Illuminating the dark world of Shadow IT

Unsanctioned use of easy-to-access, cloud-based consumer technology in corporate environments is posing a significant security threat to UK businesses. As we head towards 2017, it’s an issue that companies of all sizes are going to have to address if they have not already started to do so.

This ‘Shadow IT’ infrastructure has gained a hold in a lot of companies firstly through the proliferation of BYOD (Bring Your Own Device) and more recently because of the growing use of collaborative working tools like Dropbox, Google Drive and Evernote. This is despite the best efforts of IT teams and procurement departments to steer employees toward officially sanctioned, selected and tested software and applications.

But it’s become a bit of a losing battle in many businesses: most people today, even the less technical of employees, know how to share (or at least access) documents on a virtual drive. It’s most common in instances where employees want quick and easy access to large or complex files such as spreadsheets and presentations, particularly if colleagues are working across different offices and time zones - or if some of them wish to work on projects while travelling or at home in the evening. If it’s a case of having to apply (and potentially face rejection) for an official secure remote VPN link or just dragging a file into Dropbox or G-Drive, then most people would opt for the simpler, although unofficial, quick fix.

Workers turn to these non-approved apps because they are familiar, intuitive and generally have simple-to-grasp interfaces. For the most part, employees also have them installed on their own laptops, smartphones and other Internet-enabled devices, which means it’s easy to access shared files when travelling or at home. This familiarity and accessibility means staff can get things done fast, making them feel like they’re helping the company and improving their own efficiency into the bargain.

To support workplace productivity, rather than hinder it, IT departments should be using software solutions that offer the same kind of intuitive ways of working as the unsanctioned Shadow IT. As a starting point, they need to look at the Shadow IT applications that are being used, understand employees’ need for them and compare the apps with officially sanctioned solutions. Then IT teams need to implement similar tools for employees if gaps exist or if official tech is proving cumbersome and impeding efficiency.

Some of the most common areas for consideration are:

  • Web-accessible features that can simplify authentication, access and use, while also providing the familiar interaction features and efficient workflows that users have come to expect from their own tools.
  • Easy-to-navigate menus and friendly user interfaces that are responsive but can be tailored to user access rights.
  • Customisable user experience that works well for all levels of employees and can match with individual preferences. For example, offering a choice of different drop-down and ‘inspector’ menus and a choice of display options.
  • Data-intensive applications that can offer presentation methods appropriate to the task in hand. For example, providing lists and tables if multi-item comparisons are needed, or icons and tiles to support direct interactions where more direct data manipulation is required.

Most of the time, employees using Shadow IT applications don’t think they are doing any harm, and assume that the apps themselves couldn’t possibly interfere with officially sanctioned IT products or company policies. But all too often Shadow IT apps don’t measure up to corporate standards for data protection and encryption. They can also consume a large amount of bandwidth, which in turn can slow the network. In addition, Shadow IT can cause issues when it comes to compliance with data protection laws and sharing data directives. If that wasn’t bad enough, the presence of Shadow IT apps on a corporate network dramatically increases the risk of security breaches and data loss that can hurt the company from a financial and reputational perspective.

Going forward, IT departments need to explain the risks associated with using Shadow IT applications to all employees, make clear the potential damage such software can cause to the company, and try to prevent further incidents from occurring in the future. It might be the case that a company’s senior management also needs to get involved in this education process, build best-practice policies into corporate literature and, most importantly, be seen to lead by example. While education and training on this point are essential, it’s also important for IT teams to be able to identify any future Shadow IT use on the network before it starts to cause problems. To do this, we recommend using a flexible, fully-integrated and multifunctional network management solution.

Identifying instances of Shadow IT use should get easier over time as network monitoring tools that can help safeguard the network’s performance, monitor the availability of applications and prevent misuse are continuing to evolve - and even advancing into the realms of bots, artificial intelligence and machine learning.

Right here and now, however, network monitoring solutions that make use of advanced visualisation technology are coming onto the market. The best of these can intuitively map the user experience directly to the environment that the IT team originally created, allowing team members to easily understand irregularities, such as Shadow IT deployments, at a high level and then drill down immediately to detailed device information, keeping them in front of potential issues.

Despite these advances, as we enter 2017 there will be a whole new set of Shadow IT challenges as the proliferation of BYOD continues and will, to an even greater extent, be legitimised in many companies. How do you stop your CEO bringing their iPhone to work and syncing their iTunes library with a company laptop ahead of their next red-eye flight? If you can’t stop the CEO and get them to lead by example, how do you put the brakes on similar usage by other employees?

It’s worth remembering that Shadow IT can still aid businesses if it is used in a controlled way. So, when thinking about how to meet the challenges posed by Shadow IT in 2017, companies need to understand that they can’t solve the problem just by deleting the apps. They need to understand why usage is occurring in the first instance.

To do this, IT teams need to cast as much light on Shadow IT as possible and gain visibility of what is happening on their network. To attempt to blank out Shadow IT or deny its existence would be to be blind to reality.

Michael Hack, SVP EMEA Operations, Ipswitch