Shadow IT is a growing problem, especially with the emergence of the cloud. Users can easily obtain cloud services simply by filling out a form and entering a credit card number. In fact, Gartner estimates that shadow IT comprises 30 percent to 40 percent of IT spending, while Everest Group research found that more than half of IT spending is tied to shadow IT. Of course, it’s virtually impossible to measure the full scope and cost of shadow because users aren’t going through proper channels.
Shadow IT comprises any technology, application or service that is used without the approval or knowledge of the IT team.
For example, if an employee uses Dropbox to share files without going through protocols for requesting, acquiring and using such applications, this would be considered shadow IT. Even an employee-owned smartphone is part of shadow IT if the device hasn’t been approved for work use. Shadow IT can also include popular services like AWS and Salesforce if subscriptions don’t go through the IT budget.
The reasons users turn to shadow IT are straightforward.
If users perceive the organization’s approved tools to be inadequate and discovers other tools that can help them be more productive, they’ll replace what they feel is not working with something better. Going through the process of making a request and awaiting approval, which may never come, is more of a hassle than it’s worth. Employees also prefer to use familiar, easy-to-use tools that are compatible with their devices, whether or not they’re approved by IT.
The term “shadow IT” has a bit of a dastardly connotation, but many of the tools aren’t inherently dangerous, and employees are rarely acting with malicious intent. They just want to find a better way to get their work done.
Problem is, users either don’t know or simply ignore the risks they create in the name of convenience. Gartner estimates that about one-third of successful attacks on organizations will be carried out through shadow IT tools. That’s because IT doesn’t have visibility or control of unapproved tools and services, which leads to security gaps that make systems more vulnerable to attack.
Beyond security risks, shadow IT can cause performance issues when certain software isn’t compatible with core IT infrastructure. More tools competing for bandwidth can also create connectivity issues. If IT doesn’t know a tool exists, they can’t back up the data used within that tool, which increases the risk of data loss. Data becomes siloed and, therefore, more difficult or even impossible to manage and monitor. Additionally, many shadow IT tools don’t meet regulatory standards and could lead to unpleasant surprises during a compliance audit.
You may never eliminate shadow IT, but there are ways to rein in shadow IT and limit risk while keeping employees happy.
What shadow IT tools are being used and why? Do they present a security risk? You may find that your employees are right, and your organization should be offering something different. Evaluate shadow IT tools and see if it would make sense to bring them out of the shadows. Explore new tools that would deliver similar benefits with less risk. Also, consider segmenting your network so that employee-owned devices and tools won’t affect business operations.
ICG can also help you leverage the cloud to create an IT environment that makes employees less likely to turn to shadow IT. Let us show you how to offer tools and services in a way that’s more flexible, more accessible, and more aligned with the needs of your employees.