What is Shadow IT?
7th September, 2020
Have you come across the term “Shadow IT” before and wondered what it is? Even if the answer to that is “No”, you definitely need to be aware of it and the implications for your business.
So, what is Shadow IT?
It is a relatively generic term, referring to equipment, applications or operations used in your business, but sitting outside your approved and recognised IT estate.
What that looks like in reality could be one of the following…
The PC sitting in the corner running a package that you thought you had replaced years ago, but Ted in Accounts prefers the old system. It might be that a small department have decided to use an unauthorised but free file-sharing solution because they don’t like the security restrictions set up by the IT department. It could even be that your procurement process for hardware or software is so cumbersome that everybody has chosen to bypass it.
And that’s before we mention one of your fellow directors who has decided to use his home computer to produce the highly confidential reorganisation report…
Why does this happen?
Most commonly, staff, with the best of intentions, are looking to just get the job done. They want the quickest and simplest way of doing things, without appreciating the bigger picture, or the implications.
Why does it matter?
The biggest issue is the lack of clarity around where your data may be stored. Equally, there could be parts of the business reliant on software that is not properly licensed or supported. Picture your need for an urgent finance report, only to discover that it’s on unauthorised software, created by a user on leave, and you have no clue how to access it.
Couple that with the possibility of old hardware that could be using out-of-date operating systems that are no longer supported.
And that’s before you get started on data protection, data privacy and intellectual property issues.
So, what can you do about all of this?
Whilst you could offer your staff an amnesty, asking them to confirm any unauthorised software or systems that are being used, it’s not an ideal solution. If you chose this approach, you would need to make it clear that there were no disciplinary consequences for them doing this, as you would want to achieve full visibility.
If you did choose this approach, we suggest talking to staff about why they have chosen specific apps, as you may discover that what they have found is a better solution than the current company approved one.
Having a strict policy which clearly lays out rules and guidance is one way of stopping any employee from downloading software or applications that are not company approved. In fact, you could restrict all users from having the admin rights to do this – leaving it to the designated IT person.
In practice, none of our customers take this approach. They all find it too cumbersome and too restrictive.
Ultimately, there has to be a balance between protecting the company’s assets and enabling staff to do their job.
One of the ways we often overcome this is by setting up a separate admin account. Logging in using this account enables staff to download the software or application, but doesn’t leave the door open for a hacker to access email or data, or infect your IT systems with a virus. Once the app is downloaded, staff log out and go back to their own user ID.
Our helpdesk software is set up to constantly monitor our customers’ hardware to check for any vulnerabilities. Likewise, we are able to ensure all of the software is updated to the latest version, and highlight any issues or risks. This is done on a continuous basis, with us often identifying and fixing problems before the customer is even aware.
When we start working with a new customer, we carry out a full audit to identify any potential issues before we undertake any development or support.
If you would like to find out more about the risk of shadow IT and how to mitigate risk in your business, please call us on 01784 437 123.