Handling Shadow IT
We all like to think that we know best. If we encounter IT issues, and think of ourselves as IT literate people – the kind who can install programmes and know how to use our smartphones – then why would we not be able to fix the issue in front of us? Wouldn’t that save your organisation and its IT department time and money?
In today’s fast-paced working environment, the technology has never before been this accessible and essential to job functions. With this ubiquity of technology at work and in personal lives, it is unsurprising that employees are increasingly confident that they can work independently from IT. Unfortunately, while this feels right in the moment, the reality is that this tragedy of the commons hits employee productivity, and the long term health of the business.
Evidence of this is manifesting itself in employees’ use of tools and business solutions. Gartner estimates that shadow IT accounts for 30% to 40% of IT spending in large enterprises, and a 2016 survey by NTT Communications found 83% IT professionals reporting that employees stored company data on unsanctioned cloud services.
The problems related to such unsanctioned IT activities become clear when looking at their escalating potential. That is, it is difficult to identify them until it is too late. For instance, IT might not notice an employee’s use of an unsanctioned cloud service until after a major privacy breach has caused significant reputational and financial damage. Business discontinuity, data breaches, non-compliance with legal requirements, and unexpected costs all carry potentially huge consequences. Shadow IT is not a small issue in organisational operations, but one which can define the success of digital transformation projects, and impact the working culture of the business.
To handle Shadow IT, an organisation first has to define what are considered “sanctioned” activities and tools. It can then put in place a solution to discover and continuously monitor end-users’ unsanctioned and unwanted software consumption activities through comprehensive data collection and interpretation. Visibility into the entire network, and the programs and practices which are being used on it, gives managers the ability to make decisions about their IT infrastructure.
Force behaviour change
For employers the tough option is to enforce strict policies which limit the range of possible actions and programs on the IT network. For example, setting proxy limitations, removing admin rights or even preventing application execution. This approach essentially aims to set boundaries to force users into compliance. Benefits can include ensuring that all employees are using the same secure software, and are working in ways which are more easily measurable against KPIs.
However, this might not always be the most effective method – process and restrictions can stifle employees’ creativity and disempower them, offering security at the cost of productivity. It is therefore important to find the right balance between restrictions and flexibility in order to allow the business to remain fast and innovative.
Suggest cultural change
More user-centric, this approach focuses on engagement rather than enforcement, through awareness creation and direct end-user feedback. It enables the understanding of user requirements and the communication of the costs and risk associated with unapproved activities before any actions are taken. For example, the use of unauthorised software might be identified, and employers might want to take steps to subtly change user behaviour. With an awareness campaign of non-intrusive desktop reminders users can be informed of the risks and vulnerabilities of the software they are using, and subsequently be prompted for feedback and recommended alternative compliant software.
Visibility into your whole IT infrastructure is important as it gives you the options you need to run your business according to your priorities, and the specific challenges you face. Employing softer methods of continuous monitoring of the IT network, and engaging your users means that your business can have an active conversation which constantly improves the health of the business and the internal culture.
Alternatively, a firmer approach may suit businesses which need a controlled approach, especially for their purposes of security or compliance.
They can not only know the who and where of shadow IT activities, but also the why, to pave the way for improvement in employee communication and happiness, as well as overall business well-being.
Andrew Smith, UK Sales Director, Nexthink