Shadow IT refers to IT systems and services deployed by departments other than the central IT department, and implemented without its knowledge.
The cloud has made it very easy to roll out what would otherwise be complex IT projects. For example: an in-house mail server takes careful planning and implementation (not to mention skill), whereas setting up a mail domain using Google or O365 takes very little time and skill.
In order to bypass perceived limitations and delays set forth by internal IT departments, employees oftentimes turn to cloud solutions to solve problems quickly.
There is no shortage of applications and services that can be configured quickly in the cloud, and employees often set up their own solutions for marketing, CRM, accounting, remote access, file storage and many others.
The cloud exacerbates two human biases. One is the Dunning-Kruger effect, which states that people often fail to recognize their own limitations and believe themselves to be far more capable than they really are in fields for which they are not qualified. The second is that people of high ability and expertise in one field often believe that their abilities carry over into other fields.
A recent survey by Gartner revealed that 1 in 5 workers believe themselves to be experts in digital technology.
Cloud projects, like any other IT project, should be planned and executed under the authority of a quorum, usually a combination of departmental, executive and IT staff, to ensure that the project does not turn into a security, public relations or legal nightmare.
Central management and multiple stakeholders with a say in the matter mean that the consistency, security and governability of the project are not sacrificed. Without this, some of the issues that can arise out of shadow IT are as follows:
- Data may be fragmented, which causes inefficiencies in scale and security. If employees are allowed to open cloud accounts arbitrarily, each employee may apply a different set of security standards, and different versions of the same data may exist. When spreadsheets and documents are passed around, edited and stored in separate data silos, version confusion ensues.
- There is a high risk of data loss and data leaks without centralized data management. Employees may leave and the employer may be locked out of that data or sometimes not even be aware that the data even exists.
- Shadow IT may incur higher costs for services, as some providers have low entry costs and then charge higher fees when databases exceed a set limit. This tactic lures users in with free or low-cost services; however, once the application use has matured, you can expect higher fees and poor migration capabilities.
- Some employees use shadow IT as job security. If the account is opened using their personal email account, the employer may not have access to the data once the employee leaves. The data may be lost or even taken to another employer.
- Shadow IT increases the probability of uncontrolled data flow, making it difficult or impossible to comply with HIPAA, GLBA, COBIT, FISMA, ITIL and other regulatory frameworks.
Some common examples of how shadow IT can have negative effects on an organization are as follows:
Example 1: A salesperson opens an on-line CRM account and keeps his daily sales activities and prospective customers on it. After he leaves the company, he takes his leads and clients list with him.
Example 2: A graphic designer keeps all her design work on a WD My Book connected to the Internet so she can share her prepress work with the company’s clients. A hacker gains access and erases the drive, and several years’ worth of work are lost (yes, this happens).
Example 3: A marketing employee tasked with increasing brand awareness buys an opt-in mailing list and starts sending marketing emails to potential clients, unaware of anti-spam laws that prohibit deceptive subject lines and impose opt-out and message identification requirements. The organization’s brand is instead diminished and the organization loses credibility.
As you can gather, the benefits of a quick setup and convenience can quickly be erased by a single incident. For this reason, business managers should create a shadow IT policy that outlines the process required to create on-line accounts.
- On-line accounts should be created only after careful consideration and discussion by a quorum of stakeholders, including the IT department.
- All on-line accounts should use a common security framework to dictate how data should be protected.
- The account administrator should be a central authority using an email from the organization’s domain. Accounts should never be opened using Gmail, Yahoo or any other personal email account.
- Accounts should have a centralized, hierarchical structure and master account instead of multiple individually created accounts.
- The IT department should check the permissions, retention policies, ACLs and other settings to ensure the availability, integrity and confidentiality of the data.
- No account should be opened and operated by an employee without the knowledge and consent of both the IT department as well as the executive/managerial staff.
Employees should never use OAuth to create or sign on to third-party accounts. For example, an employee may use their G Suite or O365 account to link to Facebook or Instagram, thereby giving the service provider excessive access and introducing risk into the organization’s systems.
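One way to make the OAuth risk above concrete is to audit which third-party apps have been granted which scopes on the organization’s identity provider. The following is an added example, not code from the original article: it separates sign-in-only scopes from data-bearing scopes and flags grants that go beyond sign-in, over constructed sample records modelled loosely on the kind of token export an admin console provides.

```python
# Added example (not from the original article): audit third-party OAuth grants
# on a corporate identity provider and flag those whose scopes exceed sign-in.
# The grant records below are constructed sample data.

# Scopes that only identify the user; acceptable for "sign in with" use.
SIGN_IN_SCOPES = {"openid", "email", "profile"}

# Data-bearing scopes (real Google scope identifiers) that give a third party
# ongoing access to mail, files or contacts once the user clicks "Allow".
HIGH_RISK_SCOPES = {
    "https://www.googleapis.com/auth/gmail.readonly": "read all mail",
    "https://www.googleapis.com/auth/gmail.modify": "read and modify mail",
    "https://www.googleapis.com/auth/drive": "full Drive access",
    "https://www.googleapis.com/auth/contacts.readonly": "read contacts",
}

# Constructed sample grants: (user, third-party app, granted scopes)
SAMPLE_GRANTS = [
    ("alice@example.com", "Social Scheduler",
     {"openid", "email", "https://www.googleapis.com/auth/contacts.readonly"}),
    ("bob@example.com", "Design Review Tool", {"openid", "email", "profile"}),
    ("carol@example.com", "Mail Merge Plus",
     {"https://www.googleapis.com/auth/gmail.modify",
      "https://www.googleapis.com/auth/drive"}),
]


def classify_grant(scopes):
    """Return ('ok', []) for sign-in-only grants, else ('review', reasons)."""
    excess = sorted(s for s in scopes if s not in SIGN_IN_SCOPES)
    if not excess:
        return "ok", []
    # Unknown scopes are still reported, so nothing slips through unlabelled.
    reasons = [HIGH_RISK_SCOPES.get(s, f"unknown scope {s}") for s in excess]
    return "review", reasons


def audit(grants):
    """Return the grants that need review as (user, app, reasons) tuples."""
    findings = []
    for user, app, scopes in grants:
        verdict, reasons = classify_grant(scopes)
        if verdict == "review":
            findings.append((user, app, reasons))
    return findings


if __name__ == "__main__":
    for user, app, reasons in audit(SAMPLE_GRANTS):
        print(f"{user} -> {app}: {', '.join(reasons)}")
```

In the sample data only the pure sign-in grant passes; the two grants that reach contacts, mail or Drive are the ones that hand a third party standing access to organizational data.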