The term shadow IT has garnered both praise as an efficient approach towards cloud-based productivity and criticism as the foremost security threat confronting modern businesses. However, what exactly does it entail?
Introducing Shadow IT
At its simplest, shadow IT refers to the process of using IT systems, devices, software, and services without IT department oversight and often in opposition to the official IT policy. At its most complicated, shadow IT is the body of informal policies, practices, and workarounds that an office culture uses to get past their IT department.
How Shadow IT Works
In the best-case scenario, shadow IT practices can make employees more productive – they can just get on with their work while cutting unimportant corners. They can circumvent complicated security or approval procedures that would have them sitting on their hands or filling out forms explaining why they need something rather than just doing it. It evokes the good parts of the startup mentality and the kind of unregulated environments that gave rise to many of the greatest triumphs of the modern age.
However, most corporations and even moderately sized businesses try to eliminate these unregulated practices for very specific reasons. Circumventing policy always presents some risk – unless the policy really is unfit for purpose.
n a way, you could say that a company needs to completely rewrite its official IT policy when shadow IT practices are good for business. In the same way, where shadow IT practices are actually more trouble than they are worth, your IT policy is probably sound. The difficulty comes in the grey areas – as they always do. Most of the time, things will not be so black and white, and it becomes a war of perspectives.
What Is the Purpose of Shadow IT? Does it Harm Your Business?
The purpose of shadow IT is to cut corners. Most employees who will admit to using shadow IT say they do so to be more efficient at their jobs. An RSA study found that even 11 years ago, more than one in three employees believed they needed to work around company security policies to perform their roles to expectations.
Perhaps the approved, safe, secure file-sharing app underperforms compared to the newest, shiniest, most-security-dubious file-sharing app. Some of your employees will start using the new app. If it causes immediate problems, IT will usually step in and put a stop to that. If the new app really works well, then it can slowly become the system that everyone uses despite the policy. It has become part of that organization’s shadow IT.
When the majority of employees in a department are any combination of young, highly intelligent, highly motivated to succeed, and/or unwisely sure of their own brilliance… well, the idea that rules are for other people can become part of the culture.
Can this kind of culture harm your business? Absolutely. Suppose that file-sharing app has a subtle flaw. It’s not a trojan horse for hackers or anything, but it keeps a log of the traffic on a cloud server… somewhere.
Perhaps that server isn’t very well secured. Maybe anyone who really wants to can access everything your most tech-savvy employees message each other about. Suppose they can use that to hack your systems or disrupt your operations in some way.
Maybe the IT department’s insistence on using the boring, old, secure file-sharing app was the right move.
Exploring the Advantages of Shadow IT
On the other hand, sometimes cutting corners works out. Sometimes your people need a new solution to a problem right away, and they can’t wait two weeks for IT to decide if the provider is as safe as they claim. Sometimes the cowboy approach can get a prototype service up and running in a few days and make a big sale. You can do all the care and diligence later before it goes into production.
Sometimes the IT department really does need to step back and allow some corners to be cut, especially in non-critical areas. Even the best manager knows when to turn a blind eye to a policy being circumvented.
The Risks of Using Shadow IT in Your Workplace
Simply put, rules are there for a reason. Cutting corners exposes the company to risk. It might be a small risk that you can easily clean up. But it could be a very low chance of destroying everything. If that happens, all anyone will want to know is why you didn’t enforce the policy that could have prevented this disaster.
Most companies wouldn’t be happy with employees deciding for themselves which risks were serious and which were trivial. That’s why IT policies were invented in the first place. You allow it to be circumvented at your peril.
How to Mitigate the Risks Associated with Shadow IT
The best way to enjoy most of the benefits of shadow IT without opening your company up to the worst of its risks is to make sure the IT department has a light hand. Not the velvet glove that hides the iron fist, but an actual light hand. If they are not seen as the fun police, then your IT people are more likely to be included in what your people are actually doing.
Shadow IT isn’t all bad; it is at its most dangerous when employees keep it a secret from IT. If the people you employed specifically because they can spot a dangerous IT risk much more reliably than anyone else in the office get to see what is really going on, then they are a lot more likely to be able to do their real job – stopping the really bad stuff – while allowing the actually harmless corner-cutting to continue.