Unearthing Shadow IT to Drive Digital Transformation

February 17, 2022

Organizations pursue digital transformation so their business and processes can operate at the speed of the 21st century. But that drive is sabotaged when other departments leave the train or decide to find their own way.

Before we dive into the topic, let’s define what we mean by shadow IT and where to find it in your business. Shadow IT refers to information technology systems deployed by departments other than the central IT department (your IT team) to work around the shortcomings of the central information systems. Typically, employees use these tools to improve productivity or efficiency, but without the support of IT. In short, nearly every business has a shadow IT issue. Driving digital transformation becomes challenging when the people you work with do not consider shadow IT to be part of the problem.

To drive digital transformation, we must consider all aspects of your business. We will start with your people. Some employees will fear change and stand firm against changing the current state of affairs. Job insecurity becomes real when we talk about changing the current state, but it does not have to be. When companies are not set up to properly support daily tasks, their teams end up using technology that is not sanctioned by IT, which can include applications that were phased out. That is how shadow IT is created.

Although shadow IT surfaces because your people are using backdoor tools that help them do their jobs better, it can be detrimental to change efforts. It can be really challenging to know all of the applications a company has in its technology stack, because most of them are used absent-mindedly, out of habit. Employees may not even realize they are using certain applications as part of their daily routine. How do you bridge the divide between where your employees are and where you want to go as a company? In this article, we discuss the risks of shadow IT and how to manage them as you pursue digital transformation.

How it begins

Users might adopt shadow IT resources that are incompatible with company policies relating to cost, security, compliance, or documentation. It does not usually come from a malicious place; it usually happens over time, when employees are looking to quickly resolve an issue that they may think is siloed to them or their department. These technologies might be inconsistent with service level agreements or simply regarded as unreliable by IT standards.

Although shadow IT sounds like it should happen in the dark, that’s not always the case. It’s often people using tools they’re more comfortable with, or that help them do their work better. For instance, employees typically use these tools to improve:

  • Productivity: Employees might use unsanctioned tools like Trello or Hive to assign and track tasks.

  • Collaboration: File sharing and storage devices like Google Drive and Dropbox might be used to share large files that email cannot handle.

  • Hardware: Employees might use their personal laptops to handle tasks that office systems aren’t equipped for.

  • Communication: With a rise in remote work, communication tools like Zoom, Slack, and Webex find quick uptake within departments.

What creates shadow IT?

Shadow IT is a significant challenge for most organizations. According to one study from McAfee, up to 80% of employees admit that they use unsanctioned SaaS products at work. The average company employs over 1,000 cloud products, but IT is typically aware of just 108 – essentially 1 out of 10. But what drives employees to use unapproved IT tools? Part of the problem stems from:

  • Failing to offer sufficient support for technologies or capabilities that users prefer or require;

  • Ineffective or slow IT governance, approval, or provisioning;

  • Perennially understaffed and overworked IT staff that just can’t find the time to meet all user needs;

  • Launching digital transformation efforts that don’t account for how employees work and the tools they need; or

  • Customers consistently asking for services the company is not prepared to address.

As a result, other departments may be forced to find creative ways to get their work done, and this often involves shadow IT tools. For instance, research by RSA in 2012 found that 35% of employees feel they need to sidestep company security policies in order to do their work.

To be clear, the problem might also stem from employees not being aware of the tools available to them or failing to speak up about a problem. But for whatever reason it occurs, it’s important to recognize that shadow IT can become a problem for organizations, especially if left unmanaged.

Risks of shadow IT for organizations

Since shadow IT resources are typically outside IT’s knowledge, they can create significant risk for companies. Google Drive folders bearing company information might be susceptible to threat actor access. Sensitive work data sent from personal emails could become compromised.

IT goes to great lengths to secure company resources against loss, downtime, or unauthorized access. But all that effort goes out the window with leaks caused by shadow IT. A cautionary tale that bears remembering is the experience of Insight Global. In April 2021, the company admitted that the personal information of thousands of people was leaked to third parties. At the root of the breach was a series of unauthorized Google accounts used by employees as a backdoor collaboration channel.

Quite simply, the presence of unapproved and unknown IT resources within an organization’s network can create multiple issues. Some of these include:

  • Operational inefficiencies: Shadow IT may lead to operational bottlenecks and silos between departments. Imagine Marketing uses Dropbox for its file storage/sharing, Sales prefers Google Drive, and Legal puts everything on OneDrive. That’s not even far-fetched, since the average organization is reported to use up to 57 file-sharing services. In such an organization, files will have to be copied and uploaded multiple times before each task is done – a waste of everyone’s time.

  • Security risks: According to Gartner, one-third of all successful attacks on enterprises are launched on shadow IT resources. With sensitive company data sitting on services outside the regulation and protection of IT, breaches can happen far more easily.

  • Duplicate information: Every unapproved application used to carry out company work means another repository for files that already exist elsewhere. The same information might be copied and uploaded between platforms tens to hundreds of times. But when it’s time to find the definitive document, there’s often no single source of truth, and this introduces unnecessary complications.

  • Operational breakdowns: Shadow IT results in poor IT visibility. Without insight into exactly what network resources are being used, it’s much harder for IT to diagnose and resolve operational issues. Any one of the multiple shadow resources employees use can be problematic. But IT cannot resolve what it doesn’t know about, and this leads to unnecessary downtime, extended troubleshooting, etc.

  • Compliance: Organizations often have to abide by industry standards for their IT infrastructure. Standards such as Software Asset Management (SAM), ISO/IEC 20000, and even the General Data Protection Regulation might apply. But shadow IT potentially compromises compliance with these standards when sensitive data is hosted on platforms beyond the control of IT.

Unearthing shadow IT

Combating the risks of shadow IT begins with identifying where it exists and unearthing its incidence. Resist the urge to view shadow IT as a problem in itself though. Its existence in an organization is a sign that your IT policies and governance processes might need a revision. Besides, finding a compromise between those shadow tools and the official resources you provide can help unlock greater productivity. Here are a few steps to take as you identify and unearth shadow IT in your organization:

  • Educate about risks of shadow IT: Keep in mind that your people simply want to do their job. They might not be aware of the risks that shadow IT poses, or they’re not sufficiently informed about these risks. Educate them about the dangers of unapproved IT tools and help them learn why it’s risky.

  • Encourage employee transparency: The best way to learn about shadow IT tools is to ask those using them. Don’t be heavy-handed in your inquiry though. The goal is to help employees discover how they have been using these tools and why they might be dangerous, not to drive them underground.

  • Use automated discovery tools: There’s always the risk that your employees are not aware of all the backdoor tools they might have been using. Automated SaaS management tools can assist in the discovery of unauthorized software, including those your people do not even realize are there.

  • Tighten IT governance: Implement a governance structure that prioritizes the tools you provide. You might start with “deny all” network access controls, then include only approved tools on the “allow” list. Workplace devices can include controls that deny app installation or website visits beyond those explicitly allowed.

  • Monitor networks and application activity: Leverage API connections and integrations to monitor app usage. Where are you seeing network activity and what applications is it being funneled through? That might tell you where unsanctioned apps are feeding into your network.
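
The “deny all, then allow” and network-monitoring steps above can be combined into a simple discovery report. The following is an added example, not part of the original article: it checks web proxy log lines against an allow list and summarizes which departments send data to unapproved services. The log format, domain names, and allow list are constructed assumptions.

```python
from collections import defaultdict

# Assumed allow list of sanctioned services; every other destination is denied by default.
ALLOWED_DOMAINS = {"files.corp.example", "chat.corp.example"}

# Constructed proxy log lines, assumed format: timestamp user department host bytes_sent
SAMPLE_LOG = """\
2022-02-14T09:01:12Z alice marketing files.corp.example 120000
2022-02-14T09:03:40Z alice marketing upload.storage-a.example 5242880
2022-02-14T09:10:05Z bob sales api.storage-b.example 1048576
2022-02-14T09:12:31Z carol marketing upload.storage-a.example 2097152
2022-02-14T09:15:00Z dave legal notfiles.corp.example 4096
malformed line without enough fields
2022-02-14T09:20:44Z bob sales eu.chat.corp.example 2048
"""

def is_allowed(host, allowed=ALLOWED_DOMAINS):
    """Allow an exact match or a true subdomain; a bare suffix match is not enough."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)

def find_unsanctioned(log_text):
    """Return ({host: {"users", "departments", "bytes"}}, unparsed_line_count)."""
    findings = defaultdict(lambda: {"users": set(), "departments": set(), "bytes": 0})
    skipped = 0
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            skipped += 1  # count unparseable lines instead of silently dropping them
            continue
        _, user, dept, host, sent = parts
        if is_allowed(host):
            continue
        entry = findings[host.lower()]
        entry["users"].add(user)
        entry["departments"].add(dept)
        entry["bytes"] += int(sent)
    return dict(findings), skipped

if __name__ == "__main__":
    report, skipped = find_unsanctioned(SAMPLE_LOG)
    # Largest upload volume first: those services most likely hold company data.
    for host, e in sorted(report.items(), key=lambda kv: -kv[1]["bytes"]):
        print(host, sorted(e["departments"]), sorted(e["users"]), e["bytes"])
    print("unparsed lines:", skipped)
```

Matching on the dot boundary matters: `notfiles.corp.example` ends with an approved name but is a different domain, so it is reported rather than allowed.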

You’ve found the shadows. What next?

Unearthing shadow IT doesn’t end with just finding out where the unsanctioned tools are being used. To truly move beyond the challenges that surfaced these shadow IT threats, you must create a plan to improve IT governance and support for the tools that truly help your people.

Move your digital transformation efforts forward by embracing and taking advantage of shadow IT. Start by implementing the following:

  • Identify root causes with process mapping: Process mapping the business’s current state helps all parties involved understand where the operational gaps are in the business and the technology stack. Manual workarounds are why shadow IT exists.

  • Streamline and simplify governance: Create a seamless process where people can approach their leadership and IT and receive the help and support they need without feeling they need to indulge in self-help. Remember that understanding the current state will aid the conversation about why an employee is using something and what everyone else is doing.

  • Create shadow IT policies: With the information you derived from your shadow IT discovery, create policies around what tools are acceptable and which ones are not. Your employees are already comfortable using these tools and they are productive with them. Identify which ones you can bring into your IT infrastructure or where you can create in-house alternatives. Understanding the company’s current workflows will help you better understand what to approve as a technology and what should be eliminated from the technology stack.

  • Strong communication and collaboration with IT: Your people should be able to approach IT about what tools they want to use and how official alternatives don’t do the job. The easier it is to make these concerns known and addressed, the less likely it is that your staff will seek their own tools.

Shadow IT can be a significant threat for organizations. But it can also produce opportunities that move transformation efforts along. Contact us at Cornerstone Paradigm Consulting, LLC to learn about how we can help you turn your risks and threats into valuable opportunities for your organization.
