating the risks of shadow IT. As BMC says, part of the problem lies with the organizations themselves, for example, by not offering adequate support for technologies that IT users require or by making the provisioning process too slow.
However, BMC notes, organizations can take steps to improve the situation and reduce the risks, including:
- Communicate and collaborate. Discover the needs of IT users.
- Educate and train. Inform users of the risks associated with shadow IT.
- Streamline governance. Develop a process that facilitates the use of (vetted and rapidly provisioned) new technologies.
- Assess and mitigate the risks. Not all shadow IT technologies pose the same threat. Continuous assessment of technologies in use can help organizations weigh risks and mitigate threats.
Organizations should also clearly communicate which applications and devices are authorized or prohibited and consider supporting low-risk shadow IT components through a documented process or working with users to find authorized replacement technology.
- 6 Steps to Teach Yourself System Administration from FOSSlife
- 7 Tips for Online Security from FOSSlife
- Gartner: Bring shadow IT into the light and get really good at building partnerships from TechRepublic
- Getting Started in Cybersecurity from FOSSlife