Shadow IT is the villainous name given to any IT system or solution used for business purposes that are not explicitly approved by the IT department. It’s not quite as chilling as the “Shadow Monster” from Stranger Things (this shadow won’t trap you in the Upside Down) but it can strike at any moment and when it does — the fallout can be a living nightmare for IT management. I’ll do the math for you:
Average cost per compromised record (globally, 2018): $148
Average number of breached records per incident (2018): 31,465 records
Average total cost of a data breach in the US: $4,454,820
Just How Bad Is Shadow IT?
According to Forbes, 71% of employees are using apps that are not sanctioned by IT. CSO reported that over 50% of enterprise application consumption is uncontrolled or unaccounted for. Mobile Business Insights sheds a little more light on the issue, stating that — across 20,000 cloud services in use today — only 8.1% meet strict business security requirements. And for the grand ﬁnale; Cisco predicts that by 2020, Shadow IT will be to blame for one-third of successful security attacks. Despite your best efforts to protect your organization, the “kids” are still taking candy from strangers.
Why Shadow IT Keeps Throwing Shade
Employees are lured to the dark side by the growing sophistication of consumer applications like Dropbox, Evernote, Slack, and Skype. These applications are easy to access, simple to use, and effective at helping them with daily tasks like sharing ﬁles, taking notes, collaborating with co-workers or managing projects. Telling them not to use these widely available applications is perhaps not an option. So what can we do?
Bottom line; the world runs on SaaS and as long as that’s the case, Shadow IT will continue to lurk in the recesses of your infrastructure.
The use of shadow apps isn’t entirely bad (think Magneto from X-Men). SaaS applications DO help employees become more productive. They also take pressure off of IT help desks (it’s the provider’s problem now, suckers!). However, your IT department is still on the hook for compliance and security, which means they have no choice but to play the bad cop. The situation is a classic catch-22; IT leaders block applications to safeguard the organization, but doing so irritates employees and encourages them to seek other SaaS solutions that may not be as mainstream and secure.
The Fix? Shed A Little Light on The Problem
The best way to shrink and contain shadow IT creep is to embrace its darkness. I’ll show you how in 5 simple steps.
Step 1. Accept The Utilization of Shadow IT Solutions
Risky, I know, but hear me out. Shadow IT is here to stay. Lay down your arms, and you might just open up and encourage communication about what applications your employees use and why. This insight will help you circumvent “off the radar” activity and at the very least, regulate the solutions employees choose to use. You may even be able to provide better, safer solutions that your employees expressly want and need.
Step 2. Organize and Analyze All Active Cloud Services
Sanctioned or not, every tool and resource your employees use to perform their jobs must go on a list for sorting. Next, organize each solution into categories such as “ﬁle sharing”, “collaboration”, “management”, etc., to analyze utilization patterns. This will help you identify where employees need the most support.
Step 3. Perform A Risk Assessment And Make Cuts
Examine the risk level of each solution as it relates to data, business, and legal. If the solution can’t be regulated to comply with your IT department's security standards and policies — cut it. If it can be regulated, let them have it! With proof, reason, and a little leeway, you can neutralize employee frustration and avoid rousing a torch-and-pitchfork mob outside your office.
Step 4. Consolidate Applications
The average organization uses dozens of similar solutions for activities such as ﬁle sharing, communication, and management. This degree of redundancy can actually impede collaboration and complicates the handling of important company data. In many cases, it makes more sense to ﬁnd an all-in-one solution to replace your barrage of applications and meet employee expectations for simplicity and utility. All-in-one software solutions centralize data, standardize processes, and provide incredibly intuitive, custom set-ups for everything from helpdesk, time tracking, and invoicing to project management, asset management, and data reporting.
Step 5. Reevaluate Your Security Strategy
Just like the risk assessment you performed on employee resources, do the same for your own. This includes an overview of ﬁrewalls, proxies, monitoring software, web gateways, etc. Also revise policies such as access controls, data loss prevention, and encryption.
Ultimately, your goal is to light shadow IT up! You can’t control what you can’t see. While you’re at it, prioritize employee education about shadow IT. It’s a do-or-die marketplace, and even with a robust suite of applications tailor-designed just for your employees, they will still arm themselves with any additional tools and resources they need to survive, regardless of the risks.
In the event of a breach, does your organization have a disaster recovery plan? Check out this article, download the free PDF Disaster Recovery Plan Checklist, and start safeguarding today!