How can you make shadow IT a friend instead of a foe?

By Kashif Nazir, Technical Manager at Cloudhouse.


Shadow IT has been a thorn in the side of IT departments for a long time. In recent years, as people's understanding of technology and the number of cloud services available have both grown continually (the latest notable addition being generative AI), it has become an even sharper problem. Why is this happening?

Shadow IT is the software, hardware and applications that departments and employees use without IT's knowledge. Departments or individuals can become reliant on such tools, again unbeknownst to IT. Without proper oversight, these unauthorised systems can grow uncontrollably, creating an ever more complex web of devices and services to control. Gartner research from 2023 noted that more than two thirds (69%) of employees had intentionally bypassed cybersecurity guidance over the year.

One reason for this growth is that vendors make it easier to access their products by intentionally going around IT teams. Traditionally, an administrator would need to install an application for an employee, which gave IT a natural control point. Vendors have overcome this by shipping per-user installers that write into areas the user already controls, such as their own profile directory, so no administrative rights, and no IT involvement, are needed.

Using such software is a business and security risk, as employees may be accessing company data through unmanaged channels. This is why shadow IT is often seen as a foe to the IT department. But if managed correctly, there are effective ways to turn it into a friend.

Why shadow IT is risky business

Not only is shadow IT a risk, it is an unmanaged risk, and that presents a real problem. IT can't account for threats it isn't aware of. These hidden threats can emerge from the use of both physical devices and cloud services.

A familiar example of shadow IT is employees using personal devices such as smartphones, laptops and wearables that aren't covered by the company's Bring Your Own Device (BYOD) policy on the enterprise network. Because these devices sit outside IT's patching, endpoint protection and monitoring, they can leave the network susceptible to breaches, for instance a bad actor introducing malware or ransomware through a compromised personal laptop.

While such devices may at least be physically spotted, security holes arise more discreetly through the use of 'out-of-sight' cloud services. For instance, an employee may have saved confidential business information to a personal cloud account that lacks the multi-factor authentication and encryption the managed environment enforces. The organisation could then be exposed to severe risks of data breaches and cyberattacks, and IT has no idea. Moreover, this unprotected data could also breach compliance regulations and lead to monetary and reputational damage.

These risks extend to users being unable to sufficiently configure and secure unauthorised third-party software, meaning it fails to adhere to company data protection standards and quality assurance. There are operational effects too: shadow IT creates many data silos and limits data sharing.

Ultimately, without holistic oversight of operations, IT can't mitigate risk for these applications, identify irregularities, or administer overall costs and resources.

From foe to friend: removing the risk

Shadow IT usually appears because employees lack the services or capabilities they require through managed servers and resources. They might turn to third-party apps to gain functionality such as generative AI prompting, or use a personal account when they don't have enough storage space on the company cloud. The more they use these tools, the more dependent they become on them.

Consequently, as these applications may be business-critical, companies mustn't attempt to eliminate them completely, in spite of their inbuilt risks. Rather than pulling the rug from under users' feet, IT should explore ways of transferring data or applications onto managed, secure servers without needing to alter the applications themselves. This strategy keeps the shadow IT applications in use but provides secure server and cloud environments for them.

Adopting such a strategy can in fact deliver new benefits. It can drive innovation, as new tools and capabilities are integrated into workflows, now securely implemented and managed. In turn, this lets companies adopt newer technology sooner, generate more efficiency and enhance security, all while needing less training for staff (who already use the tools) and reducing costs.

Crucially, this transition causes very little disruption to operations. However, it can be complex to perform and may need external expertise to support the migration.

Keeping the shadow friendly

Securing shadow IT is the first step – effectively managing it is a continual process. How, for instance, can IT manage apps it doesn’t know about?

Establishing open lines of communication with employees that incentivise them to report any unmanaged devices and services they're using is key to creating visibility. Introducing robust BYOD policies can also help keep the shadow under control. It's also important to evaluate training procedures and knowledge sources. Are staff aware of the risks shadow IT poses? Where do they go to solve tech problems? Search engines are usually the first resort, with Large Language Models (LLMs) quickly rising in popularity.

Such insight can be crucial in preventing shadow IT from quickly taking hold and growing uncontrollably. This visibility relies not only on staff reporting devices and on training, but also on IT receiving frequent feedback from employees about the challenges they have with current software and whether they require extra capabilities. To build this trust, rather than rebuking employees for using unmanaged applications, businesses should adopt a supportive and constructive attitude to shadow IT, one that learns what led users to these tools in the first place. With such an outlook, IT can uphold standards and enhance operations while reducing the likelihood of the shadow re-emerging.
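Staff reporting is one source of visibility; the telemetry IT already holds is another, and it answers the question above of how IT can manage apps it doesn't know about. A common practitioner approach is to run web-proxy or DNS logs against the list of sanctioned services and rank whatever is left by how many users touch it and how much data they send to it. The script below is an added example, not code from the article or from Cloudhouse: the log format, the sanctioned-domain list (managed-files.example, managed-mail.example, corp.example) and every log line are constructed for illustration, and the two-label domain collapsing is a deliberate simplification of what a real deployment would do with the Public Suffix List.

```python
"""Discover unsanctioned SaaS usage from web-proxy logs (added example).

Everything here is constructed: the log format, the domains and the lines.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Assumed allowlist of services IT manages; any subdomain of these is sanctioned.
SANCTIONED = {"managed-files.example", "managed-mail.example", "corp.example"}

# Constructed proxy log lines: "<timestamp> <user> <method> <url> <bytes_out>".
SAMPLE_LOG = """\
2024-05-01T09:02:11Z alice GET https://tenant.managed-files.example/sites/finance 1204
2024-05-01T09:03:40Z alice POST https://drive.personal-cloud.example/upload 52428800
2024-05-01T09:05:02Z bob POST https://chat.ai-assistant.example/api/prompt 8192
2024-05-01T09:06:15Z carol POST https://chat.ai-assistant.example/api/prompt 4096
2024-05-01T09:07:33Z dave GET https://mail.managed-mail.example/ 512
2024-05-01T09:08:01Z bob POST https://drive.personal-cloud.example/upload 10485760
2024-05-01T09:09:45Z erin POST https://chat.ai-assistant.example/api/prompt 2048
2024-05-01T09:10:00Z malformed line that should be skipped
"""


@dataclass
class DomainStats:
    users: set = field(default_factory=set)
    requests: int = 0
    bytes_out: int = 0  # bytes uploaded via POST/PUT, a proxy for data leaving the company


def registrable_domain(host: str) -> str:
    """Collapse a hostname to its last two labels (simplification; use the
    Public Suffix List in production so 'x.co.uk' is not collapsed to 'co.uk')."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_sanctioned(host: str) -> bool:
    """True if the host is a sanctioned domain or any subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in SANCTIONED)


def parse_line(line: str):
    """Return (user, method, host, bytes_out) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 5:
        return None
    _ts, user, method, url, size = parts
    host = urlsplit(url).hostname
    if host is None or not size.isdigit():
        return None
    return user, method.upper(), host, int(size)


def discover_unsanctioned(log_text: str, min_users: int = 2) -> list:
    """Aggregate unsanctioned destinations; 'widespread' flags domains used by
    at least min_users distinct people, i.e. likely a team-level dependency."""
    stats = defaultdict(DomainStats)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # skip malformed lines rather than failing the whole run
        user, method, host, size = rec
        if is_sanctioned(host):
            continue
        s = stats[registrable_domain(host)]
        s.users.add(user)
        s.requests += 1
        if method in ("POST", "PUT"):
            s.bytes_out += size
    findings = [
        {
            "domain": domain,
            "users": len(s.users),
            "requests": s.requests,
            "bytes_out": s.bytes_out,
            "widespread": len(s.users) >= min_users,
        }
        for domain, s in stats.items()
    ]
    # Most users first, then most data uploaded: the ordering IT should triage in.
    findings.sort(key=lambda f: (-f["users"], -f["bytes_out"]))
    return findings


if __name__ == "__main__":
    for f in discover_unsanctioned(SAMPLE_LOG):
        flag = "WIDESPREAD" if f["widespread"] else ""
        print(f"{f['domain']:<28} users={f['users']} reqs={f['requests']} "
              f"upload_bytes={f['bytes_out']} {flag}")
```

On the constructed sample this surfaces two unsanctioned services: a generative AI endpoint used by three people, and a personal cloud drive receiving about 60 MB of uploads from two. Neither would appear in a device inventory, and the "widespread" flag is what turns a log into the conversation the article recommends: a service several staff already depend on is a candidate for bringing under management rather than blocking.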

A friend for growth

When companies embark on migrating their technology, they often uncover far more shadow IT than they could see and manage. Left unchecked, it can quickly grow into a tangled mess. The trouble is that, unknown to IT, such tools become connected to each other and critical to workflows; removing them could disrupt the entire business ecosystem. At the same time, from cyberattacks to data leaks, the risks of not managing shadow IT are plentiful, and IT can't mitigate risks it isn't aware of.

To tackle this paradox, companies should favour an approach that keeps these applications but runs them on managed servers, limiting operational disruption while enhancing security and innovation. Open lines of communication, and understanding why staff are using unmanaged applications, are crucial to maintaining control over the shadow while also informing IT of necessary improvements to current systems.

By adopting a constructive approach, risks can be managed and shadow IT can become a company's friend for growth, not its foe.
