Shadow IT refers to the practice of using software and other systems outside of, and without the knowledge of, the IT department. When it comes to small businesses, that could be replaced with “without the knowledge of the owner or manager.”
As the use of software-as-a-service (SaaS) has grown exponentially, so has Shadow IT. Employees now have the ability to bypass IT with software that’s available for a low monthly fee – or for free – with the click of a button.
The driving force behind Shadow IT differs from business to business. Sometimes employees believe it improves efficiency. They believe they need these tools to do their jobs.
Other times, avoiding IT is seen to drive down costs. Sometimes people simply grow impatient waiting for their business to make a decision.
Whatever the reason for its existence, Shadow IT brings with it five main risks. We cover each one in detail here.
With the consumerisation of IT, even a smaller business may have hundreds of these applications in use. The lack of visibility into where business data lies represents a security gap. Although some applications are harmless, others include functionality such as file sharing and storage, or collaboration, which can present significant risks to a business – especially if these applications contain sensitive data.
Many businesses do not know where their data is stored, and here are just a few statistics to show how quickly this problem is growing:
If IT is not aware of these applications, it cannot recover any lost data, since no backups are in place. Nor can IT ensure that these applications have the proper security settings in place to prevent bad actors from gaining access.
Requirements for IT compliance are becoming increasingly stringent.
No matter the business, regulatory compliance is likely critical. There are numerous standards that businesses need to comply with – from GDPR to industry-specific regulations like HIPAA – and the use of shadow IT can potentially lead to fines for violating these compliance requirements.
Due to the inherent lack of control and transparency, unregulated public clouds make it impossible for companies to prove compliance with these regulatory requirements.
In addition to revenue losses (for example, due to data loss or disrupted business processes), severe financial penalties may be imposed on the company or members of management.
There are also other issues such as duplicate apps. There might be different email, file sharing, sales and marketing automation, project collaboration, messaging, and other cloud capabilities in use.
It’s easiest to illustrate the cost of this with an example. Let’s say your business has 200 employees with one department of 100 employees who prefer Slack over Rocket.Chat and another department of 100 employees who choose to use the duplicate Rocket.Chat app.
Your business is paying £11,700 for 100 employees who use Slack and £8,400 per year for those who use Rocket.Chat. That’s £20,100 per year for 100 people to use their preferred internal communications tool. There may even be a chance to migrate all of these tools to a free solution such as Microsoft Teams if you’re already leveraging the Microsoft 365 suite.
Shadow IT is often implemented without the knowledge of many people in the business. Very quickly, different groups within the company can end up solving the same problem with different tools, or with the same tool under separate accounts.
Since each team is administering its own software, there are often no standards or best practices, and employees using that software receive very little training. Compare this to companies that standardise on a single solution. In such cases, there is a centralised admin who can provide assistance, and most employees can support each other since they are on the same system.
While businesses should aim for clear ownership and company-wide best practices, sometimes you just need to get the job done. However, this should be done with eyes wide open, meaning there should be a good reason for an employee to be a software administrator, and the business should know who owns that software in case billing, support, or other issues arise.
Businesses can only effectively manage what they can measure and understand. The use of shadow IT complicates this, particularly with regard to regulatory compliance. The lack of visibility surrounding data and decision-making processes also creates additional challenges for businesses to navigate.
For many businesses, planning for the future requires accurate visibility into their current technology landscape. Without this insight, it is difficult to make informed decisions about future technology investments or budget allocations.
Managing shadow IT involves making intentional and informed business decisions about the technology being used. To do this, businesses need access to accurate data. While some businesses may attempt to track their technology usage manually using spreadsheets, this approach quickly becomes unmanageable and outdated.
This is where Burton Technologies can assist. Our team is equipped to help businesses gain visibility into their current technology usage and provide ongoing monitoring to reduce risk and improve decision-making. Ask how we can support your business today.