What is Shadow IT?
There is no doubt that we live in a technological era. To a greater or lesser extent we all make use of technology, on a personal and work level. A limit that many times is not clear. Hence, more and more the organizations’ employees use systems and devices that are not formally approved. This is what is known as Shadow IT.
But what exactly is Shadow IT? Without claiming an academic definition, we can say that it’s the use of some technological element (be it software, hardware or service) outside the organization’s formally accepted policies and practices. Those policies and practices are generally established by the IT department or whoever acts as such, depending on the size of the company. But it is still a practice that occurs in micro enterprises.
Certainly Shadow IT is a problem. Bringing unapproved technology to an organization is a risk. Any activity that involves allowing uncontrolled access to data and files puts them at risk and increases the vulnerability of the entire enterprise network. These threats are on the rise. According to the Entrust Datacard report, Shadow IT will be responsible for one out of every three security breaches in 2020.
The logical assertion that emerges then is: let’s remove the practice. Easy said, difficult, if not impossible, to implement. So why not accept the practice under certain conditions? Below we will analyze some points that will give us clarity when it comes to making a decision.
Does Shadow IT Really Work for Employees?
Clearly. Most of the respondents in the study said that employees are more productive, committed and supportive of the company when they are allowed to use their preferred technologies at work. The problem arises when it comes to following IT policies and processes. These result to the employees’ eyes extremely rigid and slow. So that’s when they take shortcuts that end up being dangerous. The solution? Companies must be more agile when it comes to defining IT use policies as well as providing answers to requests for new technologies’ usage by employees.
Do Employees Need to Know the Consequences of its Use?
Absolutely. As we said before, the use of Shadow IT leads to significant security breaches. Above that, neither the employees know this circumstance reliably nor does the administration clearly communicate to them about the consequences of its use. More, in the Entrust Data survey, 37% of IT employees surveyed stated that organizations don’t have defined measures to take in the face of unauthorized technology use. Therefore, it is important not only to clearly transmit the consequences, but also to promote dialogue regarding the potential problems that the use of Shadow IT can bring. Also, as the consequences for noncompliance with regulations are becoming more and more serious for the company, it must be firmer in highlighting the employee’s inappropriate behavior.
What To Ponder to Make Guidelines?
As an executive or organizational manager, you should bear in mind some of the following considerations when you formulate guidance on Shadow IT:
- What type of software/hardware/apps are employees bringing into the organization?
- Are these elements in line with the IT assets already officially adopted?
- Do they comply with established policies, security processes and compliance rules?
- From where do employees use these elements?
- Can they be channels for the exposure of corporate data to unauthorized third parties?
Should the Entire Organization Follow the Shadow IT Guidelines?
Yes, above all the IT department should lead by example. This is probably where the most violations of internal rules occur. Because of their own smart and curious way of being, those who work in the technical area are the most likely to “test” new technologies, without following the organization’s policies and processes. The top management must also comply with them. The executive, often absorbed in the business (which isn’t a bad thing) uses devices or applications not authorized by mere ignorance. Legislation has increasingly harsh penalties for technological non-compliance; and it doesn’t distinguish between types of employees. The sanction falls over the entire organization.
The Shadow IT is in to stay. With new technologies constantly appearing, its use is expected to increase. Trying to banish it completely would be an impossible task, even bringing greater threats. That’s why we understand that the company must take two fundamental initiatives. The first one is to make its policies and processes more flexible. This will enable the rapid adoption of new technologies. The second is that those rules should be simple and understandable as possible (the main guidelines in a couple of sheets is often enough). And above all, known and practiced by everyone. Tthis way, with a minimum investment, it is possible to improve both the organizational climate and productivity in the company.