View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cloud
November 18, 2016

Locking down shadow IT in the enterprise

What is shadow IT? Why should I worry about shadow IT? How can I deal with shadow IT? CBR gives you the answers to these questions you may be asking yourself.

By CBR Staff Writer

What is shadow IT?

Shadow IT covers a range of issues in enterprises from people connecting unauthorised mobile devices to the company network to department heads making big purchasing decisions about cloud services. What they have in common is that they’re happening without consulting the IT department.

Flexible working is a good thing of course but letting everyone decide what technology to use brings its own problems.

In a world where Bring Your Own Device is increasingly the norm a degree of shadow IT is inevitable for most organisations.

Don’t be fooled that this is just about millennials – it’s just as likely to be a techno-phobe MD who wants to email access on his iPad

Technology vendors say that an ever larger percentage of their sales are now coming from  elsewhere in the business than the IT department.

As people use more and more technology in their personal as well as their business lives so they feel qualified to make purchasing decisions which they would once have left to the IT department.

None of this has to be bad news. And you need to think about why it is happening. Sometimes IT departments can be seen as slow, restrictive and unhelpful which leads parts of the organisation to look for other ways to get what they want.

Content from our partners
Unlocking growth through hybrid cloud: 5 key takeaways
How businesses can safeguard themselves on the cyber frontline
How hackers’ tactics are evolving in an increasingly complex landscape

If end users are not happy using the applications you provide then simply trying to stop them using alternatives will not work.


Why should I worry about shadow IT?

There are several ways that shadow IT can cause problems for large organisations.

The first and most glaring is security.

If staff access enterprise email systems on their mobile phones or home computers they shadow ITcan easily provide a possible attack vector for hackers.

A basic premise for securing a network is knowing what is connected to that network.

Equally staff using their own devices might not be keeping your company’s, or your customers’, data safe. That is an issue which regulators are taking increasingly seriously and one for which the IT department will still get the blame in the event of a data loss.

There are strategic and cost implications too.

If individual parts of the business are all buying similar cloud services from different providers there is a good chance they’re all paying more than they need to.

If they’re using free services there might be other risks in terms of data security.

Equally they might well be creating inter-operability issues or problems with other back-up systems which they’re not aware of.

Individual departments will not be taking a strategic view of the services which they’re buying which a central IT department can do.


How can I deal with shadow IT?

The first thing you need to do is to understand why people in your organisation feel the need to go directly to external providers.

What functions are they getting from third parties which your IT department is not offering? This might be a difficult process but to solve the problem means addressing what isn’t being done well enough. This might be a single business application which isn’t doing what those on the front-line need it to do, or it might be a broader issue.

But there are positives too. Shadow IT means people in your organisation are thinking about technology. They might even have found some excellent suppliers or helped speed adoption of a new technology which could have big benefits for the rest of the organisation.

It means that somewhere in that department someone has spent the time to precisely specify what application or service is needed, and found a supplier. Getting that person on side will give you the information you need either to bring that service back in-house or to find the right external provider.

Cloud applications are the biggest driver of shadow IT, so the second way to control shadow IT is to get the right, secure cloud applications in place.

But finally you do need policies in place to make shadow IT safe.

This means educating staff about the dangers of using mobile devices to access corporate services or data and of the risks of insecure cloud services.

If they need mobile access to the corporate network then they need to be trained to do it safely.

Getting back control of all departments external deals might be impossible but at the very least try to get the chance to offer internal alternatives.

Finally you need to explain how you can help with future arrangements and the dangers inherent in every department going it alone.

In the end it is about carrot as much as stick.

Especially if senior staff are involved the only way to stop shadow IT is to offer better services internally.

Providing the services that staff want, in the way that they want them, is the only way to stop them looking for outside help.


Topics in this article : ,
Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.