Flexible and remote working was already a trend on the rise, but against the backdrop of COVID-19, it has had to accelerate rapidly, Alex Dalglish, Head of Future Workplace, SoftwareONE.
Now, in the space of just a week or so, an increasing number of us are working from home and, as a result, are not attached to corporate networks or work-issued devices. There will likely be some long term benefits from this ‘thrown in the deep end’ shift to remote working, but companies will also face challenges – Shadow IT being a key one of them.
Users know how to change settings on desktops, apps and mobiles, and are confident in choosing tools and systems that match their preferences. If a user encounters an issue without a clear, IT-sanctioned solution, they won’t hesitate to find a remedy that can be implemented without involving the IT department. But these unauthorised programs and systems, known as Shadow IT can create a series of risks for organisations if left unchecked. It’s integral that organisations now take steps to manage these risks effectively.
Shadow IT: The ‘whys’
The employees of today are becoming increasingly tech-savvy. If a user feels that their business’ IT is holding them back, they will readily turn to systems and processes they are familiar with and that better support their productivity. Poor coordination between IT and the wider business can also cause employees to take matters into their own hands, particularly if they feel it is a hassle to go through IT or if they are unclear on what IT have to offer due to poor inter-departmental communications.
Customers and partners can also influence the growth of Shadow IT. If an organisation’s systems are incompatible with programs used by external companies and customers, frustrated employees may independently find other solutions to ensure they can continue to get their jobs done smoothly. To the user, these ‘shortcuts’ may seem essential to effective working but for businesses, they create a series of risks that must be managed. SH(adow) IT happens and always will – but with proper planning, IT teams can pull their organisations’ software assets out of the shadows, for good.
Shadow IT: The risks
One of the key risk areas opened up by Shadow IT is security. Without visibility over which systems are being used, IT departments are unable to provide the necessary security updates and patches for these disparate systems. We need only look to the 2018 WannaCry attacks to understand why up to date patching is so integral to protecting organisations from attacks and breaches.
Financial risks also pose a risk. If the IT department does not know of solutions being implemented outside of their jurisdiction, they could easily make errors in budgeting, based on user consumption. This, in turn, can lead to investment in products that aren’t being used, overlooking others and even missing opportunities for discounts. Organisations must be aware of compliance risks as, without the guidance of the IT department, it’s easy to become noncompliant with regulations such as GDPR. So, what can organisations do to manage these risks?
The truth is, it’s nearly impossible to eliminate Shadow IT altogether and in many cases, it’s not a good idea to do so; it has the potential to bring innovation as employees may discover a new, more efficient tool or process. And as the enterprise world looks to remote working to support employees during the COVID-19 pandemic, companies should be embracing more flexible ways of working – not restricting them. However, Shadow IT still needs to be managed, and there are steps organisations can take to help gain insight into the IT their employees are using.
Taking stock: Every organisation’s Shadow IT is unique. Businesses must carry out regular inventories of their environment to shed light on exactly which non-IT sanctioned software is in use by employees. Anything acquired outside of the IT-sanctioned process must then be deleted or made safe by the IT department.
Analyse: Once inventory has been accounted for, the greatest areas of risk will need to be identified. This will mean enlisting the help of departments outside of IT such as Legal, Compliance, and Data Privacy teams, to identify where employees are most likely to ‘go rogue’.
Plan and execute: With the areas of focus identified, organisations can then build a plan of action. This will look different from business to business, however there are several key steps. Making sure that easy to use processes are in place for employees to request software or apps is essential, as is setting up easy access to what’s on offer through a comprehensive service catalogue.
Maintain: Continuous monitoring of the environment is also needed, so potential risks can be promptly acted upon. This is typically a combination of people, technology and processes. Ensuring continuous education of employees as to the risks and consequences of Shadow IT will be pivotal in turning back the tide.
With so many options at their fingertips, employees can hardly be blamed for deploying new technology solutions that they feel better meet their working needs. However, when this is done outside the knowledge of their IT departments, organisations are being left vulnerable to security, financial, and compliance risks. Organisations should instead seek to understand why shadow IT is being used within the business, and look to address the needs of users – balancing convenience and risk, with governance, security and compliance.