Imagine this scenario: You are the CIO of a major insurance company. News breaks that there is a serious security flaw in a popular freemium CRM system, allowing for the theft of customer information. No worries - you have never installed or used the software.
But unbeknownst to you, somebody in your company actually has installed and used it for customer information, so now you're on the hook to cover any security leaks.
What is Shadow IT?
The scenario depicted above is called "Shadow" or "Stealth" IT. It ranges from an impatient employee installing a piece of unapproved software to a business division choosing to use a niche solution from a third-party provider, independent of corporate IT. It also includes employees using their personal Dropbox to store files because it's more convenient.
However, there are a number of problems with Shadow IT:
Security. The unapproved software may not meet the rigorous security or quality standards applied by corporate IT. As in the example above, you may find that somebody has installed software that turns out to have a security hole in it.
Compliance and privacy. Let's say you're a healthcare company, and one of your analysts is storing HIPAA-controlled data on their own Google Drive account. Documented standards may not be met.
Crashes and problems. Unapproved software can conflict with other software, causing server and network problems and even crashes. IT can do tests before approving the installation of new software and new updates. Shadow IT software may be on automated updates, increasing the risk of an upgrade breaking something.
Support problems. IT help desks may not know how to support the software or hardware concerned, resulting in increased downtime, wasting IT time as they study the problem, and possibly leading to data loss.
Illegal copies. In some cases, employees may install pirated or illegally copied software, and there may be no way to prove that the illegal copy was not installed by the company.
Viral infections. Moving files between home and work computers can sometimes result in an increase in viruses.
Redundancy. Shadow IT can waste money if individuals or groups are purchasing software that the company already owns.
Cracking Down on Shadow IT...
The obvious reaction to these problems is to prevent the use of Shadow IT. Companies have resorted to such methods as auditing software, including software on personal devices, remotely wiping people's phones and preventing employees from installing software on company computers. The issue with these policies is that they can cause resentment. Examining personal devices that are also used outside of work is an obvious privacy concern.
Some companies have also forbidden employees to install certain apps on their own phones, or installed spyware. A few large companies have locked both company-provided and even BYOD devices to a company app store, denying access to the public Android and Apple stores altogether. This has led to some employees being paranoid enough that they feel obligated to purchase a second phone, or avoid bringing their phone to work at all, which defeats the point of a good BYOD policy. Restrictive policies can also set IT up as "the enemy" and make it less likely that employees will seek help with their technology when needed, which can also reduce productivity.
So, while Shadow IT is a significant security and productivity risk, going overboard in banning it can result in your workplace starting to look like 1984. Employee resentment lowers productivity and, of course, increases turnover. As a result, most companies are now trying to find a balance, which includes transparency, educating workers about the problems that can be caused when they install an unapproved app, reasonable computer use policies and less monitoring.
...Or Embracing it?
There is, however, another approach. Shadow IT happens for a reason, and while it is better that everything is kept aboveboard, some companies are now finding that embracing Shadow IT is the real solution. There are, in fact, a number of ways to make stealth IT an asset rather than a liability.
Determining needs. People install unapproved software for a reason. By finding out what people have installed, for example by auditing desktops or asking IT, you may find that you have a software need you are not meeting. IT can then address this with a solution. This solution, ironically, can be the same software the employee already installed. In some cases blocking unapproved applications can mean that you are blocking the best applications for the problem.
Educating employees. Allowing people to look for their own applications demystifies the entire process. A more technologically savvy workforce knows their needs and can work with IT.
Finding out what's popular. The service catalog can simply be expanded to include popular shadow IT applications. If those applications have security issues then you can instead educate workers on why they should not use them.
Promoting collaboration. Smaller companies may choose to essentially fold shadow IT into corporate IT, by making it easier for employees to request the software they need and promoting collaboration. IT may know what is "safe" to use, but they may not always know what is working well for the team. Using so-called Agile techniques, where decisions about software can come from any level in the company, makes the concept of "shadow" IT obsolete.
Working with vendors. Larger companies can check what employees are installing and then go to those vendors to help them come into compliance with security and other concerns. This benefits the vendor with increased sales and the company with security.
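The "determining needs" and "finding out what's popular" steps above both start from the same thing: an inventory of what is actually installed, compared against the approved service catalog. The following is an added example, not code from the article, showing that comparison on a constructed per-host inventory: it lists the unapproved software on each host, ranks unapproved applications by how many hosts run them, and then splits the popular ones into candidates for the service catalog and applications that instead call for employee education because of a known security issue. The host names, application names, the approved catalog and the "known problem" list are all constructed placeholders.

```python
# Added example (not from the article): audit per-host software inventories
# against an approved catalog and rank unapproved applications by popularity.
from collections import Counter

# Constructed sample inventory: hostname -> set of installed application names.
# In practice this would come from an endpoint-management or inventory tool.
SAMPLE_INVENTORY = {
    "ws-001": {"Office Suite", "FreeCRM", "Dropbox"},
    "ws-002": {"Office Suite", "FreeCRM"},
    "ws-003": {"Office Suite", "Slack", "Dropbox"},
    "ws-004": {"Office Suite", "FreeCRM", "PhotoEditor"},
}

# Constructed approved service catalog (placeholder names).
APPROVED_CATALOG = {"Office Suite", "Slack"}

# Constructed list of applications with a known security issue (placeholder).
KNOWN_PROBLEM_APPS = {"FreeCRM"}


def audit(inventory, approved):
    """Return (unapproved_by_host, popularity).

    unapproved_by_host maps each host to the sorted list of applications it
    runs that are not in the approved catalog (hosts with none are omitted).
    popularity counts, per unapproved application, how many hosts run it.
    """
    unapproved_by_host = {}
    popularity = Counter()
    for host, apps in inventory.items():
        unapproved = apps - approved
        if unapproved:
            unapproved_by_host[host] = sorted(unapproved)
        popularity.update(unapproved)
    return unapproved_by_host, popularity


def triage(popularity, known_problem, min_hosts=2):
    """Split popular unapproved applications into two lists of (app, hosts).

    candidates: popular apps with no known issue, worth adding to the catalog.
    educate:    popular apps with a known issue, where users should be told
                why they should not use them (the article's alternative).
    Apps below min_hosts are ignored as one-off installs.
    """
    candidates, educate = [], []
    for app, count in popularity.most_common():
        if count < min_hosts:
            continue
        (educate if app in known_problem else candidates).append((app, count))
    return candidates, educate


def report(inventory, approved, known_problem):
    """Human-readable summary of the audit, returned as a string."""
    unapproved_by_host, popularity = audit(inventory, approved)
    candidates, educate = triage(popularity, known_problem)
    lines = ["Unapproved software by host:"]
    for host, apps in sorted(unapproved_by_host.items()):
        lines.append(f"  {host}: {', '.join(apps)}")
    lines.append("Catalog candidates (popular, no known issue):")
    lines.extend(f"  {app} on {n} hosts" for app, n in candidates)
    lines.append("Education targets (popular, known security issue):")
    lines.extend(f"  {app} on {n} hosts" for app, n in educate)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_INVENTORY, APPROVED_CATALOG, KNOWN_PROBLEM_APPS))
```

The minimum-host threshold is the knob that separates a genuine unmet need (several people independently chose the same tool) from a single person's preference; the "known problem" list is the point at which the security review from the earlier part of the article feeds back into the decision.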
The Future of Shadow IT
All of this requires that a company knows what employees are installing. This can only happen if employees are not afraid to admit to having installed an "unapproved" application. Overly restrictive computer policies and threats of termination force people to be even more circumspect about what they are doing. Instead, companies should make things more open and transparent and build an environment where employees are more willing to say "Hey, I found this great app, IT should take a look at it."
Embracing Shadow IT is accepting how the world works. With cloud storage and cloud applications, it is much harder for companies to enforce acceptable use policies without breaching their employees' privacy and even that of their families. It is much easier for employees and team leaders to install the software they choose without going through IT. In the future, there may well be no concept of shadow IT versus corporate IT. There will only be methods for finding the software that works best.