Updated July 5, 2023
Introduction to Avoid Pitfalls of Shadow IT and Boost Performance
A company’s IT infrastructure consists of hardware, servers, operating systems, software and applications. The hardware division may be managed by the system and network administrators, while project managers for software applications may be in charge of specific divisions and projects. With each division having separate heads to manage the operations, additional hardware, software applications or devices are added only with the approval of the IT department.
However, with the advent of the web and several software service providers giving an option to use software and applications with free downloads or access to the cloud, many employees may have downloaded or accessed software on a subscription basis for various purposes. Such applications that are installed or used without the IT administrators’ knowledge form part of Shadow IT.
With the increasing popularity of the cloud and Software-as-a-Service (SaaS), many managers may have the tendency to go the easy route of using Shadow IT rather than create a ticket within the organization for the IT department to respond, assess and implement.
Dangers Associated with using Shadow IT and Some Steps.
Here are the dangers associated with using Shadow IT and some steps to be taken to help in enterprise performance:
1. Lack of modernization and slow implementation
If more managers and departments are utilizing Shadow IT, it may be a reflection of the lack of efficiency of IT departments within the organization. Or the IT team itself may respond slowly to a ticket (issue or problem) raised by the departments. In some cases, it may take weeks and months to deliver a solution. This may result in more employees seeking cloud services to get their work done.
Marketing cloud apps such as Netsuite and Salesforce, DropBox and Google Docs for file sharing, and Yammer and Asana for work and project collaboration have dynamically evolved to provide web-based and mobile services that can be accessed on the smartphone.
It is easy to blame the IT department for slow implementation or lack of innovative spirit, but blindly adding more cloud-based application silos in each department is surely not an answer to this issue. Each department head or leader should hold an open dialogue with the concerned IT manager or leader to redress the issue. If each department uses Shadow IT that doesn’t collaborate outside of its department, that could have larger implications for the efficiency of the organization. Moreover, having a dialogue with IT department heads would help the top management know about the need for more investment, perhaps in getting talent or better tools to create new software solutions.
In short, with a lack of centralization of IT initiatives, organisational silos multiply, leading to a lack of control and collaboration between departments. This is something companies need to tackle despite some short term benefits gained from the use of Shadow IT – lower IT costs, more flexibility, quick completion of tasks and implementation of apps.
2. Shadow IT creates increased security risks
With no centralized control and more deployment of Shadow IT, the organization is under increased security threats. Even file sharing apps such as Dropbox could involve the proprietary data or intellectual property (IP) of the organization being shared outside the company or falling into the wrong hands.
Such application silos fall outside the ambit of internal firewalls, thereby exposing them to hacking. If customer data is shared without proper controls and a security breach occurs, heavy fines from regulators over data compliance and regulatory strictures could follow, leading to consumer distrust and loss of satisfaction. Hence, the managers and team leaders in various departments should be made aware of the increased risks in the use of third party software and should inform the IT department of the use of such apps.
In some industries such as finance, health services, investment and banking, failure on regulatory compliance can prove costly and limit the ability of the organisation to grow. It exposes the organization to vulnerabilities and potential loss of data.
Similarly, some employees may be prone to use passwords that can be easily guessed or use the same password for multiple applications, exposing them to threats. When cyber criminals manage to enter one such application, it is easier for them to intrude into the entire network.
According to an IBM Security Study, if cyber criminals attack third party cloud applications, they can steal valuable corporate data and credentials, getting direct access to a company’s network. Moreover, they may be difficult to trace as they have come through a third-party system and not directly into the company’s network.
3. Duplication of apps and lack of internal support
When departments rely on more cloud apps, it could lead to duplication of apps by different groups having separate administrators (admins). This leads to increased costs and a lack of collaboration. This can be prevented if apps commonly used by various departments are implemented under a group plan. When too many cloud apps are used in a decentralized manner, departments could face problems if the service providers do not provide timely support. Moreover, the internal team may lack the skills to address the related problems. Therefore, it is better to have a dialogue with the IT department and get suggestions regarding the apps that best integrate with the existing infrastructure and also have better service support.
4. Review of existing tools and policies
At the outset, it was mentioned that increased use of Shadow IT reflected the internal IT departments’ lack of efficiency. One way to improve the existing IT systems is to find out the pain points for the employees and the holes in the system that prompt them to look for cloud-based alternatives. If a simpler alternative can be developed in house, which can be managed internally, it may be the first step in managing unsanctioned apps and tools.
5. Effective communication is more important than policing
There is a compelling incentive for departments and key team players to opt for Shadow IT apps. Instead of penalizing them for using it or passing strictures, management should encourage dialogue between IT departments and concerned non-IT departments. They can be made aware of the security threats involved in using cloud services and of collaboration problems, and asked to be transparent about the use of such apps. Shadow IT should emerge from the shadows and be acceptable for both IT and non-IT departments.
Perhaps, devoting a small team to study the cloud apps requirements of departments and work on the best cloud apps may be the right way to integrate cloud with their internal systems. The Chief Information Officer (CIO)’s role would be to act as an intermediary between the apps and the users.
Putting stricter rules on the use of cloud services may result in lower efficiency and a lack of trust among employees in the long run. It has been reported that some companies have resorted to bans on Evernote, Dropbox and iPhones to prevent the use of cloud services, but it is also a fact that such services can dramatically increase the productivity of employees. So the solution to this problem does not lie with effective policing but with more internal communication and dialogue.
6. IT departments need to monitor outbound traffic
There are firewalls to protect inbound traffic, but outbound traffic needs to be monitored to find out which employees are seeking cloud applications. The firewall can be automated to identify outbound traffic and keep a log of sites being monitored. This can help detect people using such apps, and a dialogue can be initiated with them.
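The outbound-log review described above can be sketched as follows. This is an added example, not code from the article or from any vendor; the log line format, the `SANCTIONED` allowlist and the tracked-domain table are assumptions made for illustration, and the log lines are constructed.

```python
from collections import defaultdict

# Assumption: cloud apps the IT department has approved (hypothetical allowlist).
SANCTIONED = {"salesforce.com"}
# Assumption: domains to track, mapped to app names mentioned in the article.
CLOUD_APPS = {"dropbox.com": "Dropbox", "evernote.com": "Evernote",
              "asana.com": "Asana", "salesforce.com": "Salesforce"}

# Constructed sample log, assumed format: <time> <src_ip> <user> <dest_host> <bytes_out>
SAMPLE_LOG = """\
2023-07-05T09:01:12Z 10.0.4.17 alice www.dropbox.com 48210433
2023-07-05T09:03:40Z 10.0.4.17 alice api.salesforce.com 1200
2023-07-05T09:05:02Z 10.0.7.22 bob dl.dropbox.com 1000000
2023-07-05T09:06:55Z 10.0.7.22 bob app.asana.com 52000
2023-07-05T09:07:10Z 10.0.9.5 carol notdropbox.com 900
2023-07-05T09:08:00Z truncated line
"""

def match_app(host):
    """Return the tracked domain that host equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for domain in CLOUD_APPS:
        # Require a label boundary so "notdropbox.com" is not counted as Dropbox.
        if host == domain or host.endswith("." + domain):
            return domain
    return None

def unsanctioned_usage(log_text):
    """Summarise users and outbound bytes per tracked app that is not sanctioned."""
    usage = defaultdict(lambda: {"users": set(), "bytes_out": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue  # skip malformed or truncated lines
        _, _, user, host, nbytes = parts
        domain = match_app(host)
        if domain is None or domain in SANCTIONED:
            continue
        usage[domain]["users"].add(user)
        usage[domain]["bytes_out"] += int(nbytes)
    return {CLOUD_APPS[d]: {"users": sorted(v["users"]), "bytes_out": v["bytes_out"]}
            for d, v in usage.items()}

if __name__ == "__main__":
    report = unsanctioned_usage(SAMPLE_LOG)
    for app, info in sorted(report.items(), key=lambda kv: -kv[1]["bytes_out"]):
        print(f"{app}: users={info['users']} bytes_out={info['bytes_out']}")
```

Sorting by outbound bytes puts the apps receiving the most company data at the top, which is where the dialogue with the users concerned would start.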
Tracking the cloud apps used by employees also enables the organization to assess the threats associated with them. If the internal IT departments are unable to assess the threats fully, there are organisations such as CipherCloud, whose Risk Intelligence Lab has assessed millions of cloud applications regarding their compliance with such regulations as HIPAA, PCI and EU Safe Harbor.
The risks associated with employees using cloud apps for personal use and undertaking outside work cannot be ruled out. When employees undertake such work, it could have serious implications for employee productivity and corporate results.
Similarly, it was found that many employees use a personal email ID to register for cloud apps and upload data and updates to them so that they are accessible on mobile and other devices. It is convenient and does improve productivity; however, there is a risk of the person leaving the organization and sharing such data with competitors. Without proper controls, the employee leaving the organization would still have access to the cloud apps’ data, as the login was created using their personal ID and not a company ID.
7. Software upgrades can cause a system failure
With cloud applications, the responsibility for upgrades rests with the service provider. However, such upgrades could have an impact on the functioning or integration of the systems within the organisation. Therefore, it is taxing to manage the change related to upgrades, and third party support is required for it.
If the IT department is involved with the installation and management of cloud apps, such problems can be averted as they can work with the service providers to ensure smooth integration and collaboration. It could prevent any breakdown due to software upgrades, analysts said.
8. Build a framework to bring tools inhouse
Without putting a ban on outside tools and apps, productivity can be improved if the right framework for the deployment of technology is established, which will also promote innovation within the organization. Implementing a hybrid cloud is one way of tackling the problem by providing a platform ideal for workgroup applications of departments. This framework will enable the employees to have the tools to build solutions that are required for the business.
With businesses becoming global and employees travelling for work and working while they travel, it makes sense to allow the best of technologies to be used that can be integrated with desktop, laptop and mobile. The Chief Information Officers (CIOs) and Chief Technology Officers (CTOs) need to exercise control over the use of cloud apps without restricting it in a way that inhibits innovation. IT departments should enable an environment of innovating together rather than working as watertight compartments as in the past.
Cloud App Security, released by Microsoft, may help IT teams keep track of cloud apps used by the employees, which may have gone undetected previously. It not only identifies the apps but also provides a risk score, real-time risk assessment and analytics. It will also enable IT administrators to authorize only select cloud apps, set controls and data sharing policies, and customize them for the requirements of the firm.
IT majors are working closely with cloud apps providers to make their offerings secure and accepted by enterprises. IBM Cloud Security Enforcer would help service providers assess the risks and threats in cloud-based services. It is working closely with DropBox and other leading unregulated vendors to.
A recent study by CISCO and NTT Communications Corporation revealed that the use of Shadow IT is increasing across the industry. About 77% of decision-makers in the NTT survey had used cloud applications devised by third-party service providers, and they expect their use to grow. Many respondents in the survey didn’t know in which country the cloud-based data was stored.
Many employees are prone to use unregulated, free
This has been a guide to Shadow IT. Here we discussed the basic concept, the dangers associated with using Shadow IT and ways to boost performance.