The world today is built around instant gratification. With the swipe of a finger, we summon everything from cabs to dates to groceries to socks to romcoms and more.
It’s only natural that this mindset extends to workplace technology as well. In the on-demand workplace (ODW), employees are far more likely than not to attempt to fill gaps in your company’s tech suite on their own. The idea of submitting an IT ticket, waiting for prioritization, then waiting even longer for resolution, seems as anachronous as (gasp!) leaving a voicemail. Before you know it, salespeople are using their personal phones to fire messages back and forth on WhatsApp, product development is building out its roadmap on a Trello free trial, and marketing is sharing one-pagers via Dropbox.
According to a McAfee survey, more than 80 percent of employees report using so-called shadow IT — hardware and software resources adopted without IT approval. A typical company has 15 to 22 times as many cloud apps in use than have been authorized by IT, according to a Cisco report. What’s more, management teams are shockingly blind to the issue: only 8 percent of companies are aware of the true scope of shadow IT at their organizations, according to a survey by Cloud Security Alliance.
For glass-half-full types, this DIY approach may not seem like such a bad thing: It’s a sign you’ve assembled a group of proactive, self-sufficient, innovative employees seeking out the tools they need to be successful.
True though this may be, shadow IT nevertheless poses significant risks for today’s organizations. A 2016 Gartner survey estimates that by 2020, up to a third of successful attacks on corporations will be on shadow IT resources. Your organization may have the most airtight, state-of-the-art security protocols in the world — but that doesn’t matter if your employees aren’t following them. There are a bevy of problems associated with shadow IT, including data privacy issues, lax password requirements, noncompliance with industry regulations, insufficient backup/recovery, licensing concerns, unencrypted data storage, configuration management issues, and more.
The obvious solution, then, is to issue a blanket prohibition on any software or hardware that has not been vetted and approved by your IT and security teams. Right? Wrong. This kind of draconian IT culture will inevitably backfire, resulting in frustrated, unproductive employees who spend more time job-searching than working. A more nuanced approach may require more time to execute, but will pay off in the long run.
Here are a few steps to take to reduce the risks of shadow IT without stamping out your employees’ sense of autonomy and innovation.
Opening up the lines of communication is key to determining the scope of shadow IT in your organization. Who is using what tools, services, and devices, and for what? What kind of information are they storing or transmitting? Is there a similar resource the company has approved, and if so, why aren’t employees using that instead? Are employees using personal devices for work tasks, and to what extent?
The tone of your outreach can make or break your sleuthing efforts. Make clear that your goal is to understand the challenges your employees are facing, how they’ve innovated to address them, and how IT can better support their efforts. The end result should be better alignment, communication, and outcomes — not punishment.
Talking with your team can go a long way toward helping you better understand the extent of shadow IT currently in use at your organization, but not all employees will be completely candid (intentionally or not) about their habits. This is where a SaaS management tool like Intello comes in handy. With Intello, you can see exactly which apps your team is using (and how much money you’re spending on them). Intello shows you exactly which cloud apps haven’t been authorized, giving you a quantitative view of the scope of the shadow IT problem at your company. The platform can revoke access to any high-risk apps and regularly audits all cloud apps for compliance with data privacy regulations. Intello also has a specific browser extension to stay on top of new instances of shadow IT on a continuous basis (since this isn’t the kind of issue you can audit once and be done with).
While it can be tempting to assume that all unsanctioned software, hardware, and services are a net negative for your organization, the truth is that some types of shadow IT are far more risky than others. Many applications employees adopt on their own are actually highly enterprise-ready, but need to be integrated into the broader organization (often as a replacement for an existing tool that failed to gain traction) in order to meet security standards and configuration requirements. Other services or practices, however, may not be suitable for your organization’s standards and may carry significant risk; address these first.
There’s a difference between blocking all shadow IT and managing risk. You may want to prevent access to particularly high-risk services altogether and/or raise your concerns with known users within the organization. Implicit in any policies you create should be an understanding that workplace technology needs are constantly evolving. Make clear that these policies are intended to live and grow alongside those needs.
That said, it is important to make your expectations clear to employees around which applications are acceptable and how company and customer data should be handled to align with internal and external policies and regulations. Employees should be able to easily access a list of all approved applications and all devices approved for bring-your-own-device (BYOD) use, as well as any applications that are prohibited or require explicit IT approval.
The continued rise of shadow IT is yet another sign that the on-demand workplace is more than just a passing trend. Today’s employees are constantly seeking new ways to improve their work processes and adopt the latest technology. In order to succeed, IT teams must adapt to this new reality — working with rather than against employees to achieve shared goals.