According to Gartner, 30 percent to 40 percent of IT spending goes to shadow IT. Everest Group researchers believe shadow IT could be 50 percent or more of IT spending. Because of the uncertainty surrounding shadow IT, these estimates could very well be on the low side. The point is, shadow IT is a growing problem in terms of scope, complexity and risk.
Shadow IT is the practice of obtaining and using a device or application without the knowledge or consent of the IT department. It’s a do-it-yourself approach typically used by employees when they need to complete a specific project or perform certain tasks. They either don’t want to wait for IT approval or they’re confident that IT approval will never come. In some cases, approved applications aren’t as convenient as the shadow IT tool.
Of course, if IT doesn’t know a certain tool is being used, they can’t manage it. They can’t budget for it. And they certainly can’t secure it. Without visibility into activity and data, IT can’t identify security vulnerabilities or potential compliance violations. In fact, Gartner estimates that, by 2020, about 30 percent of successful cyberattacks on enterprises will involve shadow IT resources.
Because shadow IT isn’t integrated into the rest of the IT environment, it creates silos of data that are difficult to access and manage. Data isn’t backed up according to standard backup procedures, if at all, which increases the risk of data loss. Applications are often used without proper licensing, which can lead to hefty fines from software vendors. Performance issues are common if certain tools hog bandwidth or aren’t compatible with existing IT infrastructure. Shadow IT can also disrupt business processes, which affects operational efficiency and employee productivity.
Many organizations try to bring the hammer down to stop shadow IT, imposing heavy restrictions and threatening employees with penalties. This approach ignores one simple fact –shadow IT is largely driven by a desire to do the best job possible as efficiently as possible. Malicious intent is rare.
The more productive approach to reining in shadow IT is to understand why employees are turning to various tools and develop an IT strategy that eliminates the need for shadow IT. Are shadow IT tools easier to use? Do they have features and capabilities that make them superior to the solutions currently offered? Also, perform tests to determine if shadow IT tools create an increased security risk.
If shadow IT tools are more effective and no more risky than existing tools, bring them out of the shadows so they can be managed and monitored. Implement a reputation-based system that automatically identifies applications and classifies them as safe or unsafe. If you don’t have a bring-your-own-device policy, or your existing policy is overly restrictive, consider segmenting the network. This will give employees more freedom without affecting business operations.
Verteks can help you choose and implement tools that align with business requirements and offer the capabilities your employees need to do their jobs. Instead of fighting shadow IT, let’s figure out why it’s happening and develop an IT strategy that makes it unnecessary for employees to look for alternative solutions.
