What is Shadow IT?
By Allen Bernard, Business Technology Journalist
The problem of unknown and unapproved applications running in your organization will only get worse if you don’t know what to look for or how to stop it.
In its most basic form, the term “Shadow IT” describes the procurement and use of hardware, software, or service technologies, such as telecom connectivity, without the knowledge or approval of an organization’s IT department.
While this is a common, everyday occurrence at companies large and small, it is a huge, costly problem for IT and the finance department. In large enterprises, Shadow IT accounts for 30% to 40% of total technology spending; 83% of employees store company data on unsanctioned cloud services; and, according to Gartner, 33% of cyber attacks will target Shadow IT in 2021. The problem has only gotten worse since the COVID-19 pandemic began in early 2020 because of the number of people working remotely.
There are two main drivers of Shadow IT: busy IT departments that are spread too thin to deliver the services and applications their organizations need to stay competitive, and easy access to cloud-based applications that can be purchased with a credit card. 80% of workers admit they bypass IT and use unsanctioned cloud services.
Even though the impulse behind Shadow IT may be noble – managers and line of business leaders doing what they can to help their teams meet their goals – the fallout in terms of cyber security incidents, compliance lapses, the accounting and financial impact on IT specifically, as well as the organization at large, can be quite costly.
Shadow IT makes it impossible to understand where technology expenses should be allocated (which has a major impact on yearly budgeting), who is spending the money (and why), what is being purchased, and the business benefit (if any) all of that spending provides.
If the spending bypasses IT and goes against departmental P&Ls, for example, those departments may end up overpaying for technologies and connectivity services they could have procured through existing IT contracts with pre-approved vendors.
If the spending is wrongly allocated to IT, then IT’s budget is negatively impacted and IT gets the blame for overspending. This can lead to animosity (and a lot of finger-pointing) between the business and IT over who should be responsible for the organization’s overall technology spend.
Correctly coding and allocating the expense to IT or the proper department provides visibility into the true, all-in cost of technology, allowing for more strategic budgeting.
In one recent engagement, for example, One Source uncovered that a client had 25% more locations that they did not realize were still active and that they were paying for, causing dramatic expenses in yearly wireline connectivity costs. Because IT was unaware of the spending, it went unchecked as these locations were shut down in favor of new ones.
Cyber security gaps
The lack of IT oversight caused by Shadow IT leads to glaring security holes in an organization’s defenses. A misconfigured SaaS app can expose company data on the internet, free to anyone who knows where to look. In other instances, the service provider itself is not secure – particularly if they are a newer player in the market.
What most users don’t realize when they engage with a cloud provider is they are also engaging with all of that provider’s employees, its third-party network of suppliers, vendors, customers, and partners. This expands the attack surface exponentially as hackers routinely use third parties to conveniently infiltrate the network of their primary target, i.e., your organization.
Compliance with industry and government regulations can also be put at risk. This is particularly true for companies doing business in healthcare, the State of California, or the European Union, all of which have stringent privacy regulations around personally identifiable information and levy hefty fines on violators. Not knowing that you are in violation of these regulations will not save your organization from penalties.
How to keep Shadow IT under control
There are three main ways to control Shadow IT. It starts with conducting a thorough audit of the software and services your organization uses. This can be done using automated discovery tools, but you should also talk to your employees directly. Ask them what software and services they are using and make it clear they will not be disciplined if some of those are unapproved by IT. You can also follow breadcrumbs left by helpdesk tickets. They will tell you with a great degree of accuracy what software and services are in use.
Once you get a handle on the degree of Shadow IT in your organization, you need to figure out if you want to keep it and, if so, who should pay for it. Transferring all technology-related expenses to IT ensures IT will regain control of data flows and compliance, but it will inflate IT’s budget and increase their workload.
Lastly, you need to create controls and policies, such as a rule that no software or services can be purchased without IT’s approval, and be ready to enforce them. Well-intentioned policies that are either too arduous for employees to follow or too hard to police will be ignored.
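The audit step above can be partly automated. The following is an added example, not part of the original article or any One Source tooling: it cross-references web proxy logs and helpdesk ticket summaries against IT's approved list to surface unsanctioned services. The log format, the approved list, the keyword map and all sample data are constructed assumptions.

```python
from collections import defaultdict

# All names and data below are constructed for illustration.
APPROVED = {"salesforce.example"}                 # domains IT has sanctioned
KEYWORDS = {"quickshare": "quickshare.example",   # ticket keyword -> service domain
            "salesforce": "salesforce.example"}

# Assumed proxy log format: <timestamp> <user> <method> <host> <bytes_out>
PROXY_LOG = """\
2021-10-01T09:12:03Z alice CONNECT files.quickshare.example 48211934
2021-10-01T09:14:40Z bob CONNECT login.salesforce.example 20480
2021-10-01T10:02:11Z carol CONNECT app.taskboardly.example 91822
2021-10-01T11:30:52Z alice CONNECT files.quickshare.example 7340032
2021-10-01T11:31:00Z truncated-entry
"""
# Helpdesk tickets as (ticket id, requester, summary)
TICKETS = [("T-1001", "dave", "Can't log in to QuickShare after password reset"),
           ("T-1002", "bob", "Salesforce report export is slow")]

def base_domain(host):
    # Naive: keep the last two labels. A production audit would use the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def audit(proxy_log, tickets, approved=APPROVED, keywords=KEYWORDS):
    found = defaultdict(lambda: {"users": set(), "bytes_out": 0, "sources": set()})
    for line in proxy_log.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue  # skip malformed lines instead of aborting the audit
        _, user, _, host, sent = parts
        domain = base_domain(host)
        if domain not in approved:
            found[domain]["users"].add(user)
            found[domain]["bytes_out"] += int(sent)
            found[domain]["sources"].add("proxy")
    for _ticket_id, user, summary in tickets:
        for word, domain in keywords.items():
            if word in summary.lower() and domain not in approved:
                found[domain]["users"].add(user)
                found[domain]["sources"].add("helpdesk")
    return dict(found)

def report(found):
    # Most distinct users first, then most data sent out
    rows = sorted(found.items(), key=lambda kv: (-len(kv[1]["users"]), -kv[1]["bytes_out"]))
    return [(d, sorted(r["users"]), r["bytes_out"], sorted(r["sources"])) for d, r in rows]

if __name__ == "__main__":
    for row in report(audit(PROXY_LOG, TICKETS)):
        print(row)
```

Services that appear in both sources with several users and large outbound volume are the first candidates for the keep-or-retire decision in the second step.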
At One Source we’ve helped hundreds of clients get a handle on Shadow IT. We can do the same for you. We merge technology, industry knowledge, and a dedicated team of skilled professionals to give our clients the hands-on attention they need. We manage everything for you so you can focus on your business, not technology.
- What is Shadow IT?
Oct 7, 2021