Research from Gartner shows that nearly 40 percent of all money spent on technology purchases comes from outside the IT department. Those purchases are known as shadow IT, and most organizations can relate to the problem. Not only does shadow IT open the door to security issues, but it can also cause conflicts with business-critical applications. On top of that, dealing with shadow IT pulls the IT staff away from projects meant to meet business goals.
With so many applications, storage options, and other resources moving to the cloud and mobile devices, shadow IT is almost impossible to eliminate. However, there are some ways that you and your staff can work to overcome these issues.
Educate Your Workforce
If you were to poll employees and business leaders who use technology outside the scope of their current IT resources, odds are they would tell you that they rely on it to get their work done. While there may be no malicious intent, there is a good chance these same people aren’t aware of the issues that introducing their own technology can cause. Take time to explain to your organization that shadow IT creates more problems than it solves. Some of those problems include:
- Applications that have not been tested may create conflicts with existing software that your organization relies on.
- Applications that have not been vetted may contain vulnerabilities.
- If no one is properly managing and updating an application, it could leave security risks open.
- Phishing sites are often set up to offer software that contains malware.
- You may be exposing sensitive data by not properly managing, encrypting, or storing it according to laws and regulations.
- Rogue wireless devices and other hardware may cause disruptions in the network.
Most importantly, help them understand that if the IT department discovers shadow IT resources, they are going to be shut down. This means all of the data and hard work accomplished by using those resources will likely be lost.
Be a Partner
One of the best ways to avoid shadow IT is to work with your different business units. If there is a need, or a block in their business processes, help them find a solution. Many times, employees and leaders have a solution in mind. Don’t immediately say no to these requests or offer a substitute. Take the time to evaluate the effectiveness and compatibility of their proposed solution to see if it will work. If an alternative is needed, gather the requirements from that business unit and find a solution that meets their needs.
Know What’s Out There
The most important strategy for dealing with shadow IT is to actually know what is running under the radar. This means you will need to be constantly monitoring for activity, processes, and traffic that are not part of your normal IT functions. Make sure that a cloud governance program is part of your efforts. With so many cloud options available to your coworkers, it is easy for them to get around many of your technical controls and rely on SaaS offerings to bypass the IT team.
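One way to start that monitoring is to compare outbound web traffic against the list of services IT has approved. The script below is an added example, not part of the original article: the log format (timestamp, user, method, host, bytes sent), the domain names, and the allowlist are all constructed assumptions.

```python
from collections import defaultdict

# Assumption: domains IT has approved (hypothetical allowlist for this example).
SANCTIONED = {"office365.example", "crm.example"}

# Constructed sample proxy log: timestamp user method host bytes_sent
SAMPLE_LOG = """\
2024-05-01T09:00:01Z alice POST files.office365.example 5120
2024-05-01T09:02:10Z bob POST upload.fileshare.example 48000000
2024-05-01T09:05:42Z carol GET app.crm.example 300
2024-05-01T09:07:00Z carol POST upload.fileshare.example 1200000
2024-05-01T09:09:13Z dave POST notcrm.example 900
malformed line here
2024-05-01T09:11:30Z bob GET boards.tasktool.example 450
"""

def is_sanctioned(host, sanctioned=SANCTIONED):
    """True if host is an approved domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    # Match on a label boundary so "notcrm.example" does not pass as "crm.example".
    return any(host == d or host.endswith("." + d) for d in sanctioned)

def find_unsanctioned(log_text, sanctioned=SANCTIONED):
    """Summarize traffic to hosts outside the allowlist, keyed by host."""
    report = defaultdict(lambda: {"users": set(), "bytes_sent": 0, "requests": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue  # skip lines that do not fit the assumed format
        _, user, _, host, sent = parts
        if is_sanctioned(host, sanctioned):
            continue
        entry = report[host.lower().rstrip(".")]
        entry["users"].add(user)
        entry["bytes_sent"] += int(sent)
        entry["requests"] += 1
    return dict(report)

def ranked(report):
    """Order hosts by number of distinct users, then by volume uploaded."""
    return sorted(report.items(),
                  key=lambda kv: (-len(kv[1]["users"]), -kv[1]["bytes_sent"]))

if __name__ == "__main__":
    for host, e in ranked(find_unsanctioned(SAMPLE_LOG)):
        users = ",".join(sorted(e["users"]))
        print(f"{host}: users={users} requests={e['requests']} bytes_sent={e['bytes_sent']}")
```

Ranking by distinct users and upload volume puts the services with the widest adoption and the most data leaving the network at the top, which are the ones to raise with the business unit first.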
It is always best to work with the different teams in your organization first. However, if education and partnering don’t stop the shadow IT problem, then it is time for you to take action. Create a policy that management will support and hold people accountable to that policy. Other ways to shut down shadow IT projects include installing blocks on employees’ phones through your mobile device management policy or configuring their computers so they cannot download and install software.
Remember, taking action will likely upset other business leaders because it may hinder their team’s ability to get things done. Only take action after you have:
- Taken the time to educate people about the dangers of shadow IT
- Provided enough notice to management and other business leaders
- Created a policy that is supported by management
Stopping shadow IT is not an easy task. Being able to identify and stop applications and services that are not authorized by your IT department takes a great deal of skill and experience. Many organizations rely on third-party help from managed security service providers who specialize in dealing with the problem of shadow IT.