Five steps to protect from Shadow IT
Shadow IT sounds sinister, like the dark side of IT, but in truth shadow IT often has good motives and at worst it is usually just misguided. Usually, shadow IT is the result of employees trying to do their job better, and using their initiative to solve problems that they perceive as important and neglected by the organization or by IT.
As such, shadow IT is an organizational problem, and typically can be countered by organizational solutions.
Threats of Cloud Computing Multiplied by Shadow IT
Cloud computing is a great potential solution for many applications, but it does have threats that are worsened by shadow IT.
The most serious threat of cloud computing is data leakage. When you are moving data off-site, you expose yourself to additional risks. Not all cloud solutions are equal when it comes to security (just look at the number of “leaky apps” out there to get an idea of how bad the problem can be), and most employees won’t know how to vet an application for security. In healthcare and financial industries, this can be especially dangerous, as you can run afoul of regulations, leading to expensive fines and potentially lose operating licenses.
An organizational threat of cloud computing is that it can worsen departmental silos. By having each department potentially working in different off-site applications that won’t talk to one another, your organization can become like a many-handed Hindu god in which none of the right hands know what the left hands are doing.
There is also a financial threat to cloud computing. Although the entry cost for pay-as-you-go software is low, over time the costs multiply, and with each department potentially paying for separate services, the total cost can be significant, creating a financial drain on your organization.
How to Control Shadow IT Threats
Have Clear Policies (Including BYOD Policy): This is the most important step. If you don’t know how you’re handling cloud computing and shadow IT applications, how can you expect your employees to know how they should conduct themselves? And it’s crucial that you have a BYOD policy. Unless you tell them explicitly, people may think that what they’re doing on their personal smartphones or tablets doesn’t affect the company.
Create a Culture of Respect and Communication: The most common reason people pursue shadow IT solutions is that they think they’re not being listened to and that their problems don’t matter. If you let people know their concerns are being heard and acted on (even if that action is just evaluating solutions they bring to IT), they’re less likely to go rogue.
It’s also vitally important that you foster respect for in-house IT. In many organizations, it’s common practice to badmouth IT or imply they’re not doing their job when problems arise.
Management can’t just talk this talk—they have to model it, too. Truth is that upper management and C-suite people are some of the worst offenders when it comes to shadow IT. Not only does this potentially compromise the entire organization’s data security by increasing risk for accounts with high-level access, it encourages everyone to pursue their own solutions.
Defuse Tension between Cloud Computing and IT: Cloud computing is often marketed as an alternative to in-house IT, and this understandably makes people in IT leery of cloud computing solutions.
Unless you’re a very small organization, you’re likely going to want to retain in-house IT for many reasons. Make sure IT knows that cloud computing isn’t going to replace them, and give them a central role in the selection and deployment of cloud computing solutions.
Deploy Cloud Computing Solutions That Meet Needs: People won’t be tempted to pursue shadow IT solutions if they feel their needs are being met by the company-wide solution. If you deploy a company-wide cloud computing solution with complete functionality, you can remove the demand for shadow IT.
Perform Regular Audits and Empower Auditors: Although cloud computing is wispier than more traditional computing, it still leaves a trail. There are many ways to identify shadow IT cloud computing, such as tracking website and bandwidth usage patterns. It also leaves a money trail. Looking at departmental budgets should show when they’ve engaged a shadow IT solution.
But audits are meaningless unless the people performing them feel free to report what they find. People need to be encouraged to perform thorough audits and know that management is going to follow up on what they find.
Following these five steps should protect your company from the threats of Shadow IT.