What is Shadow IT and why do you need to know about it?

The term shadow IT has received praise as an efficient approach to cloud-based productivity and criticism as the number one security threat facing modern businesses. However, what exactly does it imply?

Introduction to Shadow IT

In its simplest form, shadow IT refers to the process of using IT systems, devices, software and services without oversight from the IT department and often in opposition to official IT policy. At its most complicated, shadow IT is the set of informal policies, practices, and workarounds that an office culture uses to bypass its IT department.

How Shadow IT works

At their best, shadow IT practices can make employees more productive: they can get on with their work while taking minor shortcuts. They can bypass complicated security or approval procedures that would have them sitting on their hands or filling out forms explaining why they need something rather than just doing it. It evokes the good parts of the startup mindset and the kind of unregulated environments that gave rise to many of the greatest triumphs of the modern era.

However, most corporations and even moderately sized companies try to eliminate these unregulated practices for very specific reasons. Circumventing the policy always presents some risk, unless the policy really isn’t fit for purpose.

In a way, one could say that a company needs to completely rewrite its official IT policy when shadow IT practices are good for business. Likewise, where shadow IT practices are actually more trouble than they’re worth, your IT policy is likely to be sound. The difficulty comes in the gray areas, as always. Most of the time, things won’t be as black and white, and it becomes a war of perspectives.

What is the purpose of Shadow IT? Does it hurt your business?

The purpose of shadow IT is to take shortcuts. Most employees who will admit to using shadow IT say they do it to be more efficient in their jobs. An RSA study found that even 11 years ago, more than one in three employees believed they needed to work around company security policies to perform their duties to expectations.

Maybe the approved, safe and secure file sharing app will underperform the newest, shiniest and most security-dubious file sharing app. Some of your employees will start using the new app. If it causes immediate problems, IT will usually step in and stop it. If the new app really works well, it may slowly become the system that everyone uses despite the policy. It has become part of the shadow IT of that organization.

When the majority of employees in a department are any combination of young, highly intelligent, highly motivated to succeed, and/or recklessly confident in their own brilliance… well, the idea that the rules are for other people can become part of the culture.

Can this type of culture hurt your business? Absolutely. Suppose the file sharing app has a subtle flaw. It’s not a Trojan horse for hackers or anything, but it keeps track of traffic on a server in the cloud… somewhere.

Maybe that server is not very well protected. Maybe anyone who really wants to can access everything your most tech-savvy employees message each other. Let’s assume they can use that to hack into your systems or disrupt your operations in some way.

Perhaps the IT department’s insistence on using the boring, old, secure file-sharing app was the right move.

Exploring the advantages of Shadow IT

On the other hand, sometimes cutting corners works. Sometimes your people need a new solution to a problem right away, and they can’t wait two weeks for IT to decide if the provider is as secure as they claim. Sometimes the cowboy approach can get a prototype service up and running in a few days and make a big sale. You can do all the care and due diligence later before it goes into production.

Sometimes IT really needs to step back and allow some corners to be cut, especially in non-critical areas. Even the best manager knows when to turn a blind eye to a policy that is being circumvented.

The risks of using Shadow IT in your workplace

Simply put, the rules are there for a reason. Taking shortcuts exposes the company to risk. It may be a small risk that you can easily clean up. But it could also be a very low chance of destroying everything. If that happens, the one thing everyone will want to know is why you didn’t enforce the policy that could have prevented this disaster.

Most companies would not be happy with employees deciding for themselves which risks are serious and which are trivial. That’s why IT policies were invented in the first place. You allow it to be circumvented at your own risk.

How to mitigate the risks associated with Shadow IT

The best way to reap the most benefits of shadow IT without exposing your business to the worst of its risks is to make sure IT has a light hand. Not the velvet glove that hides the iron fist, but a truly light hand. If they’re not seen as the fun police, then your IT people are more likely to be included in what your people are actually doing.


Shadow IT isn’t all bad; it’s more dangerous when employees keep it a secret from IT. If the people you hired specifically because they can spot a dangerous IT risk much more reliably than anyone else in the office can see what’s really going on, then they’re much more likely to be able to do their real job: actually stopping the bad things while allowing the really harmless corner cuts to continue.
