IT governance best practices: what is shadow IT?

The use of shadow IT has risen with the explosion of consumer cloud-based SaaS products. What are the security risks, and why is an effective governance plan part of the solution?

Published on August 15, 2019.

In the past, IT held all the power. If users wanted access to a new product or tool, they had to put in a request and wait for it to be approved.

But the way that we do work is changing. More and more, users are used to working how they want, when they want, with whatever tool works best.

When it comes to overshadowing shadow IT, your best bet might not be trying to beat these cloud-based applications—but rather, understanding how to join them.


What is shadow IT?

Shadow IT is the use of information technology systems, devices, software, applications, and services outside the scope and supervision of an organization’s approved IT system.

Examples include employee use of:

  • USB flash drives or other personal data storage devices
  • Unapproved productivity apps like Trello, Slack, or Asana
  • Unapproved cloud storage like Dropbox or Google Drive
  • Unapproved messaging apps like Facebook Messenger, Snapchat, or WhatsApp

Why are users turning to shadow IT?

The use of shadow IT has grown exponentially in recent years.

A Cloud Security Alliance survey revealed that nearly 72% of IT executives don’t know how many shadow IT applications are being used within their organization.

And less than half of respondents to a recent Forbes Insights report said they’re confident they’re aware of all the technology their employees use.

There are two main reasons employees today are engaging in shadow IT:

  • They want to work more efficiently
  • They know what else is out there

Efficiency

With consumer technology evolving rapidly, users are more tech-savvy than ever before.

If employees are unhappy with what IT has to offer them—or they get tired of waiting around for their requests to get a response—they know about other options, and they’ll use them.

“It always boils down to the same thing: if you don’t allow people to create things in the tools you want them to use, or if you put too much friction between them and getting that done, they’ll go use other solutions,” says Microsoft MVP Marc Anderson.

The message is clear: employees know how they work best, and they want more autonomy when it comes to getting their work done efficiently.

Quality of consumer SaaS applications

The rapid growth of shadow IT is also driven in part by the quality of cloud SaaS applications available to consumers. Before, users might have been frustrated with IT-approved tools. But they also had less experience with cloud-based productivity tools in general—they had nothing to compare them to.

Today, users can download a messaging app by scanning their face with their phone. They're familiar with what other products are out there, and they know how to use them.

A Brocade survey of 200 CIOs found that 83% had encountered unauthorized provisioning of cloud services—despite the fact that more than one third of respondents said their organizations did not permit cloud adoption without the involvement of IT.

“The reason people use Dropbox to share files is because they don’t have anything in-house to do it,” says Anderson.

If IT-approved systems aren't meeting their needs, users aren't afraid to turn to something that will.

Data governance security risks and challenges

We said it about data sprawl, and the same is true when it comes to shadow IT: you can’t protect what you cannot see.

Not all shadow IT is inherently dangerous, but features like file sharing and storage or digital document collaboration make your organization especially vulnerable to sensitive data leaks.

Gartner predicts that by 2020, one-third of successful cyber-attacks on enterprises will be on data located in shadow IT resources.

To tackle these types of security threats, it’s crucial that IT admins gain better visibility and control over shadow IT in their organizations.

One way to do that? Embrace the modern workplace mindset.

Cross-product governance

Instead of doubling down, why not cede a bit of control in your environment?

Enabling self-service features boosts user adoption, and in Office 365 that means letting end users provision and manage their own tools.

With the introduction of concepts like Office 365 Groups and Microsoft Teams, Microsoft users are being nudged towards an intent- rather than product-driven approach. Users can collaborate within project-oriented teams, moving seamlessly between products to achieve a common goal.

Implementing a cross-product governance strategy protects the work end users are doing across all products they’re using.

Some governance best practices to consider:

  • Implement a naming policy
  • Configure external sharing settings
  • Put an Office 365 Groups expiration policy in place

Want to learn more about governance in Office 365? Download our curated guide, Office 365 Groups Governance, for practical tips on achieving a balanced approach to Office 365.
