By Tom Cole, Managing Director - UK & Europe at Abacus Group
Technology solutions, both in personal and corporate environments, can be adopted and consumed with increasing ease. Whilst on the surface this sounds positive, ease-of-use can also lead to undesirable and risky consequences within a corporate environment. Before the proliferation of cloud-based Software-as-a-Service (SaaS) applications, restricting software installations onto hard drives was a pretty simple way to deter unwelcome behaviour. Nowadays, an internet browser is the only tool required to consume new services. Employees can bypass IT procurement procedures to access the solutions they need to work or to simply make their lives easier. This problem is known as shadow IT.
What is Shadow IT?
Shadow IT is the practice of bypassing policy and/or controls and accessing IT solutions without the knowledge of your firm’s IT leadership. With the proliferation of SaaS, cloud computing and remote working (due to the pandemic), shadow IT is a growing business risk.
Common Reasons Why Employees Use Shadow IT
- They find authorized software and services to be inefficient.
- They think approved software is unfamiliar or complicated to use.
- They are unaware of or don’t respect risks posed by shadow IT.
- They feel accessing corporate technology remotely can be cumbersome.
Risks of Shadow IT
- Compliance: If an employee opts to use an alternative instant chat tool, which is not approved and thus not archived or nor monitored, your firm would be falling short of meeting FCA, COBS 11.8 Recording telephone conversations and electronic communications.
- Cost: With limited adoption, an unapproved solution may be commercially insignificant. However, if a solution gains momentum amongst employees but not procured at corporate rates through official company policies, the total cost of ownership may become inefficient and lead to unreasonable expense.
- Data Loss: If a thorough review of data resiliency is not conducted, solution issues, successful ransomware attacks and/or general failures could lead to data loss.
- Regulation: Unapproved solutions may entice and harbour PII, which are in regulatory scope (e.g., GDPR and CCPA), thus opening your firm to reputational and financial (fines) risk.
- Cybersecurity: Unmanaged solutions are likely to work outside of corporate controls and technologies, which are inherently in place to defend against ongoing cyber threats. Without these controls, your firm could now inadvertently be open to a significantly weakened defence.
How to Reduce Shadow IT
- Welcome Innovation: Shadow IT means staff are recognizing a better means to work. This could yield better efficiency, productivity etc. This mindset should be embraced. Continual improvement is desirable.
- Implement Governance: Create a structure which encourages innovation but works in line with a defined process to properly evaluate technology solutions holistically.
- Discover: Apply tools and data to understand technology consumption and behaviour within your firm. For example, review web traffic, software installations reports, endpoint reports etc.
- Technology Selection: When seeking out new technology solutions, ensure user experience is part of your selection criteria.
- Educate: Risks associated with shadow IT may not be fully understood or appreciated by your employees. Once they are educated and made aware of the risks and context, employees' behaviour is likely to change.
- Policy Enforcement: Your firm's policy and approach towards technology consumption should be communicated, understood, and acknowledged.
Shadow IT is not a new paradigm; the perfect storm of increased remote working and cloud technology (with instant and easy access) has refuelled this business problem. Whilst the risks and impact on business are high, let's not forget that innovation and progress are desirable. The catalysts which cause shadow IT can be embraced to promote continual improvement for your firm.
