Dealing with Shadow IT


Shadow IT, also known as phantom IT, is a phenomenon that happens when an individual uses unauthorized software or tools to perform company-related work. For example, in the course of project work, a team member may store work on Dropbox or Google Docs, or use a chat tool such as Slack to communicate with contacts outside of the company.

Shadow IT has grown with the implementation of cloud-based applications and services, the increase in BYOD and, of course, the explosion of remote-work environments. Shadow IT extends beyond work applications to employees’ personal devices such as smartphones, laptops, or tablets, and it's the combination of these things specifically that makes shadow IT a problem.

The main reason people engage in shadow IT is fairly innocent: they want to get their work done more efficiently. People seek unapproved software and applications because the current solutions are not meeting their needs. And while posing serious security risks, these new products may also boost productivity, giving your company a competitive edge. Most don’t realize that they could be creating a security issue by Skyping from their laptop, streaming movies or games, or using an independent tool for communicating. While shadow IT can help improve employee productivity and drive innovation, it can also introduce serious security risks to your organization through data leaks, potential compliance violations, and gaps in support and configuration.

Unsupported hardware and software are not subject to the same security measures as supported technologies. Basically, if IT isn’t aware of an application, they can’t support or troubleshoot it and they can’t ensure that it’s secure or in compliance with other company software and systems. Typically, when we decide to implement new software or systems, we put them through a great deal of research in terms of security, reliability, and supportability, as well as costs, comparables, and community feedback.

Some practices to help minimize your risk include:

  • Educate your team about the dangers of unauthorized IT, and (maybe more importantly) what actually constitutes unauthorized solutions. Most people won't realize they may be creating a security risk simply by using a smart-home product linked to the same device they use to conduct company work. Be explicit about which specific coding, storage, or communication tools are approved and used within the organization.
  • Create policies surrounding acceptable use of systems and software, including the manner in which all company information is to be handled and stored.
  • Encourage your team to present ideas for a new tool or a discovery that might be better than what is currently used. This will allow the IT team to perform the necessary research into the safety and supportability of a tool and it will give your team the tools that they need.
  • Monitor use with questionnaires or audits to help determine any potential security risks or to help discover a new tool.

Shadow IT is not necessarily a negative thing in your company, but it’s not great. It is an indicator that you have gaps in your infrastructure, plus it creates a security risk, especially if you have consultants working on their own devices. The best approach to this problem is to embrace the opportunities it presents while recognizing the risks that it may pose.
