Shadow IT is the term used to describe employees within an organization using hardware or software without the authorization or knowledge of their internal IT department. According to Track Resources, 80% of workers admit to using SaaS applications at work without getting approval from IT. These may include productivity apps like Trello, cloud file sharing apps like Google Drive, or video messaging and conferencing apps like Zoom or GoToMeeting. In fact, estimates suggest that the average company has more than 900 cloud services in use that IT does not know about. These unmonitored, or shadow, services can put an organization in a dangerous position by creating security risks, increasing costs, and undermining compliance. We've expanded on each of these risks below.
As part of shadow IT practices, employees may acquire their own cloud services to access programs, storage, or apps. Unfortunately, those services are often not secured and are unlikely to adhere to the company's security policies. Just 7% of cloud services meet enterprise requirements for security, according to a recent report by Skyhigh Networks. Left unsecured, these heavily used programs may be putting your organization at risk. While setting up certain programs and apps, unsuspecting employees may actually be creating a back door into your network by exposing the service outside the organization's firewalls and monitoring. Staff may also set the permissions on such programs inappropriately (for example, sharing links that anyone on the internet can open), making company data more easily accessible and therefore increasing the likelihood of a data breach. Your organization may have security controls in place, such as two-factor authentication, that non-IT staff are not aware of, so they never enable the equivalent settings on the services they set up themselves.
In its 2021 report on the cost of data breaches, IBM estimated that the average cost of a ransomware breach was $4.26 million USD. In environments with low compliance, the cost of a data breach caused by human error was estimated to be $2.3 million USD higher than in environments where good cyber hygiene practices were observed. In cases where employees worked remotely, the dollar figure associated with data breaches jumped to $5.54 million USD.
Tolerating shadow IT increases your risk of being compromised and incurring a major financial hit to your organization.
A recent Virtana Inc. survey of cloud decision-makers found that 82% of respondents said they had incurred unnecessary cloud costs, while 56% said they lacked the tools to adequately manage their spending programmatically. According to Gartner Inc., 60% of infrastructure and operations leaders will encounter public cloud cost overruns, while Flexera Software LLC's 2020 State of the Cloud Report estimated that 30% of enterprise spending on cloud infrastructure is wasted.
Much of this unanticipated cloud spending is due in part to shadow IT practices being carried out within an organization. In some cases, an employee may power up services and charge them to a company credit card or company account without informing IT. If your company's non-IT staff aren't aware of the policies and billing surrounding the company's cloud agreements, they might choose to use a service without realizing its true cost or understanding that it is billed by usage. This can be extremely costly. Shadow IT can also result in duplication of services: one department may pay for a service while another department pays for the same thing separately.
Staff members who engage in shadow IT practices can rob an organization of its ability to provide proper regulatory oversight or monitor compliance requirements. The services acquired may not meet security requirements or be auditable, putting the organization at risk of failing compliance. Your organization may have rules pertaining to access control, identity management, backup standards, data residency, and so on; without IT's oversight these requirements may not be met, and IT may not even know which data has been copied into the service.
Shadow IT Exists...So What Can We Do About It?
If shadow IT is so risky and harmful to an organization, why do staff continue to use it? IT departments are often overworked, overwhelmed, and under-resourced, making it difficult and time-consuming for staff to acquire new technologies through the correct means. For example, that new customer management software the sales team needs could take several months to implement, given approval times, set-up, and configuration. Instead of waiting, members of the team may move forward with acquiring the program on their own without advising the IT team. Staff may not realize the implications of acquiring shadow IT; they simply want access to the programs they need quickly.
To reduce the likelihood of staff turning to shadow IT and the negative consequences of it, we have several recommendations:
1. Become more Agile with the Cloud
Utilizing the cloud to facilitate greater business agility is a major key to reducing instances of shadow IT. Self-service provisioning through sanctioned cloud platforms can speed up the process of deploying new solutions within an organization by reducing the workload of your IT department and allowing your organization to be more agile. For members of your team, this means that the adoption of new programs is quicker and done more efficiently. Staff who receive the programs they need faster, through approved channels, are less likely to turn to shadow IT.
2. Educate Your Staff
Share with your staff the dangers of shadow IT. If they understand the implications, they may be more inclined to work with the IT team than to acquire services without its knowledge. This education can be included in your yearly (or bi-annual) security sessions. Many would say it's impossible to root out all shadow IT, but training ensures that staff are at least aware of the risks and may reconsider certain activities or take steps to follow policy.
3. Create Policies To Monitor Its Use
Proponents of shadow IT claim its use can foster creative solutions and create opportunities for teams to be agile and innovative. Some organizations have taken a different approach, creating guidelines that help steer staff away from 'bad' shadow IT decisions and towards good choices. Your IT department may consider creating allow lists and deny lists (whitelists and blacklists) of apps that guide users towards the best and most secure options. Or you may prefer to create a special forum where staff can share their innovative solutions as well as blunders to avoid. This community-sharing approach can position IT as a trusted advisor and also allow IT to keep an eye on who's doing what. Another option is ensuring security controls are in place to help protect your organization from the threats that shadow IT introduces. Organizations can adopt new security capabilities, such as event management systems that surface cloud services appearing in proxy or DNS logs, and data security policies that limit what can be uploaded to unsanctioned services.
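The allow/deny list idea only pays off if something actually checks traffic against it. The script below is an added example, not code from the original article or from any product it names: it audits a constructed, simplified web-proxy log (one line per request: timestamp, user, destination host, bytes sent) against a hypothetical allow list of sanctioned SaaS domains and a deny list of services IT has explicitly rejected, then reports every other destination grouped by domain, with the users and data volume involved. Matching is done on the host suffix so that "app.trello.com" counts as Trello, while a look-alike host such as "drive.google.com.attacker.net" does not pass as Google Drive.

```python
"""Flag unsanctioned SaaS usage in proxy logs against an allow/deny list.

Added example (not from the article). Assumed, constructed log format:
    <timestamp> <user> <destination-host> <bytes-sent>
The lists and log lines below are hypothetical illustrations.
"""
from dataclasses import dataclass, field

# Hypothetical allow list: services IT has sanctioned.
ALLOWED_DOMAINS = {"drive.google.com", "zoom.us", "office.com"}
# Hypothetical deny list: services IT has explicitly rejected.
DENIED_DOMAINS = {"wetransfer.com", "pastebin.com"}

# Constructed sample log; one deliberately malformed line is included.
SAMPLE_LOG = """\
2024-03-04T09:12:01Z alice drive.google.com 48213
2024-03-04T09:13:44Z bob app.trello.com 1023
2024-03-04T09:14:02Z carol trello.com 880
2024-03-04T09:15:19Z bob wetransfer.com 7340032
2024-03-04T09:16:30Z dave zoom.us 5120
2024-03-04T09:17:05Z erin api.notion.so 2048
this line is malformed
2024-03-04T09:18:41Z alice app.trello.com 412
""".splitlines()


@dataclass
class Finding:
    domain: str
    verdict: str                      # "denied" or "unknown"
    users: set = field(default_factory=set)
    requests: int = 0
    bytes_out: int = 0


def domain_matches(host: str, domains: set) -> bool:
    """True if host equals, or is a subdomain of, any listed domain.

    Suffix matching on a leading dot means "drive.google.com.attacker.net"
    does NOT match "drive.google.com".
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def classify(host: str) -> str:
    """Deny list wins over allow list; anything else is unknown (shadow)."""
    if domain_matches(host, DENIED_DOMAINS):
        return "denied"
    if domain_matches(host, ALLOWED_DOMAINS):
        return "allowed"
    return "unknown"


def registrable_domain(host: str) -> str:
    """Crude last-two-label reduction used to group findings per service.

    Production code should use the Public Suffix List instead (co.uk etc.).
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_line(line: str):
    """Return (timestamp, user, host, bytes) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, user, host, nbytes = parts
    try:
        return ts, user, host, int(nbytes)
    except ValueError:
        return None


def audit(lines) -> list:
    """Aggregate every non-allowed destination; denied services sort first,
    then unknown services by number of distinct users."""
    findings = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                  # skip malformed input rather than crash
        _, user, host, nbytes = rec
        verdict = classify(host)
        if verdict == "allowed":
            continue
        key = registrable_domain(host)
        f = findings.setdefault(key, Finding(domain=key, verdict=verdict))
        f.users.add(user)
        f.requests += 1
        f.bytes_out += nbytes
    return sorted(findings.values(),
                  key=lambda f: (f.verdict != "denied", -len(f.users)))


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.verdict:8} {f.domain:20} users={sorted(f.users)} "
              f"requests={f.requests} bytes_out={f.bytes_out}")
```

On the sample log the denied WeTransfer upload (7 MB from one user) is reported first, then Trello with three distinct users, then Notion. The "unknown" bucket is the shadow IT inventory: each entry is either a candidate for the allow list after a security review, or a conversation to have with the department using it.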