Shadow IT carries some huge risks and, if not taken seriously, can come with real consequences. At the most basic level, an entire environment you do not know about is an environment you cannot secure or monitor, which creates a significant gap in coverage in your security portfolio.
To better understand shadow IT, let’s start with a hypothetical scenario:
Jon is the collaboration manager for XYZ Corporation. Sally helps direct the IT portfolio, determining what products the company should and should not use. After some research and cooperation, Jon and Sally agree that using Microsoft Yammer is an excellent social tool to help break down organization silos and encourage information sharing.
Months go by and Yammer gets good use in certain areas of the company. Meanwhile Derek, in Sales, decides that Slack has some functionalities that would help enhance his productivity. After seeing how easy it is to create a Slack team, Derek, along with his sales team, starts using this alternative platform without the approval of Jon or Sally.
This Is Shadow IT.
Jon and Sally don’t know that Derek has implemented this new platform within his team, and it comes without the controls and safeguards that the other approved applications in the IT Portfolio have.
Situations like this can raise further questions such as:
Why does this matter?
Other collaboration tools may be more beneficial, so why don’t we let our employees choose to use one that might be faster, better or cheaper?
What’s the big deal, if they can’t do any harm?
This guide will help you navigate some of the risks associated with Shadow IT and explains how to make the most of these situations when they arise.
Why Does it Matter?
Any time there is an unendorsed technology solution, there is a significant gap in your security portfolio.
This becomes an even bigger problem in regulated industries. What if Derek were to upload his client contacts and later move to a competitor? No one would be aware, and this could eventually cause serious damage for the company.
Other Tools May be Better, Faster or Cheaper—So Why Shouldn’t Employees be Allowed to Choose the Platform They Prefer?
Unfortunately, Jon, the collaboration manager, now has two social environments to maintain and must work twice as hard, or else the company may need to hire extra resources to handle this second environment.
If your company is subject to PCI, HIPAA or GDPR, these regulations become an even greater burden to bear, because rogue and unmonitored systems can potentially violate these governance policies. Not to mention that unendorsed 'shadow' applications will more than likely become business critical while still lacking business-critical requirements such as high availability, redundancy, and disaster recovery.
What is the Big Deal, and Can it Really Do Any Harm?
While Derek’s intentions were not malicious, he can still do serious harm to his company and his fellow employees:
Fines for GDPR non-compliance can reach 4% of your company’s global revenue or €20 million, whichever is greater.
These regulations exist to protect consumers, and Derek may be inadvertently harming consumers or his coworkers by using unapproved software.
Where to Go From Here
For one, understand what software your employees are using. Listen to them and survey them; understand what works and what doesn’t. If they are using an unendorsed 'shadow' collaboration platform, then assess and understand how to make them successful within the organization. Don’t scold or penalize them. Once an application is brought into the organization’s IT portfolio, make sure it’s treated with the care that your other production applications receive.
Staying ahead of shadow IT often can feel like a game of whack-a-mole. You handle one application, then another pops up.
There are many ways to stay on top of shadow IT, but one solution is by pairing Wiretap with the platforms that people want to use—giving your employees the tools to collaborate effectively and securely.