
Shining a Light in the Face of Shadow IT

October 16, 2018    |    Cyber Security    |    Private Tunnel

What is Shadow IT?

Shadow IT, or Stealth IT, is a term that refers to technology used within a business without the knowledge or authorization of the IT department. At first glance it might seem underhanded, but a lot of employees use Shadow IT for perfectly innocent reasons. In fact, you might be utilizing Shadow IT without even realizing it. Perhaps you were frustrated with how long it was taking for an awesome new interoffice chat method to be approved, so you decided to just set it up in the meantime. Or maybe your tech-savvy deskmate decided to automate a part of their process without going through the proper channels. There are countless reasons why employees might utilize Shadow IT, and it is rarely ever for nefarious purposes. It can even be beneficial for businesses, helping users such as yourself become more productive.

Is Shadow IT Good for the Workplace?

Utilized properly, Shadow IT can be a very good thing in the workplace — when employees encounter issues and areas of inefficiency, they come up with creative solutions to the problems. It’s a lot like having a second IT or development team, and many departments create systems that become critical to the success of their projects. But unfortunately, many employers fail to see the benefits. Rather than supporting the unofficial systems put in place, and finding a way to safely incorporate those systems, employers focus on how to get rid of and replace the systems that are already working, simply because those systems were not authorized.

Are there any Shadow IT Security Risks?

Shadow IT will always persist in the workplace, and failing to embrace and properly manage the unofficial technology systems can lead to security breaches. The unofficial systems employees embrace might be incredibly beneficial, but as long as those systems are under the radar there is a lack of visibility and control over network elements. This lack of visibility and control can be especially dangerous because many Shadow IT solutions are not as private or secure as systems that have filtered through the official IT department.

Shadow IT cannot just be eliminated from the workplace — it will always be there in the background, so it needs to be properly recognized and managed. If you are aware of Shadow IT in your workplace, take initiative and work with leadership to properly harness the unofficial technology. We have three tips you can share with the people in charge to help legitimize the use of Shadow IT, and keep the workplace running smoothly.

How to Manage Shadow IT

  1. Embrace the technology. Switch the focus from the unauthorized nature of the IT to why employees began using it in the first place. Create process maps to get a good picture of data movement. What are the benefits of the IT in use? Why is it better than what was previously available? Can we incorporate it into our approved IT?
  2. Promote safer services. If employees have set up personal file-sharing accounts with a site, can you redirect them to a corporate file-sharing app in the cloud that can become part of your new data structure? Rather than shutting access down (which often leads employees to search out other, possibly riskier, alternatives), can you provide a security-centric choice that offers the same benefits?
  3. Reward employees for reporting red flags. We’ve found this strategy works best for getting your workforce involved in a corporate culture of cybersecurity. Rather than reprimanding employees who look like they have gone rogue, find a way that works for your company to reward those who bring security concerns to the attention of the IT team. Then work together to create the solution.

Shadow IT is extremely common in the workplace, and using it correctly is important to maintaining strong cybersecurity. For additional ideas on how to do this, another recent blog post of ours offers seven strategies you can implement. Since OpenVPN’s cyber hygiene study, which revealed a lot of detrimental cybersecurity habits among employees, we’ve been focused on spreading the word on how important this topic is!

Finally, follow the advice from OpenVPN CEO Francis Dinha on educating your staff:

“Create a process everyone knows how to follow, including a two-factor authentication system, strong passwords, and access to a private network…Having the best security tech in the world will mean nothing if your staff isn’t taking it seriously.”

Cybersecurity is, after all, a team effort.
