Application Security

What is shadow IT? Why you should care and how you can stop it.

29 June 2018 • 5 minutes

Written by Jordi Kitto

image for 'What is shadow IT? Why you should care and how you can stop it.'

Shadow IT accounts for 30-40% of IT spending and a third of successful data hacks are through shadow IT resources. You would be hard pressed to find an organisation completely unaffected by shadow IT.

What is shadow IT?

Shadow IT is all software purchases and activities within your organisation that have been made without your IT department’s knowledge.

When you find an application that makes your job easier, more efficient, or enhances your business in any way, it is easy to be swept up in the allure of shadow IT.

Shadow IT falls into three major categories:

Of course, you need something like a SaaS cloud services to quickly and easily get the tools you need to be more productive. Serious application security issues arise, however, when IT departments are unaware of the services and applications you and your staff seek out and install without their knowledge.

How does shadow IT happen?

Productivity pressures on information workers outweighs concerns for data security and corporate compliance. If your staff need to share or access data quickly, cloud software allows them to find solutions online in seconds, rather than going through the red tape of IT procurement, provisioning, testing, and security.

Imagine you find a new application that allows you to share and store documents more easily, and it can connect to any email account. Great news, right? But, without consulting your IT director, how will you know if the application is secure? How will you know if the information shared is compliant with regulations? How will the licence be handled?

Bypassing IT procedures, and failing to address important licence and security questions, can be detrimental to your operations.

Is my company affected by shadow IT?

The average company uses approximately 1083 cloud services. Shadow IT accounts for 30-40% of IT spending in large enterprises. With the proliferation of SaaS and cloud-based products, even this may be an underestimation.

You would be hard pressed to find an organisation completely unaffected by shadow IT. Armed with a credit card or browser, anyone can purchase low-cost subscription licenses and have a new application up and running in no time at all. Most organisations have not implemented data security tools to identify high-risk cloud-service vendors.

What’s wrong with shadow IT?

The lack of visibility in shadow IT represents a security gap where file sharing, storage, and collaboration can lead to sensitive data leaks. A third of successful data hacks experienced by enterprises are through their shadow IT resources, but only 7% of this lost organisational is actively hacked. Around 81 percent is either stolen or inadvertently disclosed.

If you have been in the industry for a long time, you probably remember the days when no software could be brought into the business without IT’s seal of approval. Non-IT pros are not schooled in software standardization and integration practises, and don’t understand the constituents and compliance required for introducing new applications.

Technologies that operate without the knowledge of your IT department negatively affect the user experience of other employees. They impact bandwidth, and they create situations in which network and software application protocols conflict.

Here are four ways shadow IT makes your company vulnerable:

Software asset management

Managing procurement of software licenses is already a major challenge for your IT department. Unapproved software makes things monumentally harder, and could mandate a complete audit of infrastructure, along with associated financial and resourcing costs to ensure compliance. The ultimate sanction for using unlicensed software: unlimited fines, legal liability, and even jail time.

Governance and standards

You have likely invested heavily to ensure your company complies with regulations imposed by the government and your industry. This is a huge waste of time and money if your employees are procuring software that does not reflect these standards.

Lack of testing and change control

Managing the cycle of change, testing, and release is complex enough for your IT team; introducing opaque third-party applications makes things monumentally worse.

Configuration management

If your IT department does not have a clear idea of all the applications your employees are using, it is impossible for them to define relationships between systems and users. You risk losing contact with the challenges your customers face.

Managing shadow IT

How do you take action against shadow IT? Start with considering why your employees are not going directly to your IT department with their requirements. Is there too much red tape? Are too many policies preventing communication and reducing rapport?

You can have regular service reviews with your employees based on their abilities, performance, and requirements. If you’ve finished a project, carry out a retrospective with the whole team, and ask about the software tools everyone used (or wasn’t able to use).

Eliminate barriers for your employees.

Gaining a competitive advantage begins with understanding and eliminating internal barriers for your employees, and then understanding the challenges your customers face. Then you can all deliver the best solutions.

Opening communication channels between your IT department and all other staff means there is no reason for your employees to source their own software.

You can look at adopting software that helps open communication and eliminate barriers: low-code platforms, for example.

Fighting the shadow IT war with low-code

Low-code platforms empower all staff. Some low-code platforms provide start-to-finish development. This reduces your dependencies on a collection of third party applications, which dissolves the risks associated with shadow IT.

Using these platforms, anyone on your team can build and maintain business applications workflows, reporting, notifications, and just about anything else a purely hand-coded app could deliver. You’re not replacing developers. You’re applying one tool that eliminates barriers and helps bring your team together.

IT departments can still define the appropriate data policies and user access regulations, but low-code balances more software development to the end-users, you, and your employees.

Codebots empowers you to achieve these results.

With the assistance of a codebot, you can develop your application from the initial idea, through testing, and eventually into deployment. You own all your intellectual property including your source code, and your company’s data is safe, and you’ve reduced your shadow IT risk. You’ve eliminated barriers for your employees by starting to think about low-code platforms.

Jordi Kitto

Written by Jordi Kitto

Software Developer

Jordi developed this very site you’re on right now! And when he’s not working on this site, he is showing off his latest Apple products to everyone in the office, or working on his side hustle